PoC details: 59bc8c40c5685776e426f16870b7ce5e83721a83

Source
Related vulnerability
Title: Fortra GoAnywhere MFT security vulnerability (CVE-2025-10035)
Description: Fortra GoAnywhere MFT is a file transfer product from the US company Fortra. Fortra GoAnywhere MFT contains a security vulnerability caused by improper deserialization in the License Servlet, which may lead to command injection.
Description
CVE-2025-10035_GoAnywhere Get RCE
Introduction
# GoAnywhere CVE-2025-10035 Checker

![GoAnywhere Logo](./go-anywhere.jpg)

**Description**  
A lightweight Python **checker** that detects whether a GoAnywhere instance is vulnerable to **CVE‑2025‑10035**.  
This tool sends a crafted GET request with a randomized `User-Agent` (using `fake-useragent` with a fallback list), does **not** follow redirects, inspects the `Location` header, and classifies the instance as **Unpatched (vulnerable)** or **Patched (not vulnerable)**.  
> Note: this repository currently contains **only the checker**. A PoC may be added later in a separate, clearly-labeled location if/when appropriate — for now this project is detection-only.

---

## Vulnerability overview

**CVE‑2025‑10035 (summary for this checker)**  
An unpatched GoAnywhere AdminErrorHandlerServlet may generate a valid license request token and return it embedded in a redirect URL. That token commonly appears as a `bundle` query parameter in the `Location` header (often redirecting to `my.goanywhere.com`).

- **Unpatched (Vulnerable)** — A crafted request results in an HTTP redirect to `my.goanywhere.com` (or another host) **with a `bundle` query parameter**. Presence of `bundle` = vulnerable.
- **Patched (Not vulnerable)** — The fixed instance either redirects to a local path such as `/license/Unlicensed.xhtml` **without** `bundle`, or does **not** redirect.
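The classification rule above, written out as an added example that is not the checker's own code from this repository. It uses the standard library's `urllib` in place of `requests` so it runs without third-party packages; the sample responses and the `PLACEHOLDER_TOKEN` value are constructed, and because the page does not show the crafted request path, `check_target` takes a full URL from the caller.

```python
"""Added example: classify a GoAnywhere response the way the README describes."""
from typing import Optional
from urllib.parse import parse_qs, urlsplit
import urllib.error
import urllib.request

VULNERABLE = "Vulnerable"
NOT_VULNERABLE = "Not Vulnerable"
ERROR = "Error"

# Constructed sample responses (not real scan data) covering the three outcomes.
SAMPLES = {
    "unpatched": (302, "https://my.goanywhere.com/?bundle=PLACEHOLDER_TOKEN"),
    "patched_redirect": (302, "/license/Unlicensed.xhtml"),
    "patched_no_redirect": (200, None),
}


def classify_response(status: int, location: Optional[str]) -> str:
    """README rule: a redirect whose Location carries a `bundle` query
    parameter means a license token leaked (unpatched); a redirect without
    it, or no redirect at all, means patched."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return NOT_VULNERABLE
    # Location may be absolute (https://my.goanywhere.com/...) or a local
    # path (/license/Unlicensed.xhtml); urlsplit handles both forms.
    query = parse_qs(urlsplit(location).query, keep_blank_values=True)
    return VULNERABLE if "bundle" in query else NOT_VULNERABLE


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects (the equivalent of
    requests' allow_redirects=False) so the Location header stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_target(url: str, user_agent: str = "Mozilla/5.0", timeout: float = 10.0) -> str:
    """Fetch `url` without following redirects and classify the result."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as e:
        # With redirects suppressed, a 3xx surfaces as HTTPError; it still
        # carries the status and headers, so classify it normally.
        return classify_response(e.code, e.headers.get("Location"))
    except (urllib.error.URLError, OSError):
        return ERROR
```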

> Ethical reminder: **only** run this checker against systems you own or are explicitly authorized to test. Unauthorized scanning may be illegal and/or disruptive.

---

## Features
- Random `User-Agent` per request (`fake-useragent` + fallback list).  
- Does **not** follow redirects (`allow_redirects=False`) so the `Location` header can be inspected.  
- Multi-threaded scanning via `multiprocessing.dummy.Pool`.  
- Colorized terminal output using `colorama`.  
- Vulnerable targets appended to a results file.

---

## Requirements

- Python 3.8+ (3.10+ recommended)  
- Python packages:
  - `requests`
  - `fake-useragent`
  - `colorama`
  - `urllib3` (usually installed with `requests`)

**requirements.txt**

---


## Install dependencies

```bash
python -m venv .venv        # optional but recommended
source .venv/bin/activate   # macOS / Linux
.venv\Scripts\activate      # Windows
pip install -r requirements.txt
```

---

## Usage Examples

Below are practical examples you can copy/paste to run the checker in different scenarios: single-target rapid test, batch scanning, low-rate scanning for production safety, running inside Docker, and a minimal GitHub Actions snippet to run the checker periodically or on push.

> These examples assume your script file is named `check_goanywhere.py` and is executable with `python check_goanywhere.py`. Adjust filenames, paths, and thread counts to suit your environment.

---

### 1) Basic — scan a list of targets (default threads)
```bash
# Scan targets listed in examples/targets.txt and append vulnerable hosts to results.txt
python check_goanywhere.py examples/targets.txt results.txt

# Use 10 worker threads for faster scanning (be careful with concurrency against production)
python check_goanywhere.py examples/targets.txt results.txt 10
```

---

## Sample Output

Below are realistic sample outputs you can expect when running the checker. All examples assume the default banner prints at start; the `[-]` / `[+]` prefixes mark the colored status messages the script prints to the terminal, and `n/N` is the progress counter. After the scan, vulnerable hosts are appended to the results file.

```text
[-] Not Vulnerable: https://0.0.0.0:443 - n/N
[-] Erorr: http://0.0.0.0:8000 - n/N
[-] Erorr: https://0.0.0.0:443 - n/N
[-] Erorr: https://0.0.0.0:443 - n/N
[-] Erorr: https://0.0.0.0:443 - n/N
[-] Not Vulnerable: https://0.0.0.0:443 - n/N
[+] Vulnerable: https://0.0.0.0:443 - n/N
```

File snapshot

```text
[4.0K] /data/pocs/59bc8c40c5685776e426f16870b7ce5e83721a83
├── [6.4K] check_goanywhere.py
├── [ 21K] go-anywhere.jpg
├── [3.7K] README.md
└── [  41] requirements.txt

0 directories, 4 files
```