Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2019-19781 PoC — Citrix Application Delivery Controller和Citrix Systems Gateway 路径遍历漏洞

Source
https://github.com/nmanzi/webcvescanner
Associated Vulnerability
Title:Citrix Application Delivery Controller和Citrix Systems Gateway 路径遍历漏洞 (CVE-2019-19781)
Description:An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.
Description
Gather a list of Citrix appliances in a country / state pair, and check if they're vulnerable to CVE-2019-19781
Readme
# shitsniffer
Gather a list of Citrix appliances in a country / state pair, and check if they're vulnerable to CVE-2019-19781. Results are output as JSON which can be wrangled quite nicely into a meaningful PowerBI report.

It does this by querying Shodan for all results in a particular country matching a search string. By default, it searches `country:AU has_ssl:true` with the search string `"Set-Cookie: pwcount=0"`

To check for vulnerability, we see if a `HEAD` for `https://<HOST>/vpn/%2E%2E/vpns/cfg/smb.conf` returns a status `200`. This means directory traversal is allowed, and the patch or workaround has not been applied to the host.

## Setup
You'll need to download the GeoLite2 ASN and City DBs, which will resolve details on discovered hosts. You can find the downloads here: https://dev.maxmind.com/geoip/geoip2/geolite2/

Place the .mmdb files into a folder named geolite under where you extracted shitsniffer.py

## Usage
```
usage: shitsniffer.py [-h] [-t TARGETHOST] [-f RESULTSFILE] [-d DATAFILE]
                      [-a APIKEY] [-c COUNTRY] [-s SEARCHSTRING] [-n]
                      [-l LIMIT]

OPTIONS:
  -h, --help            show this help message and exit
  -t TARGETHOST, --targethost TARGETHOST
                        Host to check, will scan shodan if not specified
  -f RESULTSFILE, --resultsfile RESULTSFILE
                        Where to save the scanner output json file
  -d DATAFILE, --datafile DATAFILE
                        Path to save/load shodan data file (saves query
                        credits)
  -a APIKEY, --apikey APIKEY
                        Your shodan.io API key
  -c COUNTRY, --country COUNTRY
                        Country to search
  -s SEARCHSTRING, --searchstring SEARCHSTRING
                        Additional search arguments
  -n, --no-color        Output without color
  -l LIMIT, --limit LIMIT
                        Process this many hosts from shodan data

Example: python shitsniffer.py -a <API key> -d shodan-DDMMYY.json -f output-DDMMYY.json
```

## Thanks
Thanks goes to Diverse Services for allowing me time to indulge myself with this endeavour.
File Snapshot

 [4.0K]  /data/pocs/851502d02e6ec6f3260e7d9e8a5fb2587f11ae53
├── [ 34K]  LICENSE
├── [2.1K]  README.md
└── [9.0K]  shitsniffer.py

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →