爆破带有验证码认证的请求
- 本地ocr ddddocr
- 多线程
- 支持payload自定义二次处理(插件)2022.06.10更新
- 支持用id检查验证码的类型 2022.06.13更新
- 拉取和配置环境
git clone https://github.com/AbelChe/BlastWithCaptcha.git cd BlastWithCaptcha pip install -r requirements.txt -i https://pypi.tuna.tsinghua.edu.cn/simple- 请求文件
以账号密码登录认证为例
- blast.txt
从burpsuite等工具中复制登录的请求包到blast.txt
在get或post参数中标记需要爆破的参数位置,如下所示,爆破username password 以及验证码 validCode
使用$<index>$标记,注意这里需要按照index的顺序设置config.yaml字典列表的顺序
设置字典列表时,验证码位置忽略顺延即可
这里1 2 3位置的对应关系:1、2对应config.yml的target.WORDDICT_LIST,3对应target.CAPTCHA_INDEX
POST /api/login HTTP/1.1 Host: example.com.test Cookie: SESSION=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Content-Length: 61 Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102" Accept: application/json, text/plain, */* Content-Type: application/json;charset=UTF-8 Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Sec-Ch-Ua-Platform: "macOS" Origin: https://example.com.test Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://example.com.test/ Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6 Connection: close {"username":"$<1>$","password":"$<2>$","validCode":"$<3>$"} - captcha.txt
直接复制burpsuite中请求验证码的数据包即可
GET /captcha.jpg HTTP/1.1 Host: example.com.test Cookie: SESSION=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102" Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Sec-Ch-Ua-Platform: "macOS" Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://example.com.test/ Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6 Connection: close 另外,无需考虑blast.txt和captcha.txt的cookie对应关系,程序会自动生成新回话
- 配置
配置文件config.yml
system: PROXY: # 上行代理 例如 127.0.0.1:8080 REQUEST_RETRIES: 5 # requests 的重试 ONCETIME_THREAD_POOL_SIZE: 1 # 并发数 THREAD_POOL_SIZE: 10 # 线程池最大线程数 TRYAGAIN_TIMES: 3 # 验证码识别失败重试次数 USERAGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36 #自定义user-agent LFLAG: '$<' # 左标志符号 RFLAG: '>$' # 右标志符号 SSL_VERIFY: FALSE # requests verify配置,默认即可 ocr: CAPTCHA_REGEX: '.*(\w{4})' # 对ocr识别的结果进行提取 例如 .*(\w{4}) .*(\d{4}) (.*?) ...... CAPTCHA_REGEX_GETVALUE_INDEX: 1 # 搭配CAPTCHA_REGEX使用,获取其正则表达式结果位置,从1开始 target: BLAST: blast.txt # 爆破的请求文本文件,默认即可 CAPTCHA: captcha.txt # 验证码请求文本文件,默认即可 CAPTCHA_LENGTH: 4 # 验证码位数,用于鉴别ocr识别结果准确与否 例如4 6...... 设置为0的话则为不验证验证码位数 CAPTCHA_DATATYPE: CUSTOM # 验证码返回数据类型,可选择 原始图片:RAW base64编码:BASE64 自定义获取数据:CUSTOM CAPTCHA_CUSTOM_GETFLAG: 'code"\:"(.*?)"' # 搭配CAPTCHA_DATATYPE值为CUSTOM使用,正则表达式提取数据 CAPTCHA_ID_INDEX: 4 # 验证码id位置,标志位从1开始 CAPTCHA_ID_GETFLAG: '"codeId"\:"(.*?)"' # 提取验证码id的正则表达式 CAPTCHA_INDEX: 3 # 验证码的位置,标志位从1开始 WORDDICT_LIST: # 字典设置,需要注意顺序与BLAST文件中标记的顺序对应 - file: /Users/AbelChe/SecTools/worddicts/fuzzDicts/userNameDict/top500.txt # 字典文件位置 plugin: # payload插件配置 数组格式 留空即为使用字典原始数据 - ['upper'] - file: /Users/AbelChe/SecTools/worddicts/Blasting_dictionary/top100password.txt # 字典文件位置 plugin: # payload插件配置 数组格式 - ['md5'] # 格式为[插件名称(与plugins目录下文件名称对应), 参数1, 参数2, ......] 参数要与插件代码中的args=[]对应, 映射关系为 args=[参数1, 参数2, ......] - ['suffix', 'xxxxxxxxxx'] SSL: False # 使用https与否 CAPTCHA_ERROR_FLAG: # 判断验证码错误的文本标志,正则表达式 - 验证码错误 - 请输入正确验证码 - 验证码异常 CAPTCHA_ERROR_CODE: # 判断验证码错误的状态码 - 500 - 502 - 403 LOGIN_ERROR_FLAG: # 判断认证失败的标志,正则表达式 - 账号不存在或密码错误 LOGIN_ERROR_CODE: # 判断认证失败的状态码 LOGIN_SUCCESS_FLAG: # 判断登录成功的文本标志,正则表达式 - 登录成功 LOGIN_SUCCESS_CODE: # 判断登录成功的状态码 关于插件:
