Skip to content

DoliBrute is a login brute force tool with captcha bypass for Dolibarr login page.

Notifications You must be signed in to change notification settings

BaadMaro/DoliBrute

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

27 Commits
 
 
 
 
 
 
 
 

Repository files navigation

What is this ?

DoliBrute is a login brute force tool with captcha bypass for Dolibarr login page.

Disclaimer

All information and software available on this page are for educational and authorized purposes only.

Install and dependencies

Installation :

git clone https://github.com/BaadMaro/DoliBrute
cd DoliBrute
pip install -r requirements.txt

Change the variable pytesseract.pytesseract.tesseract_cmd for tesseract binary location and OS.

# Linux
pytesseract.pytesseract.tesseract_cmd = "/usr/bin/tesseract"

# Windows
pytesseract.pytesseract.tesseract_cmd = 'C:/Program Files/Tesseract-OCR/tesseract.exe'

Usage

python3 DoliBrute.py -u http://IP/ -U username -P passwords.txt
 
 _____        _ _ ____             _       
|  __ \      | (_)  _ \           | |      
| |  | | ___ | |_| |_) |_ __ _   _| |_ ___ 
| |  | |/ _ \| | |  _ <| '__| | | | __/ _ \
| |__| | (_) | | | |_) | |  | |_| | ||  __/
|_____/ \___/|_|_|____/|_|   \__,_|\__\___|
  
  DoliBrute is a login brute force tool with captcha bypass for Dolibarr login page.                                        
  V0.1
  Coded by BaadMaro
    
Usage: 
    python3 DoliBrute.py -u http://127.0.0.1/ -U admin -P default-passwords.txt


Options:
  -h, --help     show this help message and exit
  -U USERNAME    specify username
  -P PASSWORDS   specify passwords list
  -u BASE_URL    specify base url with "/" at the end
  --proxy=PROXY  specify proxy with IP:Port

Example

image

With proxy

image

Tested versions

  • [*] 15.0.2

Lab setup with docker

Create docker-compose.yml file as following:

version: "3"

services:
    mariadb:
        image: mariadb:latest
        environment:
            MYSQL_ROOT_PASSWORD: root
            MYSQL_DATABASE: dolibarr

    web:
        image: tuxgasy/dolibarr
        environment:
            DOLI_DB_HOST: mariadb
            DOLI_DB_USER: root
            DOLI_DB_PASSWORD: root
            DOLI_DB_NAME: dolibarr
            DOLI_URL_ROOT: 'http://0.0.0.0'
            PHP_INI_DATE_TIMEZONE: 'Europe/Paris'
        ports:
            - "80:80"
        links:
            - mariadb

Then run all services docker-compose up -d. Now, go to http://0.0.0.0 to access to the new Dolibarr installation.

To do

  • More clean code.
  • HTTPS support ( i need to test it).
  • Erros Handling.
  • ✅ Succes login test case with 302 redirection.
  • OS detection for tesseract_cmd variable.
  • Improve OCR detection.
  • Use a wordlist for usernames.
  • Options for no captcha use.
  • Handle errors messages for other languages (?).
  • verbose mode.
  • Threading.
  • Custom User Agent.
  • ✅ Proxy support.

Kudos

Thanks to some exploits authors in exploit-db, I was inspired by their code :

About

DoliBrute is a login brute force tool with captcha bypass for Dolibarr login page.

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages