#!/usr/bin/python
#+--------------------------------------------------------------------------------------------------------------------------------+
# Exploit Title : Security Manager Plus <= 5.5 build 5505 Remote SYSTEM/root SQLi (Win+Linux)
# Date : 18-10-2012
# Author : xistence (xistence<[AT]>0x90.nl)
# Software link : (Win)
# Software link : (Linux)
# Vendor site :
# Version : 5.5 build 5505 and lower
# Tested on : CentOS 5.x + Windows XP/2008
#
# Vulnerability : The SQL injection is possible on the "Advanced Search", the input is not validated correctly. To make it even worse,
# the search can be accessed without any authentication. Security Manager Plus also has to run as root or SYSTEM user,
# which makes a remote shell with root/SYSTEM privileges possible....
#
# Fix:
# 1. Go to SMP server system and stop SMP service.
# 2. Download the SMP_Vul_fix.zip file from :
# 3. Extract the downloaded file which contains four files : AdvPMServer.jar, AdvPMClient.jar, scanfi.jar and AdventNetPMUnixAgent.jar
# 3. Copy the extracted .jar files to <SMP-HOME>\lib directory (e.g., C:\AdventNet\SecurityManager\lib). [Overwrite the existing jar files and do not rename them]
# 4. Start the SMP service.
#+--------------------------------------------------------------------------------------------------------------------------------+
import urllib, urllib2, cookielib
import sys
import random