Solve the problem of the POC script adaptive to multiple URLs

Source: Internet
Author: User
Tags atlassian confluence

In the process of bulk POC, the URL states we collect are often different.
So we need to handle the URL uniformly so that the POC script can accurately validate each URL

We provide examples of actual vulnerabilities and give my bulk POC solution.

Vulnerability example

Atlassian confluence 5.8.17 A vulnerability existed in previous versions of the vulnerability spaces/viewdefaultdecorator.action and the admin/viewdefaultdecorator.action file did not have sufficient filtering ‘decoratorName‘ parameters. The vulnerability could be exploited by a remote attacker to read a configuration file.

Detailed reference:

The file traversal exploits are simple and can be used to list the current directory files as long as you access this location:

Now we have the following types of URLs in the search engine:

1 wiki.kuali.org2

Now we consider how the POC can be written to accommodate these different forms of URLs

Solution Solutions

The first two of our unified URL format, so that the POC script can be opened correctly. And the third fourth situation, we collected the URL has a multi-level directory, and even the post parameters, we start from which layer to add payload to do the verification?

One way I'm going to do this is to sort out the format first, then take out the useful parts of the URL to synthesize the new URL, and then combine the traversal for multiple directories.

Operation Process
    1. Original URL:
    2. Extracted URLs:
      Protocol: http
      Domain Name:
      Port: 8090
      Path: /confluence/display/Hive/HCatalog/
      Params: id=2
    3. To decompose Path
      Path_list = [' Confluence ', ' Display ', ' Hive ', ' Hcatalog ']
    4. Remove the useless parts, enumerate the path fields, and combine them into a new URL
      Poc_list = [
      ' ',
      ' Http:// ',
      ' Http:// ',
      ' Http:// ',
      ' Http:// '
    5. Add validation to the end of each URL string in 4 /spaces/viewdefaultdecorator.action?decoratorName=.
Batch Practice

Using the Python built-in module urlparse to format the URL, I added the following two functions to meet our needs.

 def get_domain(URL):    "" " added by CDXY 8 sun,2016 use:get_domain (' ') Return: ' H Ttp:// ' "" "p = urlparse (URL)returnUrlunsplit ([P.scheme, P.netloc,"',"',"']) def iterate_path(ori_str):    "" " added by CDXY 8 sun,2016 use:iterate_path_to_list (' ') Ret urn: [' ', '' ' ', ' http :// ', ' '] "" "Parser = Urlparse (ori_str) _ans_list = [Ori_str] _ans_list.append (Get_domain (ori_str)) _path_list = PARSER.PATH.R Eplace ('//','/'). Strip ('/'). Split ('/') s ="'     foreachinch_path_list:s + ='/'+ Each _ans_list.append (Urljoin (ORI_STR, s))return_ans_list

The POC script for this vulnerability is now integrated into my concurrency framework:

The scan result 326 / 736 hit rate is still quite high:

    • Concurrency Framework Https://
    • Modified
    • This vulnerability authentication Module

Solve the problem of the POC script adaptive to multiple URLs

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.