CVE-2023-4966 PoC — Citrix Systems NetScaler ADC and NetScaler Gateway Security Vulnerability

Source
Associated Vulnerability
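Title: Citrix Systems NetScaler ADC and NetScaler Gateway Security Vulnerability (CVE-2023-4966)
Description: Citrix Systems Citrix NetScaler Gateway (Citrix Systems Gateway) and Citrix Systems NetScaler ADC are both products of the US company Citrix Systems. Citrix NetScaler Gateway is a secure remote access solution. It gives administrators application-level and data-level controls so that users can remotely access applications and data from any location. Citrix Systems NetScaler ADC is an application delivery and security platform. NetScale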
Description
Python script to search Citrix NetScaler logs for possible CVE-2023-4966 exploitation.
Readme
# Scan for CVE-2023-4966 IoCs

## Script: check-cve-2023-4966.py

The script searches the Citrix NetScaler logs for possible CVE-2023-4966 exploitation.

### Usage

```
usage: check-cve-2023-4966.py [-h] [--nologline] logdir_path

Python script to check CitrixNetScaler logs for possible CVE-2023-4966 exploitation

positional arguments:
  logdir_path  path to NetScaler log files (located on the NetScaler in the directory /mnt/temp/log/)

options:
  -h, --help   show this help message and exit
  --nologline  do not print the logline
```

### Example

```bash
$ python check-cve-2023-4966.py NetScaler/log/mnt/temp/log/ --nologline
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
```
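
The following sketch is an added example, not the project's `check-cve-2023-4966.py`. It assumes that NetScaler `SSLVPN TCPCONNSTAT` records carry `SessionId`, `User`, `Client_ip` and `Source` fields in the layout shown, and that a `Source` address differing from `Client_ip` marks a session worth reviewing. The log lines are constructed, and repeated hits are collapsed into counts.

```python
import re
from collections import Counter

# Assumed layout of an SSLVPN TCPCONNSTAT record; only the fields used are matched.
RECORD = re.compile(
    r"SSLVPN TCPCONNSTAT .*?SessionId: (?P<session_id>\d+) - User (?P<user>\S+) - "
    r"Client_ip (?P<client_ip>\S+) - .*?- Source (?P<source_ip>[\d.]+):\d+ - "
)

def _line(n, user, sid, client, source):
    """Build one constructed TCPCONNSTAT line (hypothetical helper for the sample)."""
    return (f"Oct 20 08:00:0{n} <local0.info> 10.0.0.1 ns 0-PPE-0 : default "
            f"SSLVPN TCPCONNSTAT 10{n} 0 : Context {user}@{client} - "
            f"SessionId: {sid} - User {user} - Client_ip {client} - "
            f'Nat_ip "Mapped Ip" - Vserver 10.0.0.5:443 - '
            f"Source {source}:5011{n} - Destination 10.0.1.20:443 - Total_bytes_send 0")

# Constructed sample input using documentation address ranges, not real log data.
SAMPLE_LOG = [
    _line(1, "user1", 12345, "192.0.2.10", "192.0.2.10"),    # addresses agree
    _line(2, "user2", 12346, "192.0.2.20", "198.51.100.7"),  # mismatch
    _line(3, "user2", 12346, "192.0.2.20", "198.51.100.7"),  # same mismatch again
    "Oct 20 08:00:04 <local0.info> 10.0.0.1 ns 0-PPE-0 : default SSLVPN LOGIN 104 0 : "
    "Context user3@192.0.2.30 - SessionId: 12347 - User user3 - Client_ip 192.0.2.30",
]

def find_mismatches(lines):
    """Yield the parsed fields of each record whose Source IP differs from Client_ip."""
    for line in lines:
        match = RECORD.search(line)
        if match is None:
            continue  # not a TCPCONNSTAT record, or a layout this sketch does not know
        record = match.groupdict()
        if record["client_ip"] != record["source_ip"]:
            yield record

def summarize(hits):
    """Count hits per unique (user, client_ip, source_ip, session_id) tuple."""
    return Counter(
        (h["user"], h["client_ip"], h["source_ip"], h["session_id"]) for h in hits
    )

if __name__ == "__main__":
    for (user, client, source, sid), count in summarize(find_mismatches(SAMPLE_LOG)).items():
        print(f"User: {user} Client_ip: {client} Source_ip {source} "
              f"Session_id: {sid} Hits: {count}")
```

A mismatch is a lead for triage rather than proof of compromise, since a client that changes networks mid-session can also produce one.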

## Citrix XenDesk/XenApp Monitoring Database

Citrix XenDesk and XenApp sessions are logged in the monitoring database.
The monitoring database can be used to find the sessions and worker machines that might have been used after successful exploitation.

The helper directory contains SQL queries to check the monitoring database.

### machines.sql

Script to get the machine ID, name and IP address.

### last-sessions.sql

Query to get sessions from a specific machine (MachineId).

### session query

Query to get additional session information for a specific machine (MachineId) and user.
File Snapshot

```
[4.0K] /data/pocs/312c130873f055c6d28cb559ddbd216b3254d797
├── [3.0K] check-cve-2023-4966.py
├── [4.0K] helper
│   ├── [ 275] last-sessions.sql
│   ├── [ 89] machines.sql
│   └── [ 604] session-query.sql
├── [1.0K] LICENCE
└── [2.5K] README.md

1 directory, 6 files
```