POC details: 2d8b7b695fb5a2e11101053b04db1e95ee811af4

Source
Related vulnerability
Title: Citrix Application Delivery Controller and Citrix Systems Gateway path traversal vulnerability (CVE-2019-19781)
Description: Citrix Systems NetScaler Gateway (Citrix Systems Gateway) and Citrix Application Delivery Controller (ADC) are both products of the US company Citrix Systems. Citrix Systems NetScaler Gateway is a secure remote access solution that gives administrators application-level and data-level controls so that users can remotely access applications and data from any location. Citrix Application Delivery Controll
Description
A fast multi threaded scanner for Citrix ADC (NetScaler) CVE-2019-19781 - Citrixmash / Shitrix
Introduction
# CVE-2019-19781 citrixmash scanner

A multithreaded scanner for Citrix appliances that are vulnerable to CVE-2019-19781.
The scanner does not attempt to compromise/exploit hosts and avoids downloading any sensitive content. A `HEAD` request is used to determine if a target is vulnerable. False positives are reduced by verifying a specific value in the `Content-Length` response header.

citrixmash_scanner accepts both network ranges and individual hosts.

## Installation 
```
$ go get -u github.com/x1sec/citrixmash_scanner
```
Alternatively, compiled 64-bit executables for Windows, Mac and Linux are available [here](https://github.com/x1sec/citrixmash_scanner/releases/).

## Usage
```
$ ./citrixmash_scanner -h
  -e  Evade IDS with ASCII encoding (default true)
  -f string
      File containing list of hosts
  -n string
      Network in CIDR format (e.g. 192.168.0.0/24)
  -o string
      Write results to text file
  -t int
      HTTP timeout (seconds) (default 2)
  -u string
      Custom user agent string
  -v  Verbose
  -w int
      Number of concurrent workers (default 20)
```

Requests are concurrent with a default of 20 workers/threads. To speed up scanning, increase the number of workers (`-w`) and/or reduce the HTTP timeout (`-t`).

If the `-n` and `-f` options are both omitted, citrixmash_scanner reads targets from stdin.
For example, using subdomain enumeration with [assetfinder](https://github.com/tomnomnom/assetfinder):
```
$ assetfinder corp.com | ./citrixmash_scanner 
```

Or for scanning a complete Autonomous System with [xpasn](https://github.com/x1sec/xpasn):
```
$ xpasn AS394161 | ./citrixmash_scanner 
```

Targets can be mixed (http, https) and can include networks in CIDR format. If `http` or `https` is omitted, `https` is used. The following is a valid target list:
```
$ cat targets.txt
http://target1.com
https://target2.org
192.168.0.2
http://10.0.0.4
10.0.20.0/24
```
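As an added example (not the scanner's own code), the following Go helper shows how a mixed target list like the one above can be normalised into one base URL per host: an explicit `http://` or `https://` is kept, bare hosts default to `https`, and CIDR networks are expanded to every address, with a guard against accidentally expanding a very wide prefix. `ExpandTargets` and `inc` are hypothetical names chosen for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)
// ExpandTargets normalises a mixed target list like the one above into one base
// URL per host: explicit http:// or https:// is kept, bare hosts default to https,
// CIDR networks expand to every address. Hypothetical helper, not the scanner's code.
func ExpandTargets(list string) ([]string, error) {
	var out []string
	sc := bufio.NewScanner(strings.NewReader(list))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue // skip blank lines and comments
		}
		if strings.HasPrefix(line, "http://") || strings.HasPrefix(line, "https://") {
			out = append(out, strings.TrimRight(line, "/")+"/")
			continue
		}
		if _, ipnet, err := net.ParseCIDR(line); err == nil {
			// Guard: refuse prefixes wider than 2^16 addresses so a stray /8 is not scanned.
			if ones, bits := ipnet.Mask.Size(); bits-ones > 16 {
				return nil, fmt.Errorf("refusing to expand %s: more than 65536 addresses", line)
			}
			// Mask returns a fresh copy, so inc does not mutate ipnet.IP.
			for ip := ipnet.IP.Mask(ipnet.Mask); ipnet.Contains(ip); inc(ip) {
				out = append(out, "https://"+ip.String()+"/")
			}
			continue
		}
		out = append(out, "https://"+line+"/") // bare host or IP: default to https
	}
	return out, sc.Err()
}
// inc advances ip to the next address in place (big-endian increment).
func inc(ip net.IP) {
	for i := len(ip) - 1; i >= 0; i-- {
		if ip[i]++; ip[i] != 0 {
			return
		}
	}
}
func main() {
	targets, err := ExpandTargets("http://target1.com\n192.168.0.2\n10.0.20.0/30\n")
	fmt.Println(len(targets), err) // 6 <nil>
}
```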

Use the `-o <filename>` option to write vulnerable hosts to a text file.

### Example usage:
Options: verbose info (`-v`), 50 parallel workers (`-w`), 1 second timeout (`-t`), scanning a subnet (`-n`) and also including hosts from `targets.txt` (`-f`):

```
$ ./citrixmash_scanner -v -t 1 -w 50 -n 192.168.10.0/24 -f targets.txt 

Citrix CVE-2019-19781 Scanner
Author: https://twitter.com/x1sec
Version: 0.4

[+] Testing 255 hosts with 20 concurrent workers ..

[!] https://192.168.10.5/ is vulnerable
[*] INFO: speed: 7 req/sec, sent: 106/255 reqs, vulnerable: 1
[!] https://10.10.0.8/ is vulnerable

[+] Done! 2 host(s) vulnerable
```

### Changelog:
| version | date | changes |
|:---|:---|:---|
| v0.4 | 16/01/20 | Accept targets from stdin, fixed exit issue with -v option, added -o option |
| v0.3 | 15/01/20 | Added evasion bypass (credit: [Fireeye](https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html)  / [@itsreallynick](https://twitter.com/ItsReallyNick)) |
| v0.2 | 13/01/20 | Check content-length of smb.conf to reduce false positives |
| v0.1 | 13/01/20 | Initial release |


*Disclaimer: This tool is intended for legal activities such as penetration testing, bug bounty hunting on authorized assets and to help secure networks. The author holds no responsibility for its use.*

File snapshot
 [4.0K]  /data/pocs/2d8b7b695fb5a2e11101053b04db1e95ee811af4
├── [ 223]  build.sh
├── [1.0K]  LICENSE
├── [6.0K]  main.go
└── [3.2K]  README.md

0 directories, 4 files
Shenlong bot has cached this for you
Notes
    1. It is recommended to access the POC via its source first.
    2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.