【批量检测】致翔OA-msglog-aspx-SQL注入漏洞

用python写了个poc，方便批量检测。原理就是检测出现漏洞的路径是否存在，并不能完全意义上的检测漏洞。需要自我甄别。

import requests
import sys

cunzailist = []
def title():
    print('+------------------------------------------')
    print('Version：致翔OA-msglog-aspx-SQL注入漏洞              ')
    print('author：wanheiqiyihu                        ')
    print('use：exploit.py url.txt             ')
    print('注意：在url.txt的最后一行打上换行符，不然会读取错误')
    print('+------------------------------------------')
def Poc(url):

    payload_test = '/mainpage/msglog.aspx?user=1'
    print('正在扫描'+url)
    while True:
        try:
            response_test = requests.get(url='http://' + url + payload_test,timeout=3)
            content = response_test.status_code
            if content == 200:
                print("存在漏洞")
                cunzailist.append(url)
                break
            else:
                print('不存在漏洞')
                break
        except:
            print('请求错误')
            break

if __name__ == "__main__":
    title()
    filepath = sys.argv[1]
    file_object = open(filepath,'r')

    try:
        while True:
            line = file_object.readline()
            if line:
                print("line=", line)
                liine = line[:-1]
                Poc(url=liine)
            else:
                break
    finally:
        file_object.close()
    
    for item in cunzailist:
        print(item)