弱密码漏洞
弱密码工具
本工具是根据github上的原有工具进行修改的,原工具只有3个弱密码扫描,这里增加到了9个弱密码扫描,原工具传送门
并修改了用户名和密码的使用方式;
本工具目前可对SSH、postgresql、Redis、MySQL、mongoDB、FTP、sqlserver(mssql)、Dahua(大华)、hikvision(海康威视);这9个软件/Web进行弱密码扫描;
代码语言:python3
用户名-密码集合
username_dict 字典是各个类别的用户名,可自行增加;
passwords_list 列表是通用的密码字段,其中{user}是用来替换用户名字段,可自行增加修改;
# Usernames tried per service; the keys are the service names the scanner
# selects on. The commented-out entries are services this tool does not scan.
username_dict = {
    "ftp": ["ftp", "anonymous"],
    # "ftp": ["ftp", "admin", "www", "web", "root", "db", "wwwroot", "data"],
    "mysql": ["root", "mysql", "admin", "test"],
    "mssql": ["sa"],
    # "smb": ["administrator", "admin", "guest"],
    # "rdp": ["administrator", "admin", "guest"],
    "postgresql": ["postgres", "admin"],
    "ssh": ["root", "admin"],
    "mongodb": ["root", "admin"],
    # "oracle": ["sys", "system", "admin", "test", "web", "orcl"],
    "dahua": ["admin", "dahua", "root", "test"],
    "hikvision": ["admin"]
}
# Password candidates shared by every scanner. "{user}" is replaced with the
# username at scan time (the `pwd.replace("{user}", name)` step in each
# scanner). Note that the empty string "" is a candidate, i.e. a blank
# password is tested as well.
passwords_list = ["123456", "12345", 'asdf1234', 'abc12345', '12345{user}', "{user}12345", '12345abc', "admin", "admin123", "root",
                  "", "pass123", "pass@123", "password", "123123", "654321", "111111",
                  "123", "1", "admin@123", "Admin@123", "admin123!@#", "{user}", "{user}1", "{user}111", "{user}123",
                  "{user}@123", "{user}_123", "{user}#123", "{user}@111", "{user}@2019", "{user}@123#4", "P@ssw0rd!",
                  "P@ssw0rd", "Passw0rd", "qwe123", "12345678", "test", "test123", "123qwe", "123qwe!@#", "123456789",
                  "123321", "666666", "a123456.", "123456~a", "123456!a", "000000", "1234567890", "8888888", "888888", "!QAZ2wsx",
                  "1qaz2wsx", "abc123", "abc123456", "1qaz@WSX", "a11111", "a12345", "Aa1234", "Aa1234.", "Aa12345", "a123456",
                  "a123123", "Aa123123", "Aa123456", "Aa12345.", "sysadmin", "system", "1qaz!QAZ", "2wsx@WSX", "qwe123!@#",
                  "Aa123456!", "A123456s!", "sa123456", "1q2w3e", "Charge123", "Aa123456789", "pwd@123456"]
1、SSH弱密码
部分关键代码如下:
# One credential attempt against the SSH service. This is an excerpt: the
# worker loop, the method signature and the attributes it reads (qlist, host,
# port, timeout, result, show_log) are defined outside the shown code.
name, pwd = self.qlist.get().split(':')  # queue entries are "user:password" strings
if "{user}" in pwd:
    pwd = pwd.replace("{user}", name)  # expand the {user} placeholder from passwords_list
try:
    ssh = paramiko.SSHClient()
    # AutoAddPolicy accepts and stores any unknown host key, so the server's
    # identity is never verified by this client.
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    ssh.connect(hostname=self.host, port=self.port, username=name, password=pwd, timeout=self.timeout)
    time.sleep(0.05)
    ssh.close()
    # Reaching this point means the login succeeded; the plaintext password is
    # written to the log and kept in self.result.
    s = "[OK] %s:%s" % (name, pwd)
    self.show_log(self.host, s)
    self.result.append(s)
except socket.timeout:
    # Timed out: report it, requeue the same pair for a retry, then back off.
    self.show_log(self.host, "Timeout...")
