目錄

• 腳本源碼
• 用法
• 效果及示例

版本：Grey Hack v0.7.3618 - Alpha

---

腳本源碼

if params.len != 2 or params[0] == "-h" or params[0] == "--help" then exit("<b>Usage: "+program_path.split("/")[-1]+" [ip_address] [LAN_address]</b>") metaxploit = include_lib("/lib/metaxploit.so") if not metaxploit thenmetaxploit = include_lib(current_path + "/metaxploit.so") end if if not metaxploit then exit("Error: Can't find metaxploit library in the /lib path or the current folder")cryptools = include_lib("/lib/crypto.so") if not cryptools thencryptools = include_lib(current_path + "/crypto.so") end if if not cryptools then exit("Error: Can't find crypto.so library in the /lib path or the current folder")Flag_Bank_Mail = 0 Flag_User_Key = 0 Flag_User_Ask_Key = 0 Bank_Key = 0 Mail_Key = 0 User_Key = 0GetPassword = function(userPass)if userPass.len != 2 then returnpassword = cryptools.decipher(userPass[1])return password end functionAccessPasswdFile = function(result)print("Accesing to password file...")files = result.get_filesfor file in filesif file.name == "passwd" thenif not file.has_permission("r") then Flag_User_Key = 0return end if listUsers = file.get_content.split("\n")for line in listUsersuserPass = line.split(":")password = GetPassword(userPass)if not password then print("Nothing found...")elseprint("=> Deciphering user <b>" + userPass[0] + "</b> : <b>" + password + "</b>")end ifend forglobals.Flag_User_Key = 1if globals.Flag_Bank_Mail == 1 and globals.Flag_User_Key == 1 then exit("Done...")end ifend forprint("Error: /etc/passwd file not found. Program aborted"); end functionbankFound = false mailFound = falseAccessHomeFile = function(homeFolder)print("Accesing to Mail.txt files...\nSearching users...")folders = homeFolder.get_foldersfor user in foldersprint("User: " + user.name +" found...")subFolders = user.get_foldersfor subFolder in subFoldersif subFolder.name == "Config" thenfiles = subFolder.get_filesfor file in filesif file.name == "Bank.txt" thenglobals.Flag_Bank_Mail = 1if not file.has_permission("r") then print("failed. Can't access to file contents. Permission denied")if typeof(globals.Bank_Key) != "string" then globals.Bank_Key = user_input("Read Bank Password? [Y/N]\n")if globals.Bank_Key == "Y" or globals.Bank_Key == "y" or globals.Bank_Key == "Yes" or globals.Bank_Key == "yes" thenlistUsers = file.get_content.split("\n")for line in listUsersuserPass = line.split(":")password = GetPassword(userPass)if not password then print("Nothing found...")elseprint("=> Deciphering user <b>" + userPass[0] + "</b> : <b>" + password + "</b>")end ifend forend ifglobals.bankFound = trueelse if file.name == "Mail.txt" thenglobals.Flag_Bank_Mail = 1if not file.has_permission("r") then print("failed. Can't access to file contents. Permission denied")if typeof(globals.Mail_Key) != "string" then globals.Mail_Key = user_input("Read Mail Password? [Y/N]\n")if globals.Mail_Key == "Y" or globals.Mail_Key == "y" or globals.Mail_Key == "Yes" or globals.Mail_Key == "yes" thenlistUsers = file.get_content.split("\n")for line in listUsersuserPass = line.split(":")password = GetPassword(userPass)if not password then print("Nothing found...")elseprint("=> Deciphering user <b>" + userPass[0] + "</b> : <b>" + password + "</b>")end ifend forend ifglobals.mailFound = trueend ifend forend ifend forend forif not globals.mailFound then print("Mail file not found.")if not globals.bankFound then print("Bank file not found.")if folders.len == 0 then print("No users found. Program aborted") end functionaddress = params[0] net_session = metaxploit.net_use( address ) if not net_session then exit("Error: can't connect to net session") libKernel = net_session.dump_libprint("Founded " + libKernel.lib_name + " "+ libKernel.version)if not libKernel then exit("Error: TargetLib not found.")lanIp = params[1]exploits = metaxploit.scan(libKernel) for exploit in exploitsprint(exploit)result_lists = metaxploit.scan_address(libKernel, exploit).split("Unsafe check: ")[1:]for result_list in result_liststarget_str = result_list.split(".")