
Cayin xPost wayfinder_seqid SQLi to RCE

Disclosed
2020-06-04
Created
2020-06-18

Description

This module exploits an unauthenticated blind SQL injection in the
wayfinder_seqid parameter of the wayfinder_meeting_input.jsp file in
Cayin xPost. Because the application bundles MySQL and Apache Tomcat, the
environment is fairly static, so the default settings should work.
Exploitation results in SYSTEM-level access.
Only the java/jsp_shell_reverse_tcp and java/jsp_shell_bind_tcp payloads
seem to be valid.
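
For defenders, a detection sketch for the parameter named above (an added example, not part of the module or the original page): it scans access-log lines for requests to wayfinder_meeting_input.jsp whose wayfinder_seqid is not a plain integer. The integer-only rule, the common log format, the URL path and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

TARGET_PAGE = "wayfinder_meeting_input.jsp"   # file named in the description
PARAM = "wayfinder_seqid"                     # parameter named in the description
# Assumption: a legitimate sequence id is a short decimal integer.
LEGIT_SEQID = re.compile(r"\d{1,10}")
# Assumption: common log format, host ident user [time] "METHOD uri PROTO" status bytes
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample lines (documentation addresses, made-up path).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Jun/2020:10:00:01 +0000] '
    '"GET /constructed/path/wayfinder_meeting_input.jsp?wayfinder_seqid=42 HTTP/1.1" 200 512',
    '192.0.2.77 - - [04/Jun/2020:10:00:05 +0000] '
    '"GET /constructed/path/wayfinder_meeting_input.jsp?wayfinder_seqid=7%27-- HTTP/1.1" 200 512',
    '192.0.2.10 - - [04/Jun/2020:10:00:09 +0000] '
    '"GET /constructed/path/index.jsp?id=x HTTP/1.1" 200 128',
]

def suspicious_requests(lines):
    """Return (client, timestamp, decoded value) for each non-integer wayfinder_seqid."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a parsable access-log entry
        client, when, _method, uri, _status = m.groups()
        parts = urlsplit(uri)
        # Drop any ";jsessionid=..." path parameter before comparing the file name.
        path = parts.path.split(";")[0].lower()
        if not path.endswith("/" + TARGET_PAGE):
            continue
        # parse_qs percent-decodes values, so encoded quotes are seen in clear.
        for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
            if not LEGIT_SEQID.fullmatch(value):
                hits.append((client, when, value))
    return hits

if __name__ == "__main__":
    for client, when, value in suspicious_requests(SAMPLE_LOG):
        print(f"{when} {client} non-numeric {PARAM}: {value!r}")
```

Parameters sent in a POST body do not appear in an access log's request line, so the same check belongs in a WAF rule or application-level logging as well.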

Authors

h00die
Gjoko Krstic (LiquidWorm) gjoko@zeroscience.mk

Platform

Java, Windows

Architectures

java

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


msf > use exploit/windows/http/cayin_xpost_sql_rce
msf exploit(cayin_xpost_sql_rce) > show targets
...targets...
msf exploit(cayin_xpost_sql_rce) > set TARGET < target-id >
msf exploit(cayin_xpost_sql_rce) > show options
...show and set options...
msf exploit(cayin_xpost_sql_rce) > exploit
