POC详情: 042e120c66ea2ba86c083b631c9004e7cffcfe75

来源
https://github.com/Chocapikk/CVE-2023-4966
关联漏洞
标题: Citrix Systems NetScaler ADC和NetScaler Gateway 安全漏洞 (CVE-2023-4966)
描述:Citrix Systems Citrix NetScaler Gateway(Citrix Systems Gateway)和Citrix Systems NetScaler ADC都是美国思杰系统(Citrix Systems)公司的产品。Citrix NetScaler Gateway是一套安全的远程接入解决方案。该方案可为管理员提供应用级和数据级管控功能,以实现用户从任何地点远程访问应用和数据。Citrix Systems NetScaler ADC是一个应用程序交付和安全平台。 NetScale
描述
Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
介绍
# CVE-2023-4966 Citrix Memory Leak Exploit 🔒

Leak session tokens from vulnerable Citrix ADC instances affected by CVE-2023-4966. ⚠️

## Description 📃

This Python script exploits CVE-2023-4966, a critical vulnerability in Citrix ADC instances that allows unauthenticated attackers to leak session tokens. The vulnerability is assigned a CVSS score of 9.4 and is remotely exploitable without user interaction. Citrix NetScaler appliances configured as Gateways (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual servers are vulnerable to this attack. :skull_and_crossbones:

## Usage 💻

```bash
$ OPENSSL_CONF=./openssl.cnf python3.10 exploit.py -h
```

Options:
- `-h, --help`: Show the help message and exit. ℹ️
- `-u URL, --url URL`: Specify the Citrix ADC / Gateway target (e.g., https://192.168.1.200). 🔗
- `-f FILE, --file FILE`: Provide a file containing a list of target URLs (one URL per line). 📁
- `-o OUTPUT, --output OUTPUT`: Specify the file to save the output results. 💾
- `-v, --verbose`: Enable verbose mode. 🔊
- `--only-valid`: Only show results with valid session tokens.

## How to Use 💡

1. Clone the repository:
   ```bash
   $ git clone https://github.com/Chocapikk/CVE-2023-4966.git
   $ cd CVE-2023-4966
   ```

2. Run the exploit:

   For a single target:
   ```bash
   $ OPENSSL_CONF=./openssl.cnf python3.10 exploit.py -u https://target.example.com
   ```

   For multiple targets listed in a file:
   ```bash
   $ OPENSSL_CONF=./openssl.cnf python3.10 exploit.py -f targets.txt --only-valid
   ```

   Use the `-o` flag to specify an output file for the results:

   ```bash
   $ OPENSSL_CONF=./openssl.cnf python3.10 exploit.py -u https://target.example.com -o results.txt --only-valid
   ```

   To enable verbose mode, use the `-v` flag. 🔊

## Credits 👏

This exploit is inspired by the research conducted by [Assetnote](https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966). 🙌

## Disclaimer ⚠️

This script is provided for educational and research purposes only. Use it responsibly and only on systems you have permission to test. 🛡️

---

## Note 📝

During my research, I found that the session cookies always end with the hex sequence `45525d5f4f58455e445a4a42`. Incorporating this information can greatly enhance the accuracy of session token detection.
文件快照

 [4.0K]  /data/pocs/042e120c66ea2ba86c083b631c9004e7cffcfe75
├── [7.3K]  exploit.py
├── [ 172]  openssl.cnf
├── [2.3K]  README.md
└── [  65]  requirements.txt

0 directories, 4 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。