#coding:utf-8
#Author:se55i0n
import requests
import MySQLdb
import socket
import cx_Oracle
import pymongo
import psycopg2
import binascii
from config import *
class check(object):
    """Per-service probes against one host (Python 2 source: ``print u'...'``).

    Every method opens a connection to one well-known port on ``ip`` and
    prints a line when either a listed credential is accepted or a request
    that needs no authentication gets a meaningful answer.  Nothing is
    returned and every exception is swallowed, so a closed port, a rejected
    password and a driver error are indistinguishable to the caller.

    Names used here but not defined in this file come from
    ``from config import *`` and cannot be checked from this view:
    ``passwd`` (iterable of candidate passwords containing a ``{user}``
    placeholder), ``oracle_user`` / ``oracle_pass_default`` (indexed in
    parallel by ``oracle``), ``data`` (hex string template used by
    ``mssql``) and ``G`` / ``W`` (presumably terminal colour codes wrapping
    the output -- TODO confirm in config).

    Seen from the service side each probe is an ordinary TCP connect
    followed by either a login attempt (root / sa / sys / postgres / the
    Oracle default pairs) or one unauthenticated command (Redis ``INFO``,
    Memcached ``stats``, HTTP ``GET /_cat``), so it is visible in the
    service's own authentication or access logs.
    """

    def mysql(self, ip):
        """Try each entry of ``passwd`` as the MySQL ``root`` password on port 3306.

        Stops after the first successful connect; all failures are ignored.
        """
        for pwd in passwd:
            try:
                pwd = pwd.replace('{user}', 'root')
                conn = MySQLdb.connect(ip, 'root', pwd, 'mysql')
                print u'{}[+] {}:3306 Mysql存在弱口令: root {}{}'.format(G, ip, pwd, W)
                conn.close()
                break
            except Exception as e:
                # Connection refused, auth failure and driver errors all end here.
                pass

    #author:hos@YSRC
    def mssql(self, ip):
        """Try each entry of ``passwd`` as the MSSQL ``sa`` password over a raw socket.

        A hex template ``data`` (from config; presumably a pre-built login
        packet -- TODO confirm) is patched with the hex-encoded target
        address, username and password plus their lengths, decoded to bytes
        and sent to port 1433.  The attempt counts as successful when the
        string 'master' appears in the first 1024 bytes of the reply.
        """
        for pwd in passwd:
            try:
                pwd = pwd.replace('{user}', 'sa')
                s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                s.connect((ip, 1433))
                husername = binascii.b2a_hex('sa')
                lusername = len('sa')
                lpassword = len(pwd)
                hpwd = binascii.b2a_hex(pwd)
                # "<ip hex>:<port hex>" -- '3a' is the hex of ':'.
                address = binascii.b2a_hex(ip) +'3a'+ binascii.b2a_hex(str(1433))
                # NOTE(review): str.replace substitutes every occurrence of the
                # slice taken at offsets 16 / 78 / 140, not only the slice in
                # place; this relies on the template having no second match.
                data1 = data.replace(data[16:16+len(address)], address)
                data2 = data1.replace(data1[78:78+len(husername)], husername)
                data3 = data2.replace(data2[140:140+len(hpwd)], hpwd)
                # Length markers in the template ('0X', '0Y', 'ZZ') are replaced
                # by the hex lengths; below 16 the hex is one digit, so only the
                # 'X' / 'Y' is replaced and the leading '0' is kept for width.
                if lusername >= 16:
                    data4 = data3.replace('0X', str(hex(lusername)).replace('0x', ''))
                else:
                    data4 = data3.replace('X', str(hex(lusername)).replace('0x', ''))
                if lpassword >= 16:
                    data5 = data4.replace('0Y', str(hex(lpassword)).replace('0x', ''))
                else:
                    data5 = data4.replace('Y', str(hex(lpassword)).replace('0x', ''))
                # Length of "<ip>:<port>" (the +1 is the ':'), as hex without prefix.
                hladd = hex(len(ip) + len(str(1433))+1).replace('0x', '')
                data6 = data5.replace('ZZ', str(hladd))
                data7 = binascii.a2b_hex(data6)
                s.send(data7)
                if 'master' in s.recv(1024):
                    print u'{}[+] {}:1433 SQLserver存在弱口令: sa {}{}'.format(G, ip, pwd, W)
                    break
            except Exception as e:
                pass
            finally:
                # NOTE(review): if socket.socket() itself raised on the first
                # iteration, ``s`` is unbound here and this raises NameError.
                s.close()

    def oracle(self, ip):
        """Try Oracle default user/password pairs, then ``passwd`` entries for ``sys``.

