利用Python多线程来测试并发漏洞

利用Python多线程来测试并发漏洞

需求介绍#

有时候想看看Web应用在代码或者数据库层有没有加锁，比如在一些支付、兑换类的场景，通过多线程并发访问的测试方式可以得到一个结论。

步骤#

1. Burp Suite安装插件#

安装一个Copy As Python-Requests插件，提高编码效率；

2. 拦截包并拷贝发包的代码#

打开一个文本编辑器，右键粘贴出来：

Copy

import requests burp0_url = "https://baidu.com:443/s?word=test123&tn=50000021_hao_pg&ie=utf-8&sc=UWd1pgw-pA7EnHc1FMfqnHRdnHfkP163PWD3PzuW5y99U1Dznzu9m1Y1rj0zPjRYP1Ds&ssl_sample=s_108&srcqid=2890185856410820647&H123Tmp=nu" burp0_cookies = {"BAIDUID": "DE39C3557AA883A517F3717D9ED1B346:FG=1", "BIDUPSID": "DE39C3557AA883A517F3717D9ED1B346", "PSTM": "1548660573", "BD_UPN": "13314352", "H_PS_PSSID": "1431_21111_18560_28585_26350_28519", "H_PS_645EC": "0701XLkxqPa8GpBa6wBJs%2BrZyNuhMOA%2FIRfHCR7YuUcETmxXSKm0g32CT0c", "delPer": "0", "BD_CK_SAM": "1", "PSINO": "1", "BDSVRTM": "142"} burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Referer": "https://hao123.com/", "Connection": "close", "Upgrade-Insecure-Requests": "1"}

requests.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies)

3. 运行Python多线程代码#

将生成的python代码粘贴到action( )函数里面即可；

Copy

import threading

import requests threads = []

def action(): burp0_url = "https://baidu.com:443/s?word=test123&tn=50000021_hao_pg&ie=utf-8&sc=UWd1pgw-pA7EnHc1FMfqnHRdnHfkP163PWD3PzuW5y99U1Dznzu9m1Y1rj0zPjRYP1Ds&ssl_sample=s_108&srcqid=2890185856410820647&H123Tmp=nu" burp0_cookies = {"BAIDUID": "DE39C3557AA883A517F3717D9ED1B346:FG=1", "BIDUPSID": "DE39C3557AA883A517F3717D9ED1B346", "PSTM": "1548660573", "BD_UPN": "13314352", "H_PS_PSSID": "1431_21111_18560_28585_26350_28519", "H_PS_645EC": "0701XLkxqPa8GpBa6wBJs%2BrZyNuhMOA%2FIRfHCR7YuUcETmxXSKm0g32CT0c", "delPer": "0", "BD_CK_SAM": "1", "PSINO": "1", "BDSVRTM": "142"} burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Referer": "https://hao123.com/", "Connection": "close", "Upgrade-Insecure-Requests": "1"} requests.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies)

if __name__ == '__main__': print("Threading ready:")

for i in range(0,100): t = threading.Thread(target=action) t.setDaemon(True) // 开启守护进程，如果宿主进程挂了，不用执行完全部线程任务也要立即结束。

 t.start() print("Threading ran end!")

4. 确认结果#

查看领取的结果是否有超过原本的数量，如果超过原本可领的数量，那就666了。

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。