a very fast brute force webshell password tool
Home Page: https://www.hackfun.org
License: GNU General Public License v3.0
Traceback (most recent call last):
File "cheetah.py", line 547, in
main()
File "cheetah.py", line 528, in main
attack_res = dict_attack(options)
File "cheetah.py", line 340, in dict_attack
if detect_web(options) == 'error':
File "cheetah.py", line 286, in detect_web
random_str = str(random.sample(string.printable, 5)).encode('hex')
LookupError: 'hex' is not a text encoding; use codecs.encode() to handle arbitrary codecs
请问打开之后闪退咋办
建议加个自动化代理功能,防止请求过多被waf封ip.
Tested it on python2
寻求一款可以自动实现扫描获取webshell,不求指定目标
已经测试了php和asp的shell,而且密码已经手工测试过,即使只将已知密码写入新的字典(只有这1条密码),也无法发现。更换get、post方式都无效。
C:\Users\Administrator\Desktop
python E:\Tool\cheetah-webshell\cheetah.py -u http://192.168.36.202/xm.php
______ _____ ______
__________ /_ _____ _____ __ /_______ ____ /_
_ / __ _ _ _ _ _ / __ \ __ __
/ / _ / / // // // / / /_/ / _ / / /
_/ / / /_/ _/ _/ _/ _/ / / //
// //
a very fast brute force webshell password tool.
[11:18:25] [INFO] the cheetah start execution
[11:18:25] [HINT] using POST request mode
[11:18:25] [HINT] setting request interval seconds 0
[11:18:25] [HINT] using dictionary-based password attack
[11:18:25] [INFO] cracking password of http://192.168.36.202/xm.php
[11:18:25] [WARN] not specify the web server or shell type
[11:18:25] [INFO] detecting server info of http://192.168.36.202/xm.php
Traceback (most recent call last):
File "E:\Tool\cheetah-webshell\cheetah.py", line 545, in
main()
File "E:\Tool\cheetah-webshell\cheetah.py", line 526, in main
attack_res = dict_attack(options)
File "E:\Tool\cheetah-webshell\cheetah.py", line 338, in dict_attack
if detect_web(options) == 'error':
File "E:\Tool\cheetah-webshell\cheetah.py", line 246, in detect_web
header = gen_random_header(options)
File "E:\Tool\cheetah-webshell\cheetah.py", line 127, in gen_random_header
with open('data/user-agent.list') as agent_file:
IOError: [Errno 2] No such file or directory: 'data/user-agent.list'
<?php assert($_POST[admin]);
assert 类型无法成功爆破
是不是加一个post传输参数的大门爆破呢!比如某大马m=admin,admin是密码会变话,admin就可以设置成字典,但是m,m可以有用户,或者自动获取m
对于https的网站可以使用cheetah进行爆破吗?
rt
[ERROR] Header value 1 must be of type str or bytes, not <class 'int'>
解决方案:
cheetah.py 138行中的 1 加个引号 :
'Upgrade-Insecure-Requests': '1'
[1;31m[14:41:45] [ERROR] HTTPConnectionPool(host='www.xx.ca', port=80): Read t
imed out. (read timeout=10)[0m
[1;32m[14:41:45] [INFO] the cheetah end execution[0m
正在 Ping xx.ca [168...80] 具有 32 字节的数据:
来自 168...80 的回复: 字节=32 时间=244ms TTL=110
来自 168...80 的回复: 字节=32 时间=243ms TTL=110
来自 168...80 的回复: 字节=32 时间=243ms TTL=110
来自 168...80 的回复: 字节=32 时间=244ms TTL=110
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.