        Both loops connect to ``<ip>:1521/orcl``.  The first loop tries every
        pair without stopping; the second stops at the first success.
        """
        # NOTE(review): the range starts at 1, so index 0 of ``oracle_user`` /
        # ``oracle_pass_default`` is never used -- confirm whether intentional.
        for i in range(1, len(oracle_user)):
            try:
                user = oracle_user[i]
                pwd = oracle_pass_default[i]
                conn = cx_Oracle.connect(user, pwd, ip+':1521/orcl')
                print u'{}[+] {}:1521 Oracle存在弱口令: {} {}{}'.format(G, ip, user, pwd, W)
                conn.close()
            except Exception as e:
                pass
        for pwd in passwd:
            try:
                pwd = pwd.replace('{user}', 'sys')
                conn = cx_Oracle.connect('sys', pwd, ip+':1521/orcl')
                print u'{}[+] {}:1521 Oracle存在弱口令: sys {}{}'.format(G, ip, pwd, W)
                conn.close()
                break
            except Exception as e:
                pass

    def postgresql(self, ip):
        """Try each entry of ``passwd`` as the PostgreSQL ``postgres`` password on port 5432.

        Stops after the first successful connect; all failures are ignored.
        """
        for pwd in passwd:
            try:
                pwd = pwd.replace('{user}', 'postgres')
                conn = psycopg2.connect(host=ip, port=5432, user='postgres', password=pwd)
                print u'{} [+] {}:5432 Postgresql存在弱口令: postgres {}{}'.format(G, ip, pwd, W)
                conn.close()
                break
            except Exception as e:
                pass

    def redis(self, ip):
        """Check Redis on port 6379 for unauthenticated access, else try ``passwd`` via AUTH.

        An ``INFO`` reply containing 'redis_version' means no password is
        required.  Otherwise one fresh socket per candidate sends
        ``AUTH <pwd>`` and '+OK' in the reply counts as success.
        """
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((ip, 6379))
            s.send('INFO\r\n')
            if 'redis_version' in s.recv(1024):
                print u'{}[+] {}:6379 Redis存在未授权访问{}'.format(G, ip, W)
            else:
                for pwd in passwd:
                    try:
                        pwd = pwd.replace('{user}', 'admin')
                        # Rebinds the outer ``s``: the INFO socket is no longer
                        # referenced and is not closed explicitly; the outer
                        # finally only sees the last socket bound here.
                        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                        s.connect((ip, 6379))
                        s.send('AUTH {}\r\n'.format(pwd))
                        if '+OK' in s.recv(1024):
                            print u'{}[+] {}:6379 Redis存在弱口令: {}{}'.format(G, ip, pwd, W)
                            break
                    except Exception as e:
                        pass
                    finally:
                        s.close()
        except Exception as e:
            pass
        finally:
            # Closes whichever socket ``s`` currently names (a second close is harmless).
            s.close()

    def mongodb(self, ip):
        """Report MongoDB on port 27017 as unauthenticated if database names can be listed."""
        try:
            conn = pymongo.MongoClient(ip, 27017)
            dbname = conn.database_names()
            print u'{}[+] {}:27017 MongoDB存在未授权访问{}'.format(G, ip, W)
        except Exception as e:
            pass
        finally:
            # NOTE(review): if MongoClient() itself raised, ``conn`` is unbound
            # here and this line raises NameError out of the method.
            conn.close()

    def memcached(self, ip):
        """Report Memcached on port 11211 as unauthenticated if ``stats`` answers with 'version'."""
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((ip, 11211))
            s.send('stats\r\n')
            if 'version' in s.recv(1024):
                print u'{}[+] {}:11211 Memcached存在未授权访问{}'.format(G, ip, W)
        except Exception as e:
            pass
        finally:
            # NOTE(review): unbound ``s`` here (socket.socket() raising) would
            # surface as NameError rather than being swallowed above.
            s.close()

    def elasticsearch(self, ip):
        """Report Elasticsearch on port 9200 as unauthenticated if ``GET /_cat`` lists '/_cat/master'.

        Plain HTTP only, 5 s timeout; any request error is ignored.
        """
        try:
            url = 'http://' + ip +':9200/_cat'
            r = requests.get(url, timeout=5)
            if '/_cat/master' in r.content:
                print u'{}[+] {}:9200 Elasticsearch存在未授权访问{}'.format(G, ip, W)
        except Exception as e:
            pass