Description
This module exploits several vulnerabilities on Centreon 2.5.1 and prior and Centreon Enterprise Server 2.2 and prior. Due to a combination of SQL injection and command injection in the displayServiceStatus.php component, it is possible to execute arbitrary commands as long as there is a valid session registered in the centreon.session table. In order to have a valid session, all it takes is a successful login from anybody. The exploit itself does not require any authentication.
This module has been tested successfully on Centreon Enterprise Server 2.2.
Module options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/linux/http/centreon_sqli_execmsf undefined(centreon_sqli_exec) > show actions ...actions...msf undefined(centreon_sqli_exec) > set ACTION < action-name >msf undefined(centreon_sqli_exec) > show options ...show and set options...msf undefined(centreon_sqli_exec) > runPrioritise with Active Threat Intelligence
With curated Threat Intelligence, you can see which vulnerabilities truly put you at risk, prioritize what matters most, and act before attackers do.
Explore Intelligence Hub