A few weeks ago I was looking for some (web) apps related to RTSP. Somehow I landed on the TurnKeyLinux page, where I found a VM with ZoneMinder (1.34.25). Below you will find the details about the (post-auth SQLi) bug I was able to spot. Here we go...
This time we'll start here:
When the VM was ready I decided to change the PHP settings (php.ini) and set display_errors to On ("just in case" ;)).
After a while we should be somewhere here:
I decided to run Burp to catch a few requests and try them with some 'standard payloads' using the Repeater or Intruder tab:
Checking response tab:
And indeed - there is an opportunity to inject additional code:
Moving forward - continuing Intruder tests with Burp:
One of the responses:
...that I decided to check using sqlmap ;) Like this:
After a while we should be here:
At this stage I decided to dig a bit in the log files. This is what I found:
My next step was to go to the source file and read it:
More:
...and when I started searching for info about this (kind of and/or similar) bug(s) in ZoneMinder... I found this page. :) Check it out:
So. ;> As you can see: the bug is already known and published (as CVE-2023-26034).
Anyhow - it was an interesting journey. :)
Remember to update your ZoneMinder!
See you next time!