#!/usr/bin/env python3
from glob import glob
import argparse
import os
import sys
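def _extract_source_ip(line):
    """Return the address field parsed from a log line, or None if absent.

    The value is taken positionally: third "|"-separated field, fourth
    ":"-separated part, cut at the first "]".
    """
    # NOTE(review): presumably the client address of the session. The log
    # layout is not validated here and the line also carries request data,
    # so treat the value as a lead to verify, not as an established source.
    try:
        return line.split("|")[2].split(":")[3].split("]")[0]
    except IndexError:
        return None


def main():
    """Scan CrushFTP logs for the "<INCLUDE>" marker and report each hit.

    The directory given on the command line must contain CrushFTP.jar.
    Three sets of files are read: CrushFTP.log in that directory, the
    session_HTTP_*.log files under logs/session_logs/*/, and
    logs/CrushFTP.log*. Every line containing "<INCLUDE>" is reported as a
    trace of exploitation, with the parsed address when the line has the
    expected layout.

    Returns:
        1 when the directory does not look like a CrushFTP installation,
        otherwise None (the caller maps that to exit status 0).
    """
    parser = argparse.ArgumentParser(description="Evaluate if the CrushFTP File Read vulnerability was exploited")
    parser.add_argument("dir", type=str, help="Path to CrushFTP installation directory")
    args = parser.parse_args()

    if not os.path.exists(os.path.join(args.dir, "CrushFTP.jar")):
        print(f"[!] The following directory does not look like a CrushFTP installation folder: {args.dir}")
        return 1

    log_files = (
        [os.path.join(args.dir, "CrushFTP.log")]
        + glob(os.path.join(args.dir, "logs", "session_logs", "*", "session_HTTP_*.log"))
        + glob(os.path.join(args.dir, "logs", "CrushFTP.log*"))
    )

    scanned = 0
    hits = 0
    for fname in log_files:
        try:
            # errors="replace": logs hold request data, so one undecodable
            # byte must not abort the scan and leave later files unchecked.
            with open(fname, "r", errors="replace") as f:
                # Stream line by line; log files can be large.
                for line in f:
                    if "<INCLUDE>" not in line:
                        continue
                    hits += 1
                    ip = _extract_source_ip(line)
                    if ip is None:
                        print(f"{fname}: traces of exploitation")
                    else:
                        print(f"{fname}: traces of exploitation by {ip}")
        except OSError as exc:
            # CrushFTP.log is listed unconditionally and may not exist; a
            # missing or unreadable file is reported instead of crashing.
            print(f"[!] Could not read {fname}: {exc}")
            continue
        scanned += 1

    if not hits:
        # Only logs still on disk are examined: rotated-out or deleted logs
        # are not covered, so a clean result is not proof of no exploitation.
        print(f"[*] No <INCLUDE> marker found in {scanned} readable log file(s)")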
if __name__ == "__main__":
    # main() returns 1 for a rejected directory and None otherwise;
    # None is mapped to a zero exit status.
    exit_status = main() or 0
    sys.exit(exit_status)