During one of my company's penetration testing projects I found an LDAP service (port 389) being used as the backend user-authentication database, so I wrote a batch anonymous-access detection script, ldap2018.py:
#!/usr/bin/env python3
# encoding: utf-8
# http://ldap3.readthedocs.io/tutorial.html#accessing-an-ldap-server
# ldap2018.py - batch check for LDAP servers that accept an anonymous bind.
# (Ported from the original Python 2 script: print statements, file(),
#  reload(sys)/setdefaultencoding and "except Exception, e" replaced by their
#  Python 3 equivalents; the detection logic is unchanged.)
import ldap3

IpFile = open('./ldap1.txt')                               # target list, one host:port per line
fp = open('./ldap1_success.txt', 'a', encoding='utf-8')    # results file; utf-8 so non-ASCII text is written safely
timeout = 10


def check(host, port):
    try:
        print("[*]%s:%d" % (host, port))
        info = ''
        server = ldap3.Server(host, port, get_info=ldap3.ALL, connect_timeout=timeout)
        # No user or password is given, so auto_bind=True performs an anonymous
        # simple bind and reads the root DSE into server.info; a refused bind raises.
        conn = ldap3.Connection(server, auto_bind=True)
        print("[*]server=%s" % server)
        # print("[*]conn=%s" % conn)
        # An earlier variant only flagged hosts whose naming contexts include
        # "o=services"; the check below flags any host whose root DSE lists
        # naming contexts after the anonymous bind. server.info is None when
        # the root DSE could not be read, hence the extra guard.
        if server.info is not None and len(server.info.naming_contexts) > 0:
            # print(conn.result)
            info += '%s:%d //LDAP anonymous access vulnerability present\n' % (host, port)
            print(info)
            fp.write(info)
            fp.flush()
        else:
            info += '%s:%d //no LDAP anonymous access vulnerability\n' % (host, port)
            print(info)
        conn.unbind()
    except Exception as e:
        print("Exception:%s" % e)


if __name__ == '__main__':
    print('''
----------------------------------------------------------------------------------------
Program: LDAP anonymous access detection script ldap2018.py
Author:  pt007@vip.sina.com
Usage:   list the targets to scan in ldap1.txt, one host:port per line,
         e.g. 10.110.123.30:389, then run:
         python ldap2018.py
-----------------------------------------------------------------------------------------
''')
    ip_list = []
    print("[*]ldap ip list:", end=' ')
    while True:
        line = IpFile.readline()
        if len(line) == 0:          # zero length indicates EOF
            break
        line = line.strip()
        if not line:                # skip blank lines so host:port splitting cannot fail
            continue
        print(line, end=' ')
        ip_list.append(line)
    IpFile.close()
    print()
    for i in ip_list:
        host, port = i.split(":")
        check(host, int(port))
    fp.close()
    print("[*]Test done, please check ldap1_success.txt!")
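One caveat on what the script above measures: almost every LDAP server lets an anonymous bind read the root DSE, and namingContexts is published there by design, so a non-empty naming context list on its own is not the finding. The finding is when an anonymous bind can also read real entries under those contexts. The following is an added example, not code from the original post: it performs the same probe on a raw socket (no ldap3 dependency), building the LDAPv3 BindRequest and SearchRequest messages in BER per RFC 4511, decoding the BindResponse, SearchResultEntry and SearchResultDone that come back, and then trying to read one entry (sizeLimit 1, attribute "1.1" meaning "no attributes") under each naming context. The function names, the `SAMPLE_BIND_OK` bytes and the file name in the usage comment are this example's own constructions; `o=services` and `dc=example,dc=com` appear only as constructed sample values.

```python
"""Raw-socket LDAPv3 anonymous-access probe (RFC 4511 BER encoding, no ldap3 needed)."""
import socket
import sys

# ---- minimal BER encoding ---------------------------------------------------
def ber_len(n):
    """Definite-form length octets: short form below 128, long form at or above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v, tag=0x02):
    """INTEGER (or ENUMERATED with tag=0x0A) in minimal two's-complement form."""
    return tlv(tag, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def ber_str(s):
    return tlv(0x04, s.encode())

def build_bind_request(msgid):
    """BindRequest [APPLICATION 0]: version 3, empty name, empty simple password = anonymous."""
    op = tlv(0x60, ber_int(3) + ber_str("") + tlv(0x80, b""))
    return tlv(0x30, ber_int(msgid) + op)

def build_search_request(msgid, base, scope, attrs, size_limit=0):
    """SearchRequest [APPLICATION 3] with the 'present' filter (objectClass=*).
    scope: 0 = baseObject (the root DSE when base is ""), 1 = oneLevel, 2 = wholeSubtree."""
    op = tlv(0x63, ber_str(base)
             + ber_int(scope, tag=0x0A)
             + ber_int(0, tag=0x0A)            # derefAliases: neverDerefAliases
             + ber_int(size_limit)
             + ber_int(0)                      # timeLimit: none
             + tlv(0x01, b"\x00")              # typesOnly: FALSE
             + tlv(0x87, b"objectClass")       # filter: present [7] "objectClass"
             + tlv(0x30, b"".join(ber_str(a) for a in attrs)))
    return tlv(0x30, ber_int(msgid) + op)

# ---- minimal BER decoding ---------------------------------------------------
def read_tlv(buf, pos=0):
    """Return (tag, value, end) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def read_seq(payload):
    items, pos = [], 0
    while pos < len(payload):
        tag, val, pos = read_tlv(payload, pos)
        items.append((tag, val))
    return items

def parse_message(buf):
    """Decode one LDAPMessage into (messageID, protocolOp tag, fields)."""
    tag, body, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    (_, mid), (op_tag, op) = read_seq(body)[:2]         # optional controls ignored
    msgid = int.from_bytes(mid, "big", signed=True)
    if op_tag in (0x61, 0x65):                            # BindResponse / SearchResultDone
        code, _matched, diag = read_seq(op)[:3]
        return msgid, op_tag, {"resultCode": int.from_bytes(code[1], "big"),
                               "diagnostic": diag[1].decode(errors="replace")}
    if op_tag == 0x64:                                    # SearchResultEntry
        (_, dn), (_, attrlist) = read_seq(op)
        attrs = {}
        for _, attr in read_seq(attrlist):
            (_, name), (_, vals) = read_seq(attr)
            attrs[name.decode()] = [v.decode(errors="replace") for _, v in read_seq(vals)]
        return msgid, op_tag, {"dn": dn.decode(errors="replace"), "attrs": attrs}
    return msgid, op_tag, {}

# ---- network probe ----------------------------------------------------------
def exchange(sock, request, final_tags=(0x61, 0x65)):
    """Send one request; collect responses until the terminating message arrives."""
    sock.sendall(request)
    buf, out = b"", []
    while True:
        while len(buf) >= 2:
            _, _, end = read_tlv(buf)
            if end > len(buf):
                break                                     # message not fully received yet
            out.append(parse_message(buf[:end]))
            buf = buf[end:]
            if out[-1][1] in final_tags:
                return out
        chunk = sock.recv(65536)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk

def probe_anonymous(host, port=389, timeout=10):
    """Anonymous bind, read namingContexts from the root DSE, then try to read one
    real entry under each naming context (sizeLimit 1, '1.1' = return no attributes)."""
    report = {"anonymous_bind": False, "naming_contexts": [], "readable": {}}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        bind = exchange(sock, build_bind_request(1))[-1][2]
        report["anonymous_bind"] = bind.get("resultCode") == 0
        if not report["anonymous_bind"]:
            return report
        for _, tag, f in exchange(sock, build_search_request(2, "", 0, ["namingContexts"])):
            if tag == 0x64:
                report["naming_contexts"] = f["attrs"].get("namingContexts", [])
        for i, base in enumerate(report["naming_contexts"], start=3):
            msgs = exchange(sock, build_search_request(i, base, 2, ["1.1"], size_limit=1))
            report["readable"][base] = any(t == 0x64 for _, t, _ in msgs)
    return report

# Constructed sample (not a real capture): a BindResponse with resultCode success(0) for messageID 1.
SAMPLE_BIND_OK = bytes.fromhex("300c02010161070a010004000400")

if __name__ == "__main__":
    print(parse_message(SAMPLE_BIND_OK))       # (1, 97, {'resultCode': 0, 'diagnostic': ''})
    if len(sys.argv) > 1:                       # python ldap_raw_probe.py host[:port]
        host, _, port = sys.argv[1].partition(":")
        print(probe_anonymous(host, int(port or 389)))
```

Read the report as follows: `anonymous_bind` false means the server rejected the empty simple bind outright (typically resultCode 48 inappropriateAuthentication or 53 unwillingToPerform); `naming_contexts` non-empty with every `readable` value false is the normal state of a server that exposes only its root DSE; a `readable` value of true is the condition worth reporting, because unauthenticated clients can then enumerate the directory under that base.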