Brute force guess the pin website with python

Time:08-13

So I have this project I'm working for that wants me to use the 'requests' library and, via the requests library, send a bunch of numbers (range(1000, 9999)) and see which one is the correct one. Now I have two problems; let me show the code first:

import requests


def brute_force(guess):

  s = requests.Session()
  payload = {'guess' : guess}
  res = s.post('https://www.guessthepin.com/prg.php', data=payload)
  print(str(res.content)) 
  

brute_force(3201)

Now my first problem is that I couldn't find a way to iterate through 1000 to 10000 and put it in 'guess'.

And the second problem is that even if I found a way to brute force it, it would be so hard to know if I've found the right number, because whenever I run the script the output is


And I tried, the output changes every second so I can't do this:

if res.content == the output above:
  continue

So can you please help me with my two problems? I would appreciate it.

CodePudding user response:

To brute-force it with the help of the multiprocessing module (the PIN changes automatically once guessed right):

import requests
from tqdm import tqdm
from multiprocessing import Pool

url = "https://www.guessthepin.com/prg.php"


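def guess(num):
    # POST one guess; requests follows the redirect, so r.url is the final page.
    r = requests.post(url, data={"guess": str(num)})
    return num, r.url


if __name__ == "__main__":

    with Pool(32) as pool:
        # Named final_url so the module-level url used by guess() is not overwritten.
        for num, final_url in pool.imap_unordered(guess, tqdm(range(1000, 10_000))):
            # A wrong guess lands back on the home page; anything else is the hit.
            if final_url != "https://www.guessthepin.com/":
                break

    print(num, final_url)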

Prints (for example):

 35%|█████████████████████████████                   | 3128/9000 [00:42<01:19, 74.08it/s]
2891 https://www.guessthepin.com/index.php?id=785&pin=2891

CodePudding user response:

import requests

def brute_force(guess: str):
  payload = {'guess': guess}
  response = requests.post('https://www.guessthepin.com/prg.php', data=payload)
  return "is not the PIN" not in response.text

for pin in range(1000, 10000):
  if not brute_force(str(pin)):
    continue

  print(f"The PIN is: {pin}")
  break

  • Edit 1: string conversion is probably not needed, but I'm kinda too lazy to check if it accepts both numbers and strings.
  • Edit 2: you probably should create one requests session and reuse it in every brute_force call, so it'll speed things up a bit.
  • Edit 3: Yes, in such cases you should use some parallel computations to speed things like a lot a lot, so probably use the multiprocessing module as shown in the other answer, or some asyncio / aiohttp approach; my answer is only focusing on the simplest solution.
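
Seen from the server side, both answers produce the same signature: one client sending many POSTs to /prg.php in a short time (about 74 per second in the first answer's output). The following is an added example, not code from the thread or from the site, showing a sliding-window check over access-log lines that flags such a client; the log format, the IP addresses, the 302 status and the limit of 20 guesses per 60 seconds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Assumed common-log-style line: client IP, [timestamp], "METHOD path protocol".
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)

def flag_guessers(lines, path="/prg.php", limit=20, window=timedelta(seconds=60)):
    """Return {ip: peak count} for clients that POST to `path` more than
    `limit` times inside any sliding `window`."""
    recent = defaultdict(deque)    # ip -> guess timestamps still inside the window
    peak = defaultdict(int)        # ip -> largest window population seen
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST" or m["path"] != path:
            continue               # skip malformed lines and unrelated traffic
        ts = datetime.strptime(m["ts"], TS_FMT)
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # expire guesses older than the window
            q.popleft()
        peak[m["ip"]] = max(peak[m["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n > limit}

def sample_log():
    """Constructed access-log lines, not captured from any real server."""
    base = datetime.strptime("13/Aug/2022:10:00:00 +0000", TS_FMT)
    fmt = '{ip} - - [{ts}] "POST /prg.php HTTP/1.1" 302 512'
    lines = []
    for i in range(120):           # scripted client: 4 guesses/second for 30 s
        ts = (base + timedelta(seconds=i // 4)).strftime(TS_FMT)
        lines.append(fmt.format(ip="198.51.100.7", ts=ts))
    for i in range(8):             # human visitor: one guess every 15 s
        ts = (base + timedelta(seconds=15 * i)).strftime(TS_FMT)
        lines.append(fmt.format(ip="203.0.113.9", ts=ts))
    lines.append('203.0.113.9 - - [13/Aug/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 9000')
    lines.append("garbage line")
    return lines

if __name__ == "__main__":
    print(flag_guessers(sample_log()))
```

A per-IP counter like this misses guesses spread across many addresses, so a counter keyed on the PIN being guessed (attempts since it was last reset) is a useful second signal.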