    self.qlist.put(name + ':' + pwd)
    time.sleep(3)
except Exception as e:
    # Any other exception (e.g. a rejected login) is reported only as [Error];
    # `e` is discarded, so the actual cause is not logged.
    error = "[Error] %s:%s" % (name, pwd)
    self.show_log(self.host, error)
    pass
2、postgresql弱密码
部分关键代码如下:
# One credential attempt against PostgreSQL (excerpt; the worker loop and the
# method signature are outside the shown code).
name, pwd = self.qlist.get().split(':')  # queue entries are "user:password" strings
if "{user}" in pwd:
    pwd = pwd.replace("{user}", name)  # expand the {user} placeholder
try:
    # No connect_timeout is passed, so psycopg2's default applies.
    # NOTE(review): unclear whether socket.timeout below can ever be raised
    # here rather than psycopg2's own OperationalError — confirm.
    pgscon = psycopg2.connect(host=self.host, port=self.port, user=name, password=pwd)
    time.sleep(0.02)
    pgscon.close()
    s = "[OK] %s:%s" % (name, pwd)  # login succeeded; the password is logged in clear
    self.show_log(self.host, s)
    self.result.append(s)
except socket.timeout:
    self.show_log(self.host, "Timeout...")
    self.qlist.put(name + ':' + pwd)  # requeue the same pair for a retry
    time.sleep(3)
except Exception as e:
    # print(e)
    error = "[Error] %s:%s" % (name, pwd)  # any other failure; `e` is not recorded
    self.show_log(self.host, error)
    pass
3、redis弱密码
redis默认是没有用户名的,所以这里只用到密码合集内容
关键代码如下:
# One password attempt against Redis. Queue entries here are bare passwords,
# since this tool uses no username for Redis (see the note above).
pwd = self.qlist.get()
if "{user}" in pwd:
    pwd = pwd.replace("{user}", "redis")  # no username, so {user} becomes the literal "redis"
try:
    conn = redis.Redis(host=self.host, port=self.port, password=pwd)
    conn.ping()  # exercises the connection; presumably an auth failure surfaces here as an exception
    # time.sleep(0.05)
    s = "[OK] :%s" % (pwd)
    if pwd == "":
        s += "(no password)"  # the empty candidate succeeded: the instance accepts unauthenticated access
    self.show_log(self.host, s)
    self.result.append(s)
except socket.timeout:
    self.show_log(self.host, "Timeout...")
    # NOTE(review): the entry is requeued as ':' + pwd although get() above
    # returns a bare password, so the retried value would carry a leading
    # ':' — confirm against how the queue is filled.
    self.qlist.put(':' + pwd)
    time.sleep(1)
except Exception as e:
    error = "[Error] :%s" % (pwd)  # any other failure; `e` is not recorded
    self.show_log(self.host, error)
    pass
4、MySQL弱密码
关键代码如下:
# One credential attempt against MySQL (excerpt; the worker loop and the
# method signature are outside the shown code).
name, pwd = self.qlist.get().split(':')  # queue entries are "user:password" strings
if "{user}" in pwd:
    pwd = pwd.replace("{user}", name)  # expand the {user} placeholder
try:
    # The connection also selects the `mysql` system database; no connect
    # timeout is passed, so the driver default applies.
    # NOTE(review): an account whose password is right but that lacks access
    # to the `mysql` database would presumably end in the [Error] branch — confirm.
    conn = pymysql.connect(host=self.host, user=name, passwd=pwd, db='mysql', port=self.port)
    if conn:
        # time.sleep(0.05)
        conn.close()
        s = "[OK] %s:%s" % (name, pwd)  # login succeeded; the password is logged in clear
        self.show_log(self.host, s)
        self.result.append(s)
except socket.timeout:
    self.show_log(self.host, "Timeout")
    self.qlist.put(name + ':' + pwd)  # requeue the same pair for a retry
    time.sleep(3)
except Exception as e:
    # print(e)
    error = "[Error] %s:%s" % (name, pwd)  # any other failure; `e` is not recorded
    self.show_log(self.host, error)
    pass
5、mongodb弱密码
mongoDB这里是针对不同pymongo版本使用不同方法,4.0版本之前和之后的调用方法不一样,这里做了版本判断,不影响使用
关键代码如下:
# One credential attempt against MongoDB (excerpt; the worker loop and the
# method signature are outside the shown code).
pymongo_ver = pymongo.version  # version string; its major number selects the auth API below
name, pwd = self.qlist.get().split(':')  # queue entries are "user:password" strings
if "{user}" in pwd:
    pwd = pwd.replace("{user}", name)  # expand the {user} placeholder
try:
    if int(pymongo_ver.split(".")[0]) >= 4:
