module

Cayin xPost wayfinder_seqid SQLi to RCE

Disclosed	Created
Jun 4, 2020	Jun 18, 2020

Disclosed

Jun 4, 2020

Created

Jun 18, 2020

Description

This module exploits an unauthenticated SQLi in Cayin xPost wayfinder_meeting_input.jsp file's wayfinder_seqid parameter can be injected
with a blind SQLi. Since this app bundles MySQL and apache Tomcat the
environment is pretty static and therefore the default settings should
work. Results in SYSTEM level access.
Only the java/jsp_shell_reverse_tcp and java/jsp_shell_bind_tcp payloads
seem to be valid.

Authors

h00die
Gjoko Krstic (LiquidWorm) [email protected]

Platform

Java,Windows

Architectures

java

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


    msf > use exploit/windows/http/cayin_xpost_sql_rce
    msf exploit(cayin_xpost_sql_rce) > show targets
        ...targets...
    msf exploit(cayin_xpost_sql_rce) > set TARGET < target-id >
    msf exploit(cayin_xpost_sql_rce) > show options
        ...show and set options...
    msf exploit(cayin_xpost_sql_rce) > exploit

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today