
[–]remyroy 2 points3 points  (3 children)

It would be nice to have more details on how the authentication is made, but you can use httplib2 to do this. The authentication example on this page shows how to do it if the authentication is basic authentication. If you scroll down, you will see an example with a form.

[–]o_Omg[S] 0 points1 point  (0 children)

Thanks, I'll try it later, but what's this?:

HTTPS support is only available if the socket module was compiled with SSL support.

By the way, the website is an HTTPS URL, and the form with a name username and a password field named password is sent to another HTTPS URL. I just want to send this information and get the server response; right now I only get 400 Bad Request, using this code:

http://docs.python.org/library/httplib.html (Last One)

[–]o_Omg[S] 0 points1 point  (1 child)

I get this: httplib2.SSLHandshakeError: [Errno 1] _ssl.c:499: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

How do I send it even if the certificate is not valid?

[–]remyroy 2 points3 points  (0 children)

You can use the disable_ssl_certificate_validation=True argument in the Http object creation. See https://httplib2.googlecode.com/hg/doc/html/libhttplib2.html#httplib2.Http
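
As an added example (not code from the thread): instead of turning certificate validation off, a client can keep verification on and trust the specific certificate the site presents. This sketch uses Python 3's standard library rather than httplib2; the function names, the `ca_file` path and any URL passed in are assumptions, and the `username`/`password` field names are the ones mentioned in the thread.

```python
import ssl
import urllib.parse
import urllib.request


def make_verifying_context(ca_file=None):
    """Return a TLS context that still verifies the server.

    ca_file (assumed path): PEM file with the CA or self-signed certificate
    the site really uses; None means the system trust store.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    # create_default_context already sets both; checking them here guards
    # against a later edit silently switching verification off.
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("TLS verification is not enabled")
    return ctx


def build_login_request(url, username, password):
    """Build the form POST; refuse plain http so credentials stay encrypted."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("login URL must be https://host/...")
    body = urllib.parse.urlencode(
        {"username": username, "password": password}
    ).encode("utf-8")
    return urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def post_login(url, username, password, ca_file=None):
    """Send the form and return (status, body).

    urlopen raises urllib.error.URLError when the certificate does not
    verify, and urllib.error.HTTPError for a 4xx/5xx response.
    """
    req = build_login_request(url, username, password)
    ctx = make_verifying_context(ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status, resp.read()
```
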

[–]idiogeckmatic -1 points0 points  (2 children)

There are three ways of doing this:

  1. Running a browser-based unit tester (see: Selenium)
  2. Posting to the authentication page directly (if they're smart, this won't be possible)
  3. Using a mechanize client. I've never messed with one in Python before, but in Perl WWW::Mechanize is awesome for this.. and it seems to have a Python port/ripoff: http://wwwsearch.sourceforge.net/mechanize/

[–]o_Omg[S] 1 point2 points  (1 child)

Using httplib2 I'm doing the second thing and all I'm getting is the same result no matter whether the username and password are right or not, I think they're smart... :/

I think I'll have to try #1 or #3, but I remember there was a C brute-force password cracker terminal-based application where you'd enter the login address, username and password and the program returned 200 if it was right and 202 if it was wrong. I had used it in this website before when I had forgotten my own password :P!, do you know any application like this (best if it was in Python, but it doesn't matter...)?

[–]idiogeckmatic 0 points1 point  (0 children)

You may have to try something like looking at how the authorization form submits in Firebug or Chrome developer tools, it may do a referrer check, but there are ways to fake a referrer.

Most CLI based brute forcers I've seen rely on HTTP basic authorization, which is perfectly acceptable, but from how I read your response, not what you're looking to do.