Feeling lonely as snow, so I am writing a blog post to share a bit. # Although I still have not finished the previous blog post
Scanning SVN for weak passwords looks very complex, but it is in fact very simple. Unlike the Pymssql/mymssql case, where Python provides a very useful package, there is no ready-made package here, but once the principle is understood it is very simple.
0x00 Basic concepts
The first thing to know is the authentication method as shown:
This involves HTTP authentication; for details, see http://blog.csdn.net/samlei/article/details/5485305
SVN uses the simplest scheme, Basic Auth. Basic Auth is widely used, for example by phpMyAdmin's HTTP authentication mode, the basic-auth plug-in for the Node.js Express framework, and so on.
0x10 Determine whether the current request requires authentication
If the current request requires authentication, the browser pops up a login window as shown. How can a script make the same determination? By checking the HTTP response headers:

    import requests

    # verify=False disables TLS certificate verification for this request
    res = requests.get('https://test.com/myspace', verify=False)
    print(res.headers)

You can see that the following field is included in the header:
    'www-authenticate': 'Basic realm="Subversion"'
0x20 How to authenticate
There are two methods for Basic-auth:
1. Add an Authorization header to the HTTP request
    Authorization: Basic <Base64-encoded user name and password>
2. Add the user name and password to the URL
    http://user:password@url
0x30 The authentication module in Python requests
While looking up information for this post, I found that the excellent requests library, unexpectedly, already contains an authentication module. # Although the authentication methods mentioned in 0x20 are also very simple.

    import requests
    from requests.auth import HTTPBasicAuth

    r = requests.get('https://httpbin.org/hidden-basic-auth/user/passwd', auth=HTTPBasicAuth('user', 'passwd'))
    # r = requests.get('https://httpbin.org/hidden-basic-auth/user/passwd', auth=('user', 'passwd'))  # Shorthand
    print(r.json())

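0x40 Final code

    import requests
    from colorama import Fore  # assumption: Fore is colorama's colour helper

    result_list = []  # accepted [user, password] pairs; defined elsewhere in the original script

    # Method of the scanner class (the rest of the class is not shown in the post).
    def svn_busrt(self, url, user, password):
        try:
            # Credentials embedded in the URL are sent by requests as a Basic Authorization header.
            res = requests.get('https://' + user + ':' + password + '@' + url, verify=False, timeout=30)
        except Exception as e:
            print(Fore.RED + "Connection Error")
            self.count += 1
            return
        # 200 means the server accepted the credentials
        if res.status_code == 200:
            print(Fore.GREEN + "[+] success!%s\t%s:%s" % (url, user, password))
            result_list.append([user, password])
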
SVN weak password scan (Python)
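
Seen from the server side, the scan in 0x40 leaves a run of 401 responses that carry a user name, possibly followed by a 200. The following detection sketch is an added example, not code from the original post. It assumes the repository is served by Apache httpd with the "combined" access log format; the function name, the threshold and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
# Apache records the supplied user name in %u even when the status is 401.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = """\
203.0.113.7 - admin [10/Mar/2024:02:14:01 +0000] "GET /myspace HTTP/1.1" 401 381 "-" "python-requests/2.31.0"
203.0.113.7 - svn [10/Mar/2024:02:14:01 +0000] "GET /myspace HTTP/1.1" 401 381 "-" "python-requests/2.31.0"
203.0.113.7 - test [10/Mar/2024:02:14:02 +0000] "GET /myspace HTTP/1.1" 401 381 "-" "python-requests/2.31.0"
203.0.113.7 - dev [10/Mar/2024:02:14:02 +0000] "GET /myspace HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
198.51.100.20 - - [10/Mar/2024:09:00:10 +0000] "OPTIONS /myspace HTTP/1.1" 401 381 "-" "SVN/1.14.2"
198.51.100.20 - alice [10/Mar/2024:09:00:11 +0000] "OPTIONS /myspace HTTP/1.1" 200 190 "-" "SVN/1.14.2"
"""

def find_basic_auth_guessing(lines, min_failures=3):
    """Return {ip: report} for clients with at least min_failures 401 responses
    to requests that carried credentials. report["succeeded_as"] names the
    account that logged in after the failures, i.e. the password to rotate."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "succeeded_as": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        if m["user"] == "-":
            continue  # no credentials sent: the ordinary first 401 challenge
        entry = stats[m["ip"]]
        if m["status"] == "401":
            entry["failures"] += 1
            entry["users"].add(m["user"])
        elif m["status"].startswith("2") and entry["failures"] >= min_failures:
            entry["succeeded_as"] = m["user"]  # guessing ended in a valid login
    return {ip: e for ip, e in stats.items() if e["failures"] >= min_failures}

if __name__ == "__main__":
    for ip, e in find_basic_auth_guessing(SAMPLE_LOG.splitlines()).items():
        print(ip, e["failures"], sorted(e["users"]), e["succeeded_as"])
```

The legitimate client in the sample (one unauthenticated 401 challenge, then a successful login) is not reported, because challenges without credentials are not counted as failures.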