Create exploit for CVE-2015-2996/8 (sysaid SQL database cred disclosure) #5474
Conversation
@pedrib You can omit the OSVDB and reference URL entries that currently have TODO entries. These are causing Travis to fail. Once the OSVDB entries are allocated, another commit can be pushed then.
}
create_credential_login(database_login_data)
# Skip creating the Login, but tell the user about it if we cannot resolve the DB Server Hostname
rescue SocketError
I think this rescue statement should be right after the line:
db_address = Rex::Socket.getaddress(db_address, true)
and all other statements should be outside the begin rescue block. This way it is easy to determine what it is rescue-ing.
Thanks for the comment - what should db_address be set to then? 127.0.0.1?
Actually I was suggesting like:
# If the database URL points at localhost, the DB lives on the target itself.
if database_url['localhost'] == 'localhost'
  db_address = rhost
else
  # Only the hostname resolution can raise here, so keep the begin/rescue
  # wrapped tightly around it.
  begin
    db_address = matches.captures[2]
    # Drop an optional :port suffix before resolving.
    db_address = (db_address.index(':') ? db_address[0, db_address.index(':')] : db_address)
    db_address = Rex::Socket.getaddress(db_address, true)
  rescue
    # Bare rescue catches any StandardError, which includes SocketError.
    print_error "Could not resolve database server hostname."
  end
end
This way the rescue is easier to follow with the begin.
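As an added illustration of the structure suggested above (example code written for this page, not code from the PR or from Metasploit): the begin/rescue wraps only the resolution call, localhost is mapped to the target address, and an optional :port suffix is stripped first. It assumes a host[:port] string already captured from the database URL and uses Ruby's stdlib Resolv through an injectable resolver in place of Rex::Socket.getaddress, so the failure path can be exercised offline.

```ruby
require 'resolv'

# Resolve the database server address from the host[:port] part of the
# database URL, returning nil when the hostname cannot be resolved.
#
# host_part: host[:port] captured from the database URL (constructed input
#            here; the real module takes it from a regex over serverConf.xml).
# rhost:     the target address, substituted when the URL points at localhost.
# resolver:  any callable taking a hostname and returning an IP string;
#            defaults to Ruby's Resolv (assumption: the module itself uses
#            Rex::Socket.getaddress instead).
def resolve_db_address(host_part, rhost, resolver: Resolv.method(:getaddress))
  # A localhost URL means the database runs on the target itself.
  return rhost if host_part.include?('localhost')

  # Strip an optional :port suffix before resolving (no IPv6 literal handling).
  hostname = host_part.split(':', 2).first

  # Keep the rescue wrapped tightly around the only call that can raise a
  # resolution error, so it is obvious what is being rescued.
  begin
    resolver.call(hostname)
  rescue SocketError, Resolv::ResolvError
    # Resolution failed: signal it to the caller instead of aborting.
    nil
  end
end

# Build the login record to store, or a message for the user when the
# hostname could not be resolved and the login has to be skipped.
def db_login_record(host_part, rhost, user, pass, resolver: Resolv.method(:getaddress))
  address = resolve_db_address(host_part, rhost, resolver: resolver)
  if address.nil?
    { stored: false,
      message: "Could not resolve database server hostname #{host_part}; " \
               "credentials #{user}:#{pass} were not stored" }
  else
    { stored: true, address: address, user: user, pass: pass }
  end
end
```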
Delayed label applied. Author pinged.
Addressed two of your comments, please see my comment above for the other one.
I'm downloading the beta from the home page. If the beta isn't vulnerable anymore, it would be nice if you could provide us with the installer URL if available, or just a PCAP for verification (without SSL pls, otherwise an SSL-capable proxy would be good enough :))
'fileName' => '../conf/serverConf.xml'
},
})
rescue Rex::ConnectionRefused
Prolly makes more sense to rescue Rex::ConnectionError, which will also take care of Rex::ConnectionRefused.
@jvazquez-r7 I've uploaded the vulnerable version to dropbox: This is the vulnerable 14.2 version. Let me know if you need anything else!
* sysaid SQL database cred disclosure
Thanks @pedrib, landed after some cleanup, see final result here: 29718ce Test:
@jvazquez-r7 I'm getting this on mine with your version:
msf auxiliary(sysaid_db) > run
[-] Auxiliary failed: NoMethodError undefined method ???
This module exploits two vulnerabilities in SysAid Help Desk 14.4 to obtain the SQL database credentials. This module has been tested on Windows and Linux.