Add multi-threading support

Open fernando24164 opened this issue 7 years ago • 8 comments

Hi,

I added a ThreadPoolExecutor when the brute method is called. I tested it and it seems to work like the master branch.

fernando24164 avatar Nov 19 '17 18:11 fernando24164

Thanks for the contribution mate. I will merge it if it works as expected. If there's any error or other problem I will let you know. Regards!

s0md3v avatar Nov 21 '17 17:11 s0md3v

Hi, I tested your fork on a target and it failed, while the original script gets it right.

[?] Enter target URL: *******.com/login.php
[+] Heuristic found a Clickjacking Vulnerability
[+] Heuristic found a CSRF Vulnerability
[>] Usernames loaded: 13
[>] Passwords loaded: 25
[!] Username field: name
[!] Password field: password
[!] Cannot use brute force with user name.
    [Error: __init__() takes exactly 2 arguments (1 given)]
[-] No forms found

s0md3v avatar Nov 21 '17 17:11 s0md3v

I checked the code. I tested it with the login form of WordPress 4.9 without problems. Regards

fernando24164 avatar Nov 21 '17 20:11 fernando24164

Try this one: bestpower.in.th/login.php

s0md3v avatar Nov 22 '17 03:11 s0md3v

Sorry, but I can't reproduce this error. Mechanize gets the request and the flow continues as "normal". I see the error message in your message. It seems that the mechanize lib didn't get the response. Can you try again and check if you get a response?

fernando24164 avatar Nov 22 '17 20:11 fernando24164

@thehappydinoa @gustavosnovaes @rogerzanoni Can you guys please check this fork on your machines so we can make sure it's not a problem related to my configuration?

s0md3v avatar Nov 23 '17 18:11 s0md3v

@UltimateHackers worked fine on Arch Linux, Python 2.7.14, but I get the "No forms found" message in the end as well:

$ python blazy.py ____ _
| _ \ | |
| |) || | __ _ ____ _ _ | _ < | | / ` || /| | | | | |) || || (| | / / | || | |/ || _,|/| _, | / | Made with <3 By D3V |/

[?] Enter target URL: http://localhost
[+] Heuristic found a Clickjacking Vulnerability
[+] Heuristic found a CSRF Vulnerability
[>] Usernames loaded: 13
[>] Passwords loaded: 25
[!] Username field: username
[!] Password field: password
[>] Bruteforcing username: 'or' '='
[>] Passwords tried: 25 / 25
[>] Bruteforcing username: ' or true--
[>] Passwords tried: 25 / 25
[>] Bruteforcing username: root
[>] Passwords tried: 25 / 25
[>] Bruteforcing username: admin
[>] Passwords tried: 5 / 25
[+] Valid credentials found: Username: admin Password: password
[-] No forms found
(venv)

Tested using vulnerables/web-dvwa docker image

rogerzanoni avatar Nov 25 '17 04:11 rogerzanoni

Thanks for the feedback. I added a conditional clause to check the length of the forms.

fernando24164 avatar Nov 25 '17 17:11 fernando24164