Simple script to extract historical shipping data from an uruguayan courier's website (Exur)
⚠ WARNING: this was reported to Exur and they fixed it in August 2021.
This was made with no malicious intent. It was made only for research purposes, a bit of fun, and honest concern for a website I personally use. It shouldn't be used to extract any real data from this or any other website. Feel free to use or modify it at your own risk.
The purpose of this work was to show the dangers of a poorly configured web application. The flaw was reported to the owners, so it shouldn't be exploitable anymore.
Exur's website has a lot of frontend logic that belongs in the backend. It relies on JavaScript for many validations and for redirects to other pages within the platform, which means the client decides what a user may see instead of the server.
My main findings are briefly described below.
When you open your shipments page, you get a list of your shipping numbers. Clicking any of them opens a page with all its details (all your personal information, payment information, tracking status and more). You are seemingly redirected to https://www.exurenvios.com/Sistema/Consulta-envio-detalle-completo-cliente.aspx, but in reality the browser first loads https://www.exurenvios.com/Sistema/Consulta-envio-detalle-completo-redirect.aspx?CodEnvio={NUMBER}, and only then is your shipping number hidden from the URL.
Yes, you guessed correctly: the server never checks that the shipping belongs to the logged-in user (a classic insecure direct object reference), so you can view ANY shipping number, not just your own, as long as you have a valid session token (in other words, any valid logged-in account).
Shipping numbers are just sequential IDs with no encryption or even an obscure encoding. If you're a math connoisseur like myself, you can easily guess the next shipping number with this complex calculation: n + 1 (or n - 1 for the previous shipping).
The web servers have no rate limit on shipping requests, so you can fire GET and POST requests for as long as you want, as fast as you can.
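The three findings above (unchecked CodEnvio, sequential IDs, no rate limit) leave a very recognisable footprint in server logs. The following is an added example, not code from this repository, showing how a defender could flag it: it assumes a request log with a timestamp, session identifier, method and path (the sample lines are constructed, not real Exur logs), and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real Exur logs): "<timestamp> <session> <method> <path>"
SAMPLE_LOG = """\
2021-06-01T10:00:00 sess-A GET /Sistema/Consulta-envio-detalle-completo-redirect.aspx?CodEnvio=1024597
2021-06-01T10:00:01 sess-A GET /Sistema/Consulta-envio-detalle-completo-redirect.aspx?CodEnvio=1024598
2021-06-01T10:00:01 sess-A POST /Sistema/Consulta-envio-detalle-completo-redirect.aspx?CodEnvio=1024599
2021-06-01T10:00:02 sess-A GET /Sistema/Consulta-envio-detalle-completo-redirect.aspx?CodEnvio=1024600
2021-06-01T10:00:02 sess-A GET /Sistema/Consulta-envio-detalle-completo-redirect.aspx?CodEnvio=1024601
2021-06-01T10:05:00 sess-B GET /Sistema/Consulta-envio-detalle-completo-redirect.aspx?CodEnvio=1300000
2021-06-01T10:09:00 sess-B GET /Sistema/Consulta-envio-detalle-completo-redirect.aspx?CodEnvio=1300412
"""

# Only the detail-redirect page with its CodEnvio parameter is of interest.
LINE_RE = re.compile(
    r"^(\S+) (\S+) (GET|POST) \S*Consulta-envio-detalle-completo-redirect\.aspx\?CodEnvio=(\d+)$"
)


def parse_log(text):
    """Return {session: [(timestamp, CodEnvio), ...]} for detail-page requests."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits[m.group(2)].append((datetime.fromisoformat(m.group(1)), int(m.group(4))))
    return hits


def find_enumerators(hits, min_run=4, window_s=60, max_per_window=3):
    """Flag sessions walking CodEnvio by +/-1, or exceeding max_per_window hits in window_s (assumed thresholds)."""
    flagged = {}
    for sess, reqs in hits.items():
        reqs.sort()  # chronological order
        run = longest = 1
        for (_, a), (_, b) in zip(reqs, reqs[1:]):
            run = run + 1 if abs(b - a) == 1 else 1  # consecutive IDs = n + 1 / n - 1 pattern
            longest = max(longest, run)
        # Largest number of requests inside any window_s-second window starting at a request.
        burst = max(sum(1 for t2, _ in reqs if 0 <= (t2 - t).total_seconds() <= window_s) for t, _ in reqs)
        reasons = []
        if longest >= min_run:
            reasons.append(f"sequential run of {longest}")
        if burst > max_per_window:
            reasons.append(f"{burst} requests in {window_s}s")
        if reasons:
            flagged[sess] = reasons
    return flagged
```

Running `find_enumerators(parse_log(SAMPLE_LOG))` flags only `sess-A`; `sess-B` looks at two unrelated shippings minutes apart, which is what a legitimate customer does.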
Based on those findings, you can easily write a script (or "exploit") to automate the task of getting any shipping's details, which is exactly what this repository is about. The Python code is fairly self-explanatory, so I won't get too technical here. Feel free to contact me if you have any questions.
Basically, `exur.py` handles a session and exposes some methods to get shipping data, and `exploit.py` creates a bunch of threads, each of which requests a range of shipping numbers and saves their details in a CSV file.
Below are the steps to run it yourself.
Good ol' `pip install -r requirements.txt`
Rename `.env.tmp` to `.env` and modify it accordingly, specifically `EXUR_USERNAME` and `EXUR_PASSWORD`.
```ini
EXUR_USERNAME = "CHANGEME"
EXUR_PASSWORD = "CHANGEME"
EXUR_SHIPPING_START = 1024597
EXUR_SHIPPING_END = 1484206
EXUR_THREADS = 3
EXUR_CSV_FILE = "data/data%s.csv"
EXUR_CSV_SEPARATOR = ";"
EXUR_ENCODING = "UTF-8"
```
`python exploit.py`
This could take a while, depending on the defined shipping range, threads, computing power and so on.
Once it's done, you'll see a bunch of `.csv` files in your `data` folder. They have no header row, but here are the column names for reference, followed by a sample (fake) row. Note that the header lists 18 names while each row carries 20 fields; the 19th field holds the delivery status string and the last one is empty in the sample.
```
number;sender_name;sender_address;sender_city;sender_phone;sender_mobile;recipient_name;recipient_address;recipient_city;recipient_phone;recipient_mobile;way_to_pay;payment_method;shipping_weight;total;bill_number;declared_value;customs_declaration
"1111111";"SOME NAME (ID)";"1111 RANDOM STREET";"New Jersey Belleville";"Tel.: 999 759 6666";"";"SOME EXUR CLIENT NAME (EXUR ID)";"FAKE ADDRESS 6666";"Montevideo Montevideo";"Tel.: 2666 6666";"Cel.: 099 999 999";"PRE-PAGO";"PAGO EN EFECTIVO";"1 Lbs";"10.00";"0";"1.00";"";"OK: Entregado al Cliente";""
```
GNU GPL v3