53 lines
2.2 KiB
Python
53 lines
2.2 KiB
Python
# -*- coding: utf-8 -*-
|
||
import requests
|
||
|
||
'''
|
||
Usage:
|
||
moon.py -u tomcat http://127.0.0.1:8080
|
||
影响范围:Tomcat: 全版本
|
||
session操纵漏洞:Apache Tomcat默认安装包含”/examples”目录,里面存着众多的样例,
|
||
其中session样例(/examples/servlets/servlet/SessionExample)允许用户对session进行操纵。
|
||
因为session是全局通用的,所以用户可以通过操纵session获取管理员权限。
|
||
(不一定都是全局的,如果path只在examples下,那就无法利用)。
|
||
利用此漏洞需要知道相关后台登录后的session键值对,然后写入到session中,利用条件苛刻。
|
||
https://cloud.tencent.com/info/2e03f26090fe592b6c7aa933dd6c0f94.html
|
||
解决办法:安装完tomcat后,删除$CATALINA_HOME/webapps下默认的所有目录文件* rm -rf /srv/apache-tomcat/webapps/*
|
||
'''
|
||
|
||
def attack(URL):
|
||
urls = (
|
||
'/examples/servlets/servlet/SessionExample', #200
|
||
'/examples/', #304
|
||
'/docs/', #304
|
||
'/docs/BUILDING.txt',
|
||
'/docs/RUNNING.txt',
|
||
'/manager/html', # 401
|
||
'/host-manager/html', #401
|
||
'/icons/',
|
||
'/manual/',
|
||
'/examples/jsp/snp/snoop.jsp'
|
||
)
|
||
|
||
print('[+]开始检测-Tomcat-example_vulnerability。[+]')
|
||
user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
|
||
headers={"User-Agent":user_agent}
|
||
for url in urls:
|
||
url = URL + url
|
||
try:
|
||
verify_response = requests.get(url, headers=headers)
|
||
|
||
if verify_response.status_code == 200 or 304 or 401:
|
||
try:
|
||
print('页面返回状态码:'+str(verify_response.status_code)+' '+'页面返回大小为:'+str(len(verify_response.text))+' '+url) # 因为部分网站设置了统一的404页面,造成误报,因此添加返回长度来进行辅助判断
|
||
except Exception:
|
||
pass
|
||
else:
|
||
continue
|
||
except Exception:
|
||
print("Someerror!")
|
||
print('[+]检测结束-Tomcat-example_vulnerability。[+]')
|
||
print('\n')
|
||
|
||
if __name__ == "__main__":
|
||
attack()
|