コード例 #1
ファイル: sharepwn.py プロジェクト: 0rigen/SharePwn
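def check(target):
    """Probe the target URL and report whether it answers like SharePoint.

    Args:
        target: Two-item sequence; target[0] and target[1] are handed to
            url_processor.checkhttp() to build the URL that is requested.

    Returns:
        The ``microsoftsharepointteamservices`` response header as a string,
        or None when the request fails or the header is missing.
    """
    url = url_processor.checkhttp(target[0], target[1])
    try:
        # NOTE(review): verify=False switches off TLS certificate validation,
        # so the responding host is not authenticated; the header read below
        # is only as trustworthy as the network path to the target.
        # The timeout keeps an unresponsive host from blocking the tool forever.
        r = requests.get(url, verify=False, timeout=10)
        head_check = str(r.headers['microsoftsharepointteamservices'])
        return head_check
    except Exception:
        # `except Exception` (rather than a bare `except`) lets Ctrl-C and
        # sys.exit() propagate instead of being reported as "not found".
        # A connection error, a bad URL and a missing header all end up here.
        print(red + "[!] " + endc + "No SharePoint found at the given URL.  Check your URL and port specification.")
        return None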
コード例 #2
ファイル: sharepwn.py プロジェクト: magnologan/SharePwn
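def check(target):
    """Request the target URL and look for the SharePoint version header.

    Args:
        target: Two-item sequence whose items are passed, in order, to
            url_processor.checkhttp() to obtain the URL to request.

    Returns:
        The string form of the ``microsoftsharepointteamservices`` response
        header, or None if the request raised or the header was not present.
    """
    url = url_processor.checkhttp(target[0], target[1])
    try:
        # NOTE(review): certificate validation is disabled (verify=False), so
        # this result does not prove which host actually answered.
        # A timeout is set so a host that never replies cannot hang the caller.
        r = requests.get(url, verify=False, timeout=10)
        head_check = str(r.headers['microsoftsharepointteamservices'])
        return head_check
    except Exception:
        # Narrowed from a bare `except` so KeyboardInterrupt and SystemExit
        # are no longer swallowed and misreported as a missing SharePoint.
        print(
            red + "[!] " + endc +
            "No SharePoint found at the given URL.  Check your URL and port specification."
        )
        return None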
コード例 #3
ファイル: sharepwn.py プロジェクト: magnologan/SharePwn
def changetarget(full):
    """Prompt for a target URL (and a port when needed) until check() accepts it.

    Args:
        full: When truthy, the module-level ``target`` list is cleared first
            so that both URL and port are asked for again.

    Returns:
        A two-item list: the URL as returned by url_processor.checkhttp()
        and the port that was used.
    """
    # A full reset wipes both slots of the shared target list up front.
    if full:
        target[0] = None
        target[1] = None

    while True:
        entered_url = raw_input(cyan + "[?] Please enter a target URL now: " + endc)
        # Stored on the global before any port prompt; changeport() reads it.
        target[0] = entered_url

        # The stored port is reused only when this is not a full reset and a
        # port is already present; every other combination asks the user.
        if full is not True and target[1] is not None:
            chosen_port = target[1]
        else:
            chosen_port = changeport()

        # Keep the global in step with the port used for this attempt.
        target[1] = chosen_port

        # Normalise the URL for the chosen port before probing it.
        candidate = [url_processor.checkhttp(entered_url, chosen_port), chosen_port]

        if check(candidate) is not None:
            return candidate

        # The probe failed: force the next pass to overwrite what was entered.
        full = True
コード例 #4
ファイル: sharepwn.py プロジェクト: 0rigen/SharePwn
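def changeport():
    """Prompt for the target port until an accepted value is entered.

    Returns:
        The port number (80 or 443) that was accepted.

    Side effects:
        Writes to the module-level ``target`` list (see the note below).
    """
    while True:
        try:
            port = int(raw_input(cyan + "[?] Enter target port (80 or 443): " + endc))
        except ValueError:
            # Only a non-numeric entry is handled here; a bare `except` would
            # also trap Ctrl-C / EOF and leave no way out of the prompt.
            print(yellow + "[!] Bad Port.  Try again." + endc)
            continue

        # The previous test `port == 80 or 443` was always true because the
        # literal 443 is truthy, so every integer was accepted.
        if port in (80, 443):
            break
        print(yellow + "[!] Bad Port.  Try again." + endc)

    # Check for a standard port number
    var = url_processor.checkhttp(target[0], port)
    if var is not None:
        # NOTE(review): elsewhere in this file the result of checkhttp() is
        # stored in target[0], which suggests this line puts that value into
        # the port slot -- confirm whether `port` was intended here.
        target[1] = var
    # checkhttp() rejected the combination: ask again
    else:
        port = changeport()

    return port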
コード例 #5
ファイル: sharepwn.py プロジェクト: 0rigen/SharePwn
def changetarget(full):
    """Ask for a new target until one passes check(), then return it.

    Args:
        full: Truthy to discard the URL and port currently held in the
            module-level ``target`` list before prompting.

    Returns:
        ``[url, port]`` where ``url`` is the value produced by
        url_processor.checkhttp() for the accepted input.
    """
    if full:
        # Start from a clean slate: forget the previous URL and port.
        target[0] = None
        target[1] = None

    while True:
        typed = raw_input(cyan + "[?] Please enter a target URL now: " + endc)
        target[0] = typed  # shared state; must be set before changeport() runs

        keep_stored_port = full is not True and target[1] is not None
        # Prompt for a port unless a stored one may be reused.
        port_value = target[1] if keep_stored_port else changeport()

        # Mirror the port onto the global list.
        target[1] = port_value

        # Build the [url, port] pair with the URL processed for this port.
        tarout = [url_processor.checkhttp(typed, port_value), port_value]

        if check(tarout) is None:
            # Not accepted: the next round has to replace the earlier entry.
            full = True
            continue

        return tarout
コード例 #6
ファイル: sharepwn.py プロジェクト: magnologan/SharePwn
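def changeport():
    """Ask the user for the target port and return it once it is accepted.

    Returns:
        The accepted port number (80 or 443).

    Side effects:
        Writes to the module-level ``target`` list (see the note below).
    """
    while True:
        try:
            port = raw_input(cyan + "[?] Enter target port (80 or 443): " +
                             endc)
            port = int(port)
        except ValueError:
            # Catch only the failed int() conversion; the former bare
            # `except` also swallowed Ctrl-C and EOF inside this loop.
            print(yellow + "[!] Bad Port.  Try again." + endc)
            continue

        # `port == 80 or 443` evaluated to a truthy value for every input
        # (the bare 443 is truthy); test membership instead.
        if port in (80, 443):
            break
        print(yellow + "[!] Bad Port.  Try again." + endc)

    # Check for a standard port number
    var = url_processor.checkhttp(target[0], port)
    if var is not None:
        # NOTE(review): checkhttp()'s result is used as the URL elsewhere in
        # this file, so storing it in target[1] (the port slot) looks
        # unintended -- confirm against the callers.
        target[1] = var
    # checkhttp() returned None: prompt again
    else:
        port = changeport()

    return port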
コード例 #7
ファイル: sharepwn.py プロジェクト: 0rigen/SharePwn
    #####################################################################################
    # Handle target specification.  This can come in the following combinations:
    # 1; Port but no target
    # 2; target but no port
    # 3; Neither target nor port
    # 4; Both provided
    # Right now, if the target is blank, then both must be set manually, eliminating (2)
    #####################################################################################

    # A Target was provided
    if args.t is not None:
        # A port was also provided
        if args.p is not None:
            target[0] = args.t  # Assign values
            target[1] = int(args.p)
            target[0] = url_processor.checkhttp(target[0], target[1])  # check URL

        # If the user provided a target but no port
        elif args.p is None:
            print(red + "[!]" + " Target specified on command line, but no port!  Use -p to specify the port!")
            sys.exit(0)

    # No Target was provided...
    elif args.t is None:
        # A port was provided, but no target
        if args.p is not None:
            print(red + "[!]" + " Port specified on command line, but no target!  Use -t to specify the target!")
            sys.exit(0)

        # Nothing was provided...
        elif args.p is None:
コード例 #8
ファイル: user_id.py プロジェクト: 0rigen/SharePwn
def enumusers(target, start=None, end=None, creds=None):
    """Request UserDisp.aspx for a range of numeric IDs and collect the ones that look valid.

    Each ID results in one GET for ``<target>/UserDisp.aspx?ID=<n>``; IDs that
    fail the success heuristics are requested a second time with
    ``?Force=True`` appended. On the server side this appears as consecutive
    requests for the same page with increasing ID values.

    Args:
        target: Two-item sequence passed to url_processor.checkhttp() to
            build the base URL.
        start: First ID to request; defaults to 1.
        end: Upper bound for range(); defaults to 10. The bound itself is
            not requested.
        creds: Optional credentials; see the NOTE(review) on the request call.

    Returns:
        List of IDs whose responses passed the success heuristics.
    """
    results = []  # IDs whose response passed the success heuristics
    failures = []  # IDs to request again with Force=True appended

    if start is None:  # Assign default Start and End values
        start = 1
        sys.stdout.write(yellow + "[!] " + endc + "No start value provided, starting at UID=%d" % start + endc)
        sys.stdout.write("\n")
    if end is None:
        end = 10
        # NOTE(review): range(start, end) below excludes `end`, so the last
        # ID actually requested is end - 1, not the value printed here.
        sys.stdout.write(yellow + "[!] " + endc + "No stop value provided, stopping at UID=%d" % end + endc)
        sys.stdout.write("\n")

    # Ensure proper target specification
    target = url_processor.checkhttp(target[0], target[1])  # Check target formatting

    # Begin requesting pages
    for i in range(start, end):  # From start up to, but not including, end

        r = target + "/UserDisp.aspx?ID=" + str(i)  # Compiled request string
        sys.stdout.write(yellow + "\r[...] Trying %s" % r + endc)

        try:
            # NOTE(review): requests.get() has no HttpNtlmAuthentication
            # keyword, so this call raises TypeError, which the bare except
            # below reports as "Unexpected Error"; no request is sent when
            # creds is supplied.
            if creds is not None:
                page = requests.get(r, HttpNtlmAuthentication=creds)  # Open the page
            if creds is None:
                page = requests.get(r)

            # NOTE(review): "[2**]" is a character class matching a '2' or a
            # '*' anywhere in the string, so 302, 402 or 502 also count as a
            # match; it does not test for a 2xx status.
            code_match = re.search("[2**]", str(page.status_code))
            # NOTE(review): no re.IGNORECASE flag is passed, so this search is
            # case-sensitive. `_content` is a private attribute of the
            # response object; `.content` is the public accessor.
            nf_match = re.search("Not Found",
                                 page._content)

            # A body containing the text "404" anywhere is treated as a miss.
            if code_match is not None and page._content.__contains__("404") is False and nf_match is None:
                results.append(i)  # Add to results if successful
                sys.stdout.flush()
            else:
                failures.append(i)  # Add to Failures to retry with Force
                sys.stdout.flush()
        except:  # Bare except: any error, Ctrl-C included, is reported and the ID is put in neither list
            sys.stdout.write(red + "\n[X] " + endc + "Unexpected Error in enumusers()\n" + endc)

    sys.stdout.write(
            yellow + "\n[!] " + endc + "Re-attempting failed IDs with the Force parameter set to True..." + endc)
    sys.stdout.write("\n")

    # Re-request all users with ?Force = True
    # NOTE(review): failures.remove(user) inside this loop mutates the list
    # being iterated, so the entry after each removed one is skipped.
    for user in failures:

        # NOTE(review): a second '?' is appended rather than '&', so the query
        # string reads "ID=<n>?Force=True" -- confirm this is what is intended.
        r = target + "/UserDisp.aspx?ID=" + str(user) + "?Force=True"  # Request string with True parameter
        sys.stdout.write(yellow + "\r[...] Retrying %s" % r + endc)

        try:
            # Same unsupported keyword as in the first loop (raises TypeError).
            if creds is not None:
                page = requests.get(r, HttpNtlmAuthentication=creds)  # Open the page
            if creds is None:
                page = requests.get(r)

            code_match = re.search("[2**]", str(page.status_code))  # Matches any status containing a '2' (see first loop)
            nf_match = re.search("Not Found",
                                 page._content)  # Case-sensitive search (see first loop)

            if code_match is not None and page._content.__contains__("404") is False and nf_match is None:
                results.append(user)  # Add to results if successful, remove from Failures
                failures.remove(user)
            else:
                pass
        except:  # Bare except: every error is reported with the same message
            sys.stdout.write(red + "\n[X] " + endc + "Unexpected Error in enumusers(), failures loop" + endc)

        sys.stdout.flush()

    logging.info("UserID Brute Force Completed.")
    sys.stdout.write("\n")

    return results  # Return array of successful IDs
コード例 #9
ファイル: sharepwn.py プロジェクト: magnologan/SharePwn
    #####################################################################################
    # Handle target specification.  This can come in the following combinations:
    # 1; Port but no target
    # 2; target but no port
    # 3; Neither target nor port
    # 4; Both provided
    # Right now, if the target is blank, then both must be set manually, eliminating (2)
    #####################################################################################

    # A Target was provided
    if args.t is not None:
        # A port was also provided
        if args.p is not None:
            target[0] = args.t  # Assign values
            target[1] = int(args.p)
            target[0] = url_processor.checkhttp(target[0],
                                                target[1])  # check URL

        # If the user provided a target but no port
        elif args.p is None:
            print(
                red + "[!]" +
                " Target specified on command line, but no port!  Use -p to specify the port!"
            )
            sys.exit(0)

    # No Target was provided...
    elif args.t is None:
        # A port was provided, but no target
        if args.p is not None:
            print(
                red + "[!]" +
コード例 #10
def enumusers(target, start=None, end=None, creds=None):
    """Walk a range of numeric IDs against UserDisp.aspx and return those that look valid.

    One GET is issued per ID for ``<target>/UserDisp.aspx?ID=<n>``; IDs that do
    not pass the checks are retried once with ``?Force=True`` appended. In a
    server access log this shows as a run of requests for the same page with
    increasing ID values.

    Args:
        target: Two-item sequence handed to url_processor.checkhttp() to
            produce the base URL.
        start: First ID requested; 1 when omitted.
        end: Exclusive upper bound given to range(); 10 when omitted.
        creds: Optional credentials; see the NOTE(review) on the request call.

    Returns:
        List of IDs whose responses passed the checks.
    """
    results = []  # IDs that passed the checks
    failures = []  # IDs queued for the Force=True retry

    if start is None:  # Assign default Start and End values
        start = 1
        sys.stdout.write(yellow + "[!] " + endc +
                         "No start value provided, starting at UID=%d" %
                         start + endc)
        sys.stdout.write("\n")
    if end is None:
        end = 10
        # NOTE(review): the loop uses range(start, end), which stops at
        # end - 1; the message below prints `end` itself.
        sys.stdout.write(yellow + "[!] " + endc +
                         "No stop value provided, stopping at UID=%d" % end +
                         endc)
        sys.stdout.write("\n")

    # Ensure proper target specification
    target = url_processor.checkhttp(target[0],
                                     target[1])  # Check target formatting

    # Begin requesting pages
    for i in range(start, end):  # `end` itself is not requested

        r = target + "/UserDisp.aspx?ID=" + str(i)  # Compiled request string
        sys.stdout.write(yellow + "\r[...] Trying %s" % r + endc)

        try:
            # NOTE(review): HttpNtlmAuthentication is not a keyword that
            # requests.get() accepts; the call raises TypeError, which the
            # bare except below turns into "Unexpected Error", so nothing is
            # requested when creds is given.
            if creds is not None:
                page = requests.get(
                    r, HttpNtlmAuthentication=creds)  # Open the page
            if creds is None:
                page = requests.get(r)

            # NOTE(review): "[2**]" is a character class ('2' or '*'), so any
            # status code containing a 2 (302, 402, 502, ...) matches; this is
            # not a 2xx test.
            code_match = re.search("[2**]", str(page.status_code))
            nf_match = re.search(
                "Not Found", page._content
            )  # NOTE(review): case-sensitive (no flags); _content is a private attribute

            # Any occurrence of "404" in the body counts as a miss.
            if code_match is not None and page._content.__contains__(
                    "404") is False and nf_match is None:
                results.append(i)  # Add to results if successful
                sys.stdout.flush()
            else:
                failures.append(i)  # Add to Failures to retry with Force
                sys.stdout.flush()
        except:  # Bare except: also traps Ctrl-C; the ID lands in neither list
            sys.stdout.write(red + "\n[X] " + endc +
                             "Unexpected Error in enumusers()\n" + endc)

    sys.stdout.write(
        yellow + "\n[!] " + endc +
        "Re-attempting failed IDs with the Force parameter set to True..." +
        endc)
    sys.stdout.write("\n")

    # Re-request all users with ?Force = True
    # NOTE(review): the loop body removes items from `failures` while iterating
    # over it, which makes the iterator skip the item after each removal.
    for user in failures:

        # NOTE(review): the suffix starts with a second '?' instead of '&',
        # giving the query string "ID=<n>?Force=True" -- confirm intent.
        r = target + "/UserDisp.aspx?ID=" + str(
            user) + "?Force=True"  # Request string with True parameter
        sys.stdout.write(yellow + "\r[...] Retrying %s" % r + endc)

        try:
            # Same unsupported keyword as in the first loop (raises TypeError).
            if creds is not None:
                page = requests.get(
                    r, HttpNtlmAuthentication=creds)  # Open the page
            if creds is None:
                page = requests.get(r)

            code_match = re.search("[2**]", str(
                page.status_code))  # Matches any status containing a '2' (see first loop)
            nf_match = re.search(
                "Not Found", page._content
            )  # Case-sensitive search (see first loop)

            if code_match is not None and page._content.__contains__(
                    "404") is False and nf_match is None:
                results.append(
                    user)  # Add to results if successful, remove from Failures
                failures.remove(user)
            else:
                pass
        except:  # Bare except: every error is reported with the same message
            sys.stdout.write(red + "\n[X] " + endc +
                             "Unexpected Error in enumusers(), failures loop" +
                             endc)

        sys.stdout.flush()

    logging.info("UserID Brute Force Completed.")
    sys.stdout.write("\n")

    return results  # Return array of successful IDs