        # pymongo >= 4: credentials are given to the client constructor and
        # the list_database_names() call is what exercises them.
        # Only socketTimeoutMS is set; server selection keeps the driver
        # default — NOTE(review): confirm this is the intended bound.
        conn = pymongo.MongoClient(host=self.host, port=self.port, username=name, password=pwd, socketTimeoutMS=3000)
        conn.list_database_names()
    else:
        # pymongo < 4: connect without credentials, then authenticate on the
        # admin database (this API is what the 4.x branch above replaces).
        conn = pymongo.MongoClient(host=self.host, port=self.port, socketTimeoutMS=3000)
        if name or pwd:
            db = conn.admin
            db.authenticate(name, pwd)
        else:
            conn.list_database_names()  # empty user and password: checks for unauthenticated access
    conn.close()
    s = "[OK] %s:%s" % (name, pwd)  # login succeeded; the password is logged in clear
    self.show_log(self.host, s)
    self.result.append(s)
except socket.timeout:
    self.show_log(self.host, "Timeout...")
    self.qlist.put(name + ':' + pwd)  # requeue the same pair for a retry
    time.sleep(3)
except Exception as e:
    # print(e)
    error = "[Error] %s:%s" % (name, pwd)  # any other failure; `e` is not recorded
    self.show_log(self.host, error)
    pass
6、FTP弱密码
FTP弱密码这里是要先做匿名登录的,先进行匿名登录尝试,然后再使用用户名和密码进行扫描
关键代码如下:
# Anonymous login is tried first, guarded by is_exit so it runs only once; on
# success the remaining credential queue is discarded. (Excerpt: the worker
# loop and the method signature are outside the shown code.)
try:
    if not self.is_exit:
        ftpclient = ftplib.FTP()
        ftpclient.connect(host=self.host, port=self.port)  # no timeout here, unlike the credential attempt below
        ftpclient.login()  # ftplib's login() with no arguments uses user "anonymous"
        ftpclient.close()
        s = "[OK] %s:%s" % ("匿名登录", "匿名登录")
        self.show_log(self.host, s)
        self.result.append(s)
        self.is_exit = True
        # Drops the pending pairs by clearing the underlying deque directly;
        # if qlist is a queue.Queue this bypasses its lock.
        self.qlist.queue.clear()
except Exception as e:
    print("匿名登录error:", e)  # anonymous login failed (or any other error); continue with credentials
# One credential attempt.
name, pwd = self.qlist.get().split(':')  # queue entries are "user:password" strings
if "{user}" in pwd:
    pwd = pwd.replace("{user}", name)  # expand the {user} placeholder
try:
    ftpclient = ftplib.FTP()
    ftpclient.connect(host=self.host, port=self.port, timeout=3)
    ftpclient.login(name, pwd)
    ftpclient.close()
    s = "[OK] %s:%s" % (name, pwd)  # login succeeded; the password is logged in clear
    self.show_log(self.host, s)
    self.result.append(s)
except socket.timeout:
    self.show_log(self.host, "Timeout")
    self.qlist.put(name + ':' + pwd)  # requeue the same pair for a retry
    time.sleep(3)
except Exception as e:
    print(e)
    error = "[Error] %s:%s" % (name, pwd)
    self.show_log(self.host, error)
    pass
7、sqlserver(mssql)弱密码
sqlserver就是mssql
关键代码如下:
# One credential attempt against SQL Server (excerpt; the worker loop and the
# method signature are outside the shown code).
name, pwd = self.qlist.get().split(':')  # queue entries are "user:password" strings
if "{user}" in pwd:
    pwd = pwd.replace("{user}", name)  # expand the {user} placeholder
try:
