Detect form improvements

0bb49931 · Marcin Bury · ef3449a9 · 0bb49931 · 0bb49931
Commit 0bb49931 authored Oct 29, 2016 by Marcin Bury
Show whitespace changes
Inline Side-by-side

Showing with 73 additions and 24 deletions

http_form_bruteforce.py routersploit/modules/creds/http_form_bruteforce.py +36 -12

http_form_default.py routersploit/modules/creds/http_form_default.py +37 -12

No files found.
--- a/routersploit/modules/creds/http_form_bruteforce.py
+++ b/routersploit/modules/creds/http_form_bruteforce.py
@@ -140,26 +140,50 @@ class Exploit(exploits.Exploit):
        r = requests.get(url, verify=False)
        soup = BeautifulSoup(r.text, "lxml")

-        form = soup.find("form")
+        forms = soup.findAll("form")

-        if form is None:
+        if forms is None:
            return None

+        res = []
+        action = None
+        user_name_list = ["username", "user", "user_name", "login", "username_login", "nameinput", "uname", "__auth_user", "txt_user", "txtusername"]
+        password_list = ["password", "pass", "password_login", "pwd", "passwd", "__auth_pass", "txt_pwd", "txtpwd"]
+        found = False
+
+        for form in forms:
+            tmp = []
+
+            if not len(form):
+                continue
+
            action = form.attrs.get('action', None)
+            if action and not action.startswith("/"):
+                action = "/" + action

-        if len(form) > 0:
-            res = []
            for inp in form.findAll("input"):
-                if 'name' in inp.attrs.keys():
-                    if inp.attrs['name'].lower() in ["username", "user", "login", "username_login"]:
-                        res.append(inp.attrs['name'] + "=" + "{{USER}}")
-                    elif inp.attrs['name'].lower() in ["password", "pass", "password_login"]:
-                        res.append(inp.attrs['name'] + "=" + "{{PASS}}")
+                attributes = ["name", "id"]
+
+                for atr in attributes:
+                    if atr not in inp.attrs.keys():
+                        continue
+
+                    if inp.attrs[atr].lower() in user_name_list and inp.attrs['type'] != "hidden":
+                        found = True
+                        tmp.append(inp.attrs[atr] + "=" + "{{USER}}")
+                    elif inp.attrs[atr].lower() in password_list and inp.attrs['type'] != "hidden":
+                        found = True
+                        tmp.append(inp.attrs[atr] + "=" + "{{PASS}}")
                    else:
                        if 'value' in inp.attrs.keys():
-                            res.append(inp.attrs['name'] + "=" + inp.attrs['value'])
-                        else:
-                            res.append(inp.attrs['name'] + "=")
+                            tmp.append(inp.attrs[atr] + "=" + inp.attrs['value'])
+                        elif inp.attrs['type'] not in ("submit", "button"):
+                            tmp.append(inp.attrs[atr] + "=")
+
+                if found:
+                    res = tmp
+
+        res = list(set(res))
        return (action, '&'.join(res))

    def target_function(self, running, data):

--- a/routersploit/modules/creds/http_form_default.py
+++ b/routersploit/modules/creds/http_form_default.py
@@ -87,6 +87,7 @@ class Exploit(exploits.Exploit):
        else:
            self.data = self.form

+        print_status("Attacking: ", self.path)
        print_status("Using following data: ", self.data)

        # invalid authentication
@@ -133,26 +134,50 @@ class Exploit(exploits.Exploit):
        r = requests.get(url, verify=False)
        soup = BeautifulSoup(r.text, "lxml")

-        form = soup.find("form")
+        forms = soup.findAll("form")

-        if form is None:
+        if forms is None:
            return None

+        res = []
+        action = None
+        user_name_list = ["username", "user", "user_name", "login", "username_login", "nameinput", "uname", "__auth_user", "txt_user", "txtusername"]
+        password_list = ["password", "pass", "password_login", "pwd", "passwd", "__auth_pass", "txt_pwd", "txtpwd"]
+        found = False
+
+        for form in forms:
+            tmp = []
+
+            if not len(form):
+                continue
+
            action = form.attrs.get('action', None)
+            if action and not action.startswith("/"):
+                action = "/" + action

-        if len(form) > 0:
-            res = []
            for inp in form.findAll("input"):
-                if 'name' in inp.attrs.keys():
-                    if inp.attrs['name'].lower() in ["username", "user", "login", "username_login"]:
-                        res.append(inp.attrs['name'] + "=" + "{{USER}}")
-                    elif inp.attrs['name'].lower() in ["password", "pass", "password_login"]:
-                        res.append(inp.attrs['name'] + "=" + "{{PASS}}")
+                attributes = ["name", "id"]
+
+                for atr in attributes:
+                    if atr not in inp.attrs.keys():
+                        continue
+
+                    if inp.attrs[atr].lower() in user_name_list and inp.attrs['type'] != "hidden":
+                        found = True
+                        tmp.append(inp.attrs[atr] + "=" + "{{USER}}")
+                    elif inp.attrs[atr].lower() in password_list and inp.attrs['type'] != "hidden":
+                        found = True
+                        tmp.append(inp.attrs[atr] + "=" + "{{PASS}}")
                    else:
                        if 'value' in inp.attrs.keys():
-                            res.append(inp.attrs['name'] + "=" + inp.attrs['value'])
-                        else:
-                            res.append(inp.attrs['name'] + "=")
+                            tmp.append(inp.attrs[atr] + "=" + inp.attrs['value'])
+                        elif inp.attrs['type'] not in ("submit", "button"):
+                            tmp.append(inp.attrs[atr] + "=")
+
+                if found:
+                    res = tmp
+
+        res = list(set(res))
        return (action, '&'.join(res))

    def target_function(self, running, data):