[0]target_key = target_str.split(" ")[-1]result = libKernel.overflow(exploit, target_key[3:-4], lanIp)if(typeof(result) == "computer") thenif Flag_Bank_Mail == 0 thenhomeFolder = result.File("/home")if not homeFolder then print("Error: /home folder not found")elseuserFolders = homeFolder.get_foldersfounded_bank = falsefounded_mail = falseBank_Key = user_input("Read Banks Password? [Y/N]\n")if Bank_Key == "Y" or Bank_Key == "y" or Bank_Key == "Yes" or Bank_Key == "yes" thenfor userFolder in userFoldersbankFile = result.File("/home/" + userFolder.name + "/Config/Bank.txt")if not bankFile then continueif not bankFile.has_permission("r") then print("Error: can't read file contents. Permission deniend")breakend ifuserPass = bankFile.get_content.split(":")print("Deciphering bank password for user: " + userFolder.name)password = GetPassword(userPass)if not password then print("Nothing found...")elseprint("Bank account: <b>" + userPass[0] +"</b>\nBank Password: <b>" + password + "</b>")founded_bank = trueend ifend forelsefounded_bank = trueend ifMail_Key = user_input("Read Mails Password? [Y/N]\n")if Mail_Key == "Y" or Mail_Key == "y" or Mail_Key == "Yes" or Mail_Key == "yes" thenfor userFolder in userFoldersmailFile = result.File("/home/" + userFolder.name + "/Config/Mail.txt")if not mailFile then continueif not mailFile.has_permission("r") then print("Error: can't read file contents. Permission deniend")breakend ifuserPass = mailFile.get_content.split(":")print("Deciphering mail password for user: " + userFolder.name)password = GetPassword(userPass)if not password then print("Nothing found...")elseprint("Mail account: <b>" + userPass[0] +"</b>\nMail Password: <b>" + password + "</b>")founded_mail = trueend ifend forelsefounded_mail = trueend ifif founded_bank and founded_mail then Flag_Bank_Mail = 1end ifend ifif Flag_User_Key == 0 then if Flag_User_Ask_Key == 0 thenUser_Key = user_input("Read User Password? [Y/N]\n")Flag_User_Ask_Key = 1 end if if User_Key == "Y" or User_Key == "y" or User_Key == "Yes" or User_Key == "yes" thenfile = result.File("/etc/passwd")if not file then exit("Error: file /etc/passwd not found")if not file.has_permission("r") then continue if file.is_binary then exit("Error: invalid /etc/passwd file found.")Flag_User_Key = 1listUsers = file.get_content.split("\n")for line in listUsersuserPass = line.split(":")password = GetPassword(userPass)if not password then print("Nothing found...")elseprint("=> Deciphering user <b>" + userPass[0] + "</b> : <b>" + password + "</b>")end ifend forelseFlag_User_Key = 1end ifend ifif Flag_Bank_Mail == 1 and Flag_User_Key == 1 then exit("Done...")end ifend ifend for end for for exploit in exploitsprint(exploit)result_lists = metaxploit.scan_address(libKernel, exploit).split("Unsafe check: ")[1:]if Flag_User_Key == 0 then for result_list in result_liststarget_str = result_list.split(".")[0]target_key = target_str.split(" ")[-1]result = libKernel.overflow(exploit, target_key[3:-4], lanIp)if (typeof(result) == "file") thenprint("Obtained access to " + result.path)if Flag_Bank_Mail != 1 then if typeof(Bank_Key) != "string" and typeof(Mail_Key) != "string" then if result.path == "/home" thenAccessHomeFile(result)elseprint("Searching home folder...")while not result.path == "/"result = result.parentend whilefolders = result.get_foldersfor folder in foldersif folder.path == "/home" thenAccessHomeFile(folder)end ifend forend ifend ifend if if typeof(User_Key) != "string" then User_Key = user_input("Read User Password? [Y/N]\n")if User_Key == "Y" or User_Key == "y" or User_Key == "Yes" or User_Key == "yes" thenif Flag_User_Key != 1 then if result.path == "/etc" thenAccessPasswdFile(result)else print("Attempting to reach /etc folder...")while result.path != "/"result = result.parentend whilefolders = result.get_foldersfor folder in foldersif folder.path == "/etc" thenAccessPasswdFile(folder)end ifend forend if end if end ifend ifend for end if end forexit("Fail...")

用法

【腳本名】 【公網IP】 【局域網IP】

效果及示例

先檢測目標端口庫版本
再嘗試遍歷攻破漏洞以獲取password
視情況不同，可能得到游客、用戶或root權限
一般情況下，游客身份可獲取用戶的Bank Password及Mail Password及登錄名
用戶及root身份可獲得root的Password及各用戶的Password及登錄名

如圖，本案例中目標IP尚未開放常見端口

總結

以上是生活随笔為你收集整理的【 Grey Hack 】万金油脚本：从路由器获取Password的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。