    # No login timeout is passed, so the driver default applies.
    # NOTE(review): unclear whether socket.timeout below can be raised here
    # rather than pymssql's own error type — confirm.
    conn = pymssql.connect(host=self.host, port=self.port, user=name, password=pwd)
    if conn:
        # time.sleep(0.05)
        conn.close()
        s = "[OK] %s:%s" % (name, pwd)  # login succeeded; the password is logged in clear
        self.show_log(self.host, s)
        self.result.append(s)
except socket.timeout:
    self.show_log(self.host, "Timeout")
    self.qlist.put(name + ':' + pwd)  # requeue the same pair for a retry
    time.sleep(3)
except Exception as e:
    print(e)
    error = "[Error] %s:%s" % (name, pwd)
    self.show_log(self.host, error)
    pass
8、dahua(大华)弱密码
关键代码如下:
# One credential attempt against the Dahua web login RPC (excerpt; the worker
# loop and the method signature are outside the shown code).
ip = self.host + ":" + self.port  # string concatenation: self.port must be a str here
url = f"http://{ip}/RPC2_Login"  # plain http; the password below travels unencrypted
headers = {
    'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
    'Host': ip,
    'Origin': 'http://' + ip,
    'Referer': 'http://' + ip,
    'Accept': 'application/json, text/javascript, */*; q=0.01',
    'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
    'Connection': 'close',
    'X-Requested-With': 'XMLHttpRequest',
}
name, pwd = self.qlist.get().split(':')  # queue entries are "user:password" strings
if "{user}" in pwd:
    pwd = pwd.replace("{user}", name)  # expand the {user} placeholder
print(name, pwd)  # debug output: writes the plaintext credential pair to stdout on every attempt
# Login request body; "passwordType": "Plain" sends the password as-is.
_json = {
    "method": "global.login",
    "params": {
        "userName": name,
        "password": pwd,
        "clientType": "Web3.0",
        "loginType": "Direct",
        "authorityType": "Default",
        "passwordType": "Plain",
    },
    "id": 1,
    "session": 0,
}
try:
    # verify=False disables TLS verification; it has no effect on this http
    # URL unless the device redirects to https.
    r = requests.post(url, headers=headers, json=_json, verify=False, timeout=5)
    # A missing 'result' key raises KeyError, which the generic handler below catches.
    if r.status_code == 200 and r.json()['result'] == True:
        s = "[OK] %s:%s" % (name, pwd)  # login accepted; the password is logged in clear
        self.show_log(self.host, s)
        self.result.append(s)
except socket.timeout:
    # NOTE(review): requests reports timeouts with its own exception type
    # (requests.exceptions.Timeout), not socket.timeout, so this branch is
    # likely never taken and timeouts fall through to the handler below — confirm.
    self.show_log(self.host, "Timeout")
    self.qlist.put(name + ':' + pwd)
    time.sleep(3)
    print("Timeout")
except Exception as e:
    print(e)
    error = "[Error] %s:%s" % (name, pwd)
    self.show_log(self.host, error)
    pass
9、hikvision(海康威视)弱密码
关键代码如下:
# One credential attempt against the Hikvision ISAPI user check (excerpt; the
# worker loop and the method signature are outside the shown code).
ip = self.host + ":" + self.port  # string concatenation: self.port must be a str here
url = f"http://{ip}/ISAPI/Security/userCheck"  # plain http
headers = {
    'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
    'Connection': 'close'
}
name, pwd = self.qlist.get().split(':')  # queue entries are "user:password" strings
if "{user}" in pwd:
    pwd = pwd.replace("{user}", name)  # expand the {user} placeholder
# print(name,pwd)
try:
    # auth=(name, pwd) is sent as HTTP Basic auth; verify=False has no effect
    # on this http URL unless the device redirects to https.
    r = requests.get(url, auth=(name, pwd), timeout=10, headers=headers, verify=False)
    print(r.status_code)  # debug output on every attempt
    print(r.text)  # debug output: the full response body on every attempt
    # Success is inferred from markers in the body, not from a parsed field.
    if r.status_code == 200 and 'userCheck' in r.text and 'statusValue' in r.text and '200' in r.text:
        s = "[OK] %s:%s" % (name, pwd)  # login accepted; the password is logged in clear
        self.show_log(self.host, s)
        self.result.append(s)
except socket.timeout:
    # NOTE(review): requests raises requests.exceptions.Timeout rather than
    # socket.timeout, so this branch is likely never taken — confirm.
    self.show_log(self.host, "Timeout")
    self.qlist.put(name + ':' + pwd)
    time.sleep(3)
    print("Timeout")
except Exception as e:
    # Failures are only printed; the [Error] log line is commented out, so
    # they do not appear in show_log output.
    print(e)
    # error = "[Error] %s:%s" % (name,pwd)
    # self.show_log(self.host,error)
    pass
工具源码地址
github地址:WeakpassScan