Rapid7 Vulnerability & Exploit Database

AIS logistics ESEL-Server Unauth SQL Injection RCE

Back to Search

AIS logistics ESEL-Server Unauth SQL Injection RCE

Disclosed
03/27/2019
Created
04/30/2019

Description

This module will execute an arbitrary payload on an "ESEL" server used by the AIS logistic software. The server typically listens on port 5099 without TLS. There could also be server listening on 5100 with TLS but the port 5099 is usually always open. The login process is vulnerable to an SQL Injection. Usually a MSSQL Server with the 'sa' user is in place. This module was verified on version 67 but it should also run on lower versions. An fixed version was created by AIS in September 2017. However most systems have not been updated. In regard to the payload, unless there is a closed port in the web server, you dont want to use any "bind" payload. You want a "reverse" payload, probably to your port 80 or to any other outbound port allowed on the firewall. Currently, one delivery method is supported This method takes advantage of the Command Stager subsystem. This allows using various techniques, such as using a TFTP server, to send the executable. By default the Command Stager uses 'wcsript.exe' to generate the executable on the target. NOTE: This module will leave a payload executable on the target system when the attack is finished.

Author(s)

  • Manuel Feifel

Platform

Windows

Architectures

x86, x64

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/misc/ais_esel_server_rce
msf exploit(ais_esel_server_rce) > show targets
    ...targets...
msf exploit(ais_esel_server_rce) > set TARGET < target-id >
msf exploit(ais_esel_server_rce) > show options
    ...show and set options...
msf exploit(ais_esel_server_rce) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security

;