Steal-kill, write-download

    In January of this year, a vulnerability was found in one of the ICQ services. It concerned access to files that users had once transferred to each other. That vulnerability has been fixed, but situations like it are far from unique.
    Below we look at another service designed for file sharing between users.

    Today one of my customers sent me a spec via droplr.com. The service really is convenient. I don't use Dropbox and the like, simply because of my slow Internet connection. But I liked this service: everything is quite convenient, the interface, the clients for various platforms, and, most importantly, you can download other people's files.
    When I clicked on the link from the customer, it became clear that droplr uses a link shortener. As a result, the file download page has the form: d.pr/[a-z]{1}/[A-Za-z0-9]{4}

    The first element is a single lowercase letter, which, as it turned out, the system ignores entirely.

    The second element is a sequence of 4 characters, each of which may be a lowercase Latin letter, an uppercase Latin letter or a digit.
    Given that a huge number of people use the service, we can assume that brute-forcing the second element will frequently land on other people's files, because the total number of possible values is only 62^4 = 14776336.

    Usually I write such tasks in PHP or plain BASH; everything you need is there out of the box. But I need to grow, so I decided to focus on Python, since I already have some experience with it.

    Judging by the task, we need to talk to the service over HTTP. Python has many libraries and interfaces for this; I settled on requests, since it covers everything we need.

    If you have pip, installation takes only a few seconds.

    pip install requests

    For parsing the page there is a powerful library called BeautifulSoup. Installation through pip is just as simple.
    pip install beautifulsoup4

    You can download the script on GitHub.

    As I expected, after the first 5 minutes of running, about 10 images with personal data were found, and what images! An admin site, including some user data. Here are phone numbers. A day in the life of LR. From a statement; a note to a friend, buy it at my expense. I think this is enough to demonstrate 5 minutes of the script. Be vigilant, and do not publish personal, and especially payment, data on the network.

    Some features


    There are no bot checks on the site at all. We do not even need to send a User-Agent. Naturally, no ban follows after many requests.
    A direct link to a file lives for about a minute; a new link can only be obtained by visiting the file download page again.
    About 80% of random links point to files.
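The three features above also describe exactly what the operator's own access logs look like while such a sweep is running. As an added example, not code from the post or from droplr, here is a detector over constructed log lines that flags a client requesting many distinct short ids within a short window; it counts distinct ids rather than 404s because, as the post notes, most random ids resolve. The /letter/xxxx path shape and the common log format are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Link shape from the post: one type letter, then a 4-character [A-Za-z0-9] id (assumed path layout).
SHORT_LINK = re.compile(r'^/[a-z]/([A-Za-z0-9]{4})$')
# Common log format fields we need: client, timestamp, request line, status.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                      r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, path) for a parseable request line, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('ip'), ts, m.group('path')

def find_enumerators(lines, window=timedelta(minutes=5), max_distinct=20):
    """Flag clients that fetch more than max_distinct distinct short ids inside any
    sliding window. Returns {ip: distinct ids seen in that client's busiest window}."""
    per_ip = defaultdict(list)          # ip -> [(timestamp, short id)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path = rec
        if (m := SHORT_LINK.match(path)):
            per_ip[ip].append((ts, m.group(1)))
    flagged = {}
    for ip, hits in per_ip.items():
        hits.sort()
        start, worst = 0, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:   # shrink window from the left
                start += 1
            worst = max(worst, len({sid for _, sid in hits[start:end + 1]}))
        if worst > max_distinct:
            flagged[ip] = worst
    return flagged

def sample_log():
    """Constructed log lines (not real data): one visitor opening two links, one client walking ab00..ab29."""
    fmt = '{ip} - - [01/Mar/2013:12:{m:02d}:{s:02d} +0000] "GET /i/{sid} HTTP/1.1" {st} 512'
    lines = [fmt.format(ip='10.0.0.5', m=0, s=3, sid='q7Zk', st=200),
             fmt.format(ip='10.0.0.5', m=9, s=41, sid='Xr2m', st=200)]
    for i in range(30):   # roughly the 80% hit rate the post reports: most sweep requests succeed
        lines.append(fmt.format(ip='10.0.0.9', m=1, s=i, sid=f'ab{i:02d}', st=200 if i % 5 else 404))
    return lines
```

Running find_enumerators(sample_log()) returns {'10.0.0.9': 30}: the sweeping client is flagged and the ordinary visitor is not.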

    UPD #1: user lybin added multithreading support.
    UPD #2: the HEAD request is gone, everything is done in one GET; User-Agent, Referer and a timeout were added.
