Burpsuit中文处理及暴力破解应用
BURPSUIT目前我们在渗透测试中,经常会用到密码爆破这个功能项,常用的密码爆破的工具之一是BURPSUIT 。遇到中文用户名的时候,很多同学不清楚需要转换字符编码的操作。下面我来演示下中文用户名的密码爆破,先贴2段测试用的代码。<!-- login.html --><!DOCTYPE html><html> <head> <meta charset="utf-8" /> <title></title> </head> <body> <form action="login.php" method="post"> 账号:<input name="uname"/><br /> 密码:<input name="pwd"/><br /> <input type="submit"/> </form> </body></html><!-- login.php --><!DOCTYPE html><html> <head> <meta charset="utf-8" /> <title></title> </head> <body><?php /*接收用户输入*/ $uname = $_POST['uname']; $pwd = $_POST['pwd']; if($uname == "管理员" && $pwd == "123456"){ echo '登录成功'; } else{ echo '账号或密码错误'; }?></body></html>
登录页面https://xzfile.aliyuncs.com/media/upload/picture/20200529191144-2e16f04a-a19d-1.png抓包并发送到intruder模块https://xzfile.aliyuncs.com/media/upload/picture/20200529191212-3ee0faec-a19d-1.png选择Pitchforkhttps://xzfile.aliyuncs.com/media/upload/picture/20200529191242-50ad03a6-a19d-1.png新建一个html文件https://xzfile.aliyuncs.com/media/upload/picture/20200529191300-5b353be0-a19d-1.png用文本编辑器打开,写入”管理员”三个字https://xzfile.aliyuncs.com/media/upload/picture/20200529191323-6929a3da-a19d-1.png转换字符https://xzfile.aliyuncs.com/media/upload/picture/20200529191356-7cbceeb6-a19d-1.png转换后的“管理员”字符https://xzfile.aliyuncs.com/media/upload/picture/20200529191415-88741022-a19d-1.png将转换过的字符复制进列表https://xzfile.aliyuncs.com/media/upload/picture/20200529191431-91e3337c-a19d-1.png匹配成功!https://xzfile.aliyuncs.com/media/upload/picture/20200529191452-9e86c54e-a19d-1.png
页:
[1]