"Alienvault Open Source SIEM (OSSIM) 4.1 - Multiple SQL Injection Vulnerabilities"

Author

Exploit author

"Glafkos Charalambous"

Platform

Exploit platform

php

Release date

Exploit published date

2013-06-24

                
                    
                         Download file
                    
                
            
# Title: 	Alienvault OSSIM Open Source SIEM 4.1 Multiple SQL Vulnerabilities
# Date:         February 15, 2013
# Author:       Glafkos Charalambous
# Vendor:       AlienVault
# Vendor URL:   http://www.alienvault.com
# Reported:	February 17, 2013

Timeline:
---------
17 Feb 2013: Vulnerability Reported to AlienVault
19 Feb 2013: Sales Department replied if interested to migrate from OSSIM to AlienVault
19 Feb 2013: Asked if there is someone that can handle the security issues
22 Feb 2013: No Vendor response
22 Jun 2013: Public Disclosure

Vendor Description:
-------------------
OSSIM is the most widely used SIEM offering, thanks in no small part to the open source 
community that has promoted its use. OSSIM provides all of the capabilities that a security 
professional needs from a SIEM offering, event collection, normalization, correlation and 
incident response - but it also does far more. Not simply satisfied with integrating data 
from existing security tools, OSSIM is built on the Unified Security Management platform 
which provides a common framework for the deployment, configuration, and management of your 
security tools.


Vulnerability Details:
----------------------

Blind SQL Injection vulnerabilities detected in the Alienvault OSSIM Open Source SIEM 4.1 product:

Example POC:

Get Parameter: sensor
https://[host]/ossim/forensics/base_qry_main.php?new=1&num_result_rows=-1&sensor=SQL_INJECTION&submit=Query

Get Parameter: tcp_flags
https://[host]/ossim/forensics/base_stat_alerts.php?ossim/forensics/base_stat_alerts.php?current_view=-1
&layer4=TCP&num_result_rows=-1&sort_order=occur_d&tcp_flags[0]=SQL_INJECTION&tcp_port[0][0]= 
&tcp_port[0][1]=layer4_sport&tcp_port[0][2]==&tcp_port[0][3]=16315 &tcp_port[0][4]= &tcp_port[0][5]= &tcp_port_cnt=1

Get Parameter: tcp_port
https://[host]/ossim/forensics/base_stat_alerts.php?current_view=-1&layer4=TCP&num_result_rows=-1&sort_order=occur_d
&tcp_flags[0]=&tcp_port[0][0]= &tcp_port[0][1]=layer4_sport&tcp_port[0][2]==&tcp_port[0][3]=16315 
&tcp_port[0][4]=SQL_INJECTION&tcp_port[0][5]= &tcp_port_cnt=1

GetParameter: ip_addr
https://[host]/ossim/forensics/base_stat_ports.php?ip_addr[0][0]= &ip_addr[0][1]=ip_src&ip_addr[0][2]==
&ip_addr[0][3]=192.168.0.11&ip_addr[0][8]= &ip_addr[0][9]=AND&ip_addr[1][0]= &ip_addr[1][1]=ip_dst&ip_addr[1][2]==
&ip_addr[1][3]=0.0.0.0&ip_addr[1][8]=SQL_INJECTION&ip_addr[1][9]= &ip_addr_cnt=2&port_type=2&proto=6

Get Parameter: port_type
https://[host]/ossim/forensics/base_stat_ports.php?ip_addr[0][0]= &ip_addr[0][1]=ip_src&ip_addr[0][2]==
&ip_addr[0][3]=0.0.0.0&ip_addr[0][8]= &ip_addr[0][9]=AND&ip_addr[1][0]= &ip_addr[1][1]=ip_dst&ip_addr[1][2]==
&ip_addr[1][3]=0.0.0.0&ip_addr[1][8]= &ip_addr[1][9]= &ip_addr_cnt=2&port_type=SQL_INJECTION&proto=6


SQL Injection vulnerabilities detected in the Alienvault OSSIM Open Source SIEM 4.1 product:

Example POC:

Get Parameter: sortby 
https://[host]/ossim/vulnmeter/index.php?allres=1&op=search&rvalue=1&sortby=SQL_INJECTION&submit=Find&type=scantime&withoutmenu=1

Get Parameter: rvalue
https://[host]/ossim/vulnmeter/index.php?allres=1&op=search&rvalue=SQL_INJECTION&sortby=&submit=Find&type=scantime&withoutmenu=1

Release Date	Title	Type	Platform	Author
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality"	webapps	php	"Mufaddal Masalawala"
2020-12-02	"Ksix Zigbee Devices - Playback Protection Bypass (PoC)"	remote	multiple	"Alejandro Vazquez Vazquez"
2020-12-02	"Mitel mitel-cs018 - Call Data Information Disclosure"	remote	linux	"Andrea Intilangelo"
2020-12-02	"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile"	webapps	multiple	"Shahrukh Iqbal Mirza"
2020-12-02	"DotCMS 20.11 - Stored Cross-Site Scripting"	webapps	multiple	"Hardik Solanki"
2020-12-02	"ChurchCRM 4.2.0 - CSV/Formula Injection"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"NewsLister - Authenticated Persistent Cross-Site Scripting"	webapps	multiple	"Emre Aslan"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"