类似burp爆破的payload processing,可以自定义,使用方法见上方target.WORDDICT_LIST的解释,插件目录为plugins/
自定义插件:
如下代码为添加前缀(如果你写过sqlmap tamper插件,那你也应该会写这个):
class PayloadProcessor: # 类名称不要更改 name = __name__ # 不用修改 description = '添加前缀' # 插件描述 def __init__(self, payload, args=[]): # 不用修改 self.payload = payload # 不用修改 self.args = args # 不用修改 从config.yml的target.WORDDICT_LIST[1].get('plugin')[1]传进来的, 故这里args值为['XXXXXX'] def __str__(self): # 不用修改 return self.name # 不用修改 def genterPatload(self): # 不用修改 #>>>>>>>>>>>>自定义代码段>>>>>>>>>>>>> try: # return 返回payload字符串即可 return self.args[0] + self.payload except Exception as e: print(e) #<<<<<<<<<<<<自定义代码段<<<<<<<<<<<<<- 启动
需要python>=3.7
python BlastWithCaptcha.py- 结果
如果有爆破成功的,会保存到BlastWithCaptchaResult.txt中
参考使用方法-初始
以如下数据包为例:
- captcha.txt
POST /captcha HTTP/1.1 Host: example.test.com Content-Length: 2 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Content-Type: application/json Accept: */* Origin: http://example.test.com Referer: http://example.test.com/ Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6 Connection: close {} 返回内容:
HTTP/1.1 200 Server: nginx/1.21.4 Date: Mon, 13 Jun 2022 03:38:54 GMT Content-Type: application/json Connection: close Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers Access-Control-Allow-Origin: * Set-Cookie: JSESSIONID=XXXXXXXXXXXXXXXXXXXXXXXXX; Path=/; HttpOnly Content-Length: 1186 {"code":200,"msg":"成功","data":{"codeId":"20ebd4da6fbf43e5a12c0ffdfb04049c","code":"iVBORw0KGgoAAAANSUhEUgAAAMgAAABkCAIAAABM5OhcAAAC/UlEQVR42u3csW1UQRAGYHdD4giJjCZIEQ3QgGNESAuERAROCKjBBSACeqACEiydZCEffre3t/M8s/tJf7zS3n2adzs7967uftxMkxfXL5/KTNsskSuwBCywwAILLLAELLDA2kXMziEGLLDAAgsssAQssMACCyywRB8LCLDAAmuffLj90xiwwBqG6ThggTXSE1hgRZECC6woVWCBFaIKLLBCVIEFVk8roWUpsFaHNcSTBilY58FarfN+/e5tdJaAFaQKLLBCVIEFFlhggQVWCVhxqsACCyywwAILrJlgaZCCBRZYYIFVCNbrN6+2AxZYIz01CgMLrE5P27zAAmuAqmNeYC0NayCpR7bA2nXOONVocoSqB1tgLQorTtUhYK0I65LjHlhghTSoGtcBay1Yo1SdXA2s7LA2bA2HNXBBsArDOtfWcFUby4KVvY91d+qlkkNgDT9gglUeVqOtIFVPLQ5WAVhDbIEFVg+sbWEbqoKa+GDNBuu/iYZ1bCvz6DpYY2xtHwafHVYhZHPC6rZVCFZyYdPC6rN1UlVCWDl5zQyrg1ddWNl4zQ+rnVfLczA5rDy2loD1+9fHf9MHa+d5rOq8VqlYGQb6uke7KtoCqwCsbmRggXXerVF+W2CVhNXOCyyweu6509oCqzastLbACp8a3SFggfU8tsACa5KiBdYksLIVLbDAAoutOrbAAgsssMCaEpamwyqwvn75dB9FC6yQijWWV+miBdb4R+GB1+XCwAIrSlhdW2DF/nj/+f3bfbp5RcwggDXPqfDA6yCsiq0LlwVr13bDg7CI8azhJ4Y57qHX6mOdyytuOm9jfXeFVRuk7QUsYv4zrgSClaXz3iIs/2iyeay8VzqpeJkgnfCuMIMtM+9rwdqN1wSqwMrFK6JWgVUJ1kBel3zx/gk9J6whDdVuBF4KsgqssVXnEk9ggXUT8da1Fd+PJTvAyrAvsGaDlWRfYE0FK8++wJoEVrZ9gVWeV84dgVXSWf4tgCVgSV1Y7z/fbsTnJY35C6jt8+lW0RYQAAAAAElFTkSuQmCC"}} - blast.txt
POST /login HTTP/1.1 Host: example.test.com Content-Length: 114 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Content-Type: application/json Accept: */* Origin: http://example.test.com Referer: http://example.test.com/ Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6 Connection: close {"user":"$<1>$","passwd":"$<2>$","code":"$<3>$","codeId":"$<4>$"} - config.yml
config.yml对应部分如下
target: CAPTCHA_LENGTH: 4 # 验证码位数 CAPTCHA_DATATYPE: CUSTOM # 验证码返回数据类型,可选择 原始图片:RAW base64编码:BASE64 自定义获取数据:CUSTOM CAPTCHA_CUSTOM_GETFLAG: 'code"\:"(.*?)"' # 提取验证码base64内容 CAPTCHA_ID_INDEX: 4 # 验证码id位置,$<4>$ CAPTCHA_ID_GETFLAG: '"codeId"\:"(.*?)"' # 提取验证码id的正则表达式 CAPTCHA_INDEX: 3 # 验证码的位置,$<3>$
- 插件(类似burp爆破的payload processing)2022.06.10
- 带有id的验证码 2022.06.13
- GUI