Related vulnerabilities
Description
Python script to search Citrix NetScaler logs for possible CVE-2023-4966 exploitation.
Introduction
# Scan for CVE-2023-4966 IoCs
## Script: check-cve-2023-4966.py
The script searches the Citrix NetScaler logs for possible CVE-2023-4966 exploitation.
### Usage
```
usage: check-cve-2023-4966.py [-h] [--nologline] logdir_path

Python script to check CitrixNetScaler logs for possible CVE-2023-4966 exploitation

positional arguments:
  logdir_path  path to NetScaler log files (located on the NetScaler in the directory /mnt/temp/log/)

options:
  -h, --help   show this help message and exit
  --nologline  do not print the logline
```
### Example
```bash
$ python check-cve-2023-4966.py NetScaler/log/mnt/temp/log/ --nologline
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
```
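The following added example (not the code of `check-cve-2023-4966.py`) shows one way a log check of this kind can work on plain and gzip-rotated `ns.log` files, reporting the same fields as the output above. The `SSLVPN TCPCONNSTAT` record layout, the Client_ip/Source mismatch heuristic, and all sample records are assumptions constructed for illustration.

```python
import gzip
import re
import tempfile
from pathlib import Path

# Assumed shape of an SSLVPN TCPCONNSTAT record; the page does not show a raw log line.
RECORD = re.compile(
    r"SSLVPN TCPCONNSTAT .*?SessionId: (?P<session_id>\d+) - User (?P<user>\S+) - "
    r"Client_ip (?P<client_ip>[\d.]+) - .*?Source (?P<source_ip>[\d.]+):\d+"
)
# Constructed sample record (documentation IP ranges), not real log data.
SAMPLE = ('Oct 20 10:00:00 <local0.info> 192.0.2.1 10/20/2023:10:00:00 GMT ns 0-PPE-0 : '
          'default SSLVPN TCPCONNSTAT 100 0 : Context {user}@{client} - SessionId: {sid} - '
          'User {user} - Client_ip {client} - Nat_ip "Mapped Ip" - Vserver 192.0.2.10:443 - '
          'Source {source}:50000 - Destination 192.0.2.20:443 - Total_bytes_send 100\n')


def open_log(path):
    """Open a plain or gzip-rotated log (ns.log, ns.log.4.gz) as text."""
    opener = gzip.open if path.suffix == ".gz" else open
    return opener(path, "rt", errors="replace")


def scan_logdir(logdir):
    """Return one dict per record whose Client_ip differs from the Source address."""
    hits = []
    for path in sorted(Path(logdir).glob("ns.log*")):
        with open_log(path) as handle:
            for line in handle:
                match = RECORD.search(line)
                if match and match["client_ip"] != match["source_ip"]:
                    hits.append({"logpath": path.name, **match.groupdict()})
    return hits


def build_sample_logdir():
    """Create a temp log directory holding constructed records in both file types."""
    logdir = Path(tempfile.mkdtemp())
    same = SAMPLE.format(user="user2", sid=222, client="198.51.100.7", source="198.51.100.7")
    diff = SAMPLE.format(user="user1", sid=12345, client="198.51.100.7", source="203.0.113.9")
    (logdir / "ns.log").write_text(same + "Oct 20 10:00:01 unrelated line\n")
    with gzip.open(logdir / "ns.log.4.gz", "wt") as handle:
        handle.write(same + diff)
    return logdir


if __name__ == "__main__":
    for hit in scan_logdir(build_sample_logdir()):
        print(hit)
```

A hit from this heuristic is a lead for review against the session data, not proof of compromise.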
## Citrix XenDesktop/XenApp Monitoring Database
Citrix XenDesktop and XenApp sessions are logged in the monitoring database.
With this monitoring database it is possible to find the sessions and worker machines that might have been used after successful exploitation.
The helper directory contains SQL queries to check the monitoring database.
### machines.sql
Script to get the machine ID, name and IP address.
### last-sessions.sql
Query to get sessions from a specific machine (MachineId).
### session-query.sql
Query to get additional session information for a specific machine (MachineId) and user.
File snapshot
[4.0K] /data/pocs/312c130873f055c6d28cb559ddbd216b3254d797
├── [3.0K] check-cve-2023-4966.py
├── [4.0K] helper
│ ├── [ 275] last-sessions.sql
│ ├── [ 89] machines.sql
│ └── [ 604] session-query.sql
├── [1.0K] LICENCE
└── [2.5K] README.md
1 directory, 6 files