Release Date	Title	Type	Platform	Author
2020-12-02	"WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting"	webapps	php	"Hemant Patidar"
2020-12-02	"WordPress Plugin Wp-FileManager 6.8 - RCE"	webapps	php	"Mansoor R"
2020-12-02	"WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution"	webapps	php	zetc0de
2020-12-02	"Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover"	webapps	php	"Mufaddal Masalawala"
2020-12-02	"Simple College Website 1.0 - 'page' Local File Inclusion"	webapps	php	Mosaaed
2020-12-02	"Car Rental Management System 1.0 - SQL Injection / Local File include"	webapps	php	Mosaaed
2020-12-02	"Pharmacy Store Management System 1.0 - 'id' SQL Injection"	webapps	php	"Aydın Baran Ertemir"
2020-12-02	"Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality"	webapps	php	"Mufaddal Masalawala"
2020-12-02	"WonderCMS 3.1.3 - Authenticated Remote Code Execution"	webapps	php	zetc0de
2020-12-01	"Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS"	webapps	php	yunaranyancat

Release Date	Title	Type	Platform	Author
2017-12-27	"DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download (Metasploit)"	webapps	aspx	"Glafkos Charalambous"
2015-09-08	"Cisco Sourcefire User Agent 2.2 - Insecure File Permissions"	local	windows	"Glafkos Charalambous"
2015-03-14	"Intel Network Adapter Diagnostic Driver - IOCTL Handling"	dos	windows	"Glafkos Charalambous"
2015-01-22	"Cisco Ironport Appliances - Privilege Escalation"	remote	hardware	"Glafkos Charalambous"
2014-10-22	"DotNetNuke DNNspot Store 3.0.0 - Arbitrary File Upload (Metasploit)"	webapps	windows	"Glafkos Charalambous"
2014-10-22	"iBackup 10.0.0.32 - Local Privilege Escalation"	local	windows	"Glafkos Charalambous"
2013-06-24	"Alienvault Open Source SIEM (OSSIM) 4.1 - Multiple SQL Injection Vulnerabilities"	webapps	php	"Glafkos Charalambous"
2012-09-20	"Thomson Wireless VoIP Cable Modem - Authentication Bypass"	webapps	hardware	"Glafkos Charalambous"
2011-06-04	"Xitami Web Server 2.5b4 - Remote Buffer Overflow (Egghunter)"	remote	windows	"Glafkos Charalambous"
2011-06-04	"OpenDrive 1.3.141 - Local Password Disclosure"	local	windows	"Glafkos Charalambous"
2010-08-25	"Adobe InDesign CS4 - 'ibfs32.dll' DLL Hijacking"	local	windows	"Glafkos Charalambous"
2010-08-25	"Adobe Illustrator CS4 - 'aires.dll' DLL Hijacking"	local	windows	"Glafkos Charalambous"
2010-08-25	"Adobe Premier Pro CS4 - 'ibfs32.dll' DLL Hijacking"	local	windows	"Glafkos Charalambous"
2010-08-25	"Skype 4.2.0.169 - 'wab32.dll' DLL Hijacking"	local	windows	"Glafkos Charalambous"
2010-08-25	"Adobe On Location CS4 - 'ibfs32.dll' DLL Hijacking"	local	windows	"Glafkos Charalambous"
2010-08-25	"Adobe Device Central CS5 - 'qtcf.dll' DLL Hijacking"	local	windows	"Glafkos Charalambous"
2010-08-24	"TeamViewer 5.0.8703 - 'dwmapi.dll' DLL Hijacking"	local	windows	"Glafkos Charalambous"
2010-08-24	"Mozilla Firefox 3.6.8 - 'dwmapi.dll' DLL Hijacking"	local	windows	"Glafkos Charalambous"
2010-08-24	"Adobe Dreamweaver CS4 - 'ibfs32.dll' DLL Hijacking"	local	windows	"Glafkos Charalambous"
2010-08-17	"Triologic Media Player 8 - '.m3u' Universal Unicode Local Buffer Overflow (SEH)"	local	windows	"Glafkos Charalambous"
2010-08-16	"MUSE 4.9.0.006 - '.pls' Universal Local Buffer Overflow (SEH)"	local	windows	"Glafkos Charalambous"
2010-08-16	"MUSE 4.9.0.006 - '.m3u' Local Buffer Overflow"	local	windows	"Glafkos Charalambous"
2010-08-11	"EasyFTP Server 1.7.0.11 - (Authenticated) Multiple Commands Remote Buffer Overflows"	remote	windows	"Glafkos Charalambous"
2009-01-11	"DZcms 3.1 - SQL Injection"	webapps	php	"Glafkos Charalambous"
2008-11-24	"WebStudio CMS - Blind SQL Injection"	webapps	php	"Glafkos Charalambous"
2007-06-07	"WMSCMS 2.0 - Multiple Cross-Site Scripting Vulnerabilities"	webapps	php	"Glafkos Charalambous"
2007-06-04	"WebStudio CMS - 'index.php' Cross-Site Scripting"	webapps	php	"Glafkos Charalambous"
2007-06-01	"Evenzia Content Management Systems (CMS) - Cross-Site Scripting"	webapps	php	"Glafkos Charalambous"

import requests

response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher	Protocols	Sigalg	Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host	WAF detected

Whatweb

Dns lookup

Raccoon scanner

Cmseek

WAF detector

DNS reconnaince

Bing IP2Host

Wappalyzer

Waybackurl

HostHunter

WPScan

Apache Users

CORS Scanner

API Docs

ReDoc

OpenAPI

Swagger

Search for hundreds of thousands of exploits

"Alienvault Open Source SIEM (OSSIM) 4.1 - Multiple SQL Injection Vulnerabilities"

Download file

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.