## https://sploitus.com/exploit?id=DF4B9CEA-E303-58EF-9626-AF299FEA21E6
# ZoneMinder Time-Based SQL Injection (CVE-2024-51482)
## ๐ Vulnerability Overview
- **CVE ID:** CVE-2024-51482
- **Advisory:** GHSA-qm8h-3xvf-m7j3
- **Affected versions:** ZoneMinder 1.37.* up to (and including) 1.37.64
- **Patched version:** 1.37.65
## ๐ Description
This repository contains a high-performance, parallelized proof-of-concept (PoC) exploit (`Exploit.py`) for a Blind SQL Injection vulnerability found in ZoneMinder versions 1.37.* up to 1.37.64.
### Vulnerability Root Cause & Impact
According to [GHSA-qm8h-3xvf-m7j3](https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-qm8h-3xvf-m7j3), the vulnerability originates in `web/ajax/event.php` when handling the `removetag` action. The `tid` (TagId) parameter is read from the request and insecurely concatenated directly into a SQL statement:
```php
$tagId = $_REQUEST['tid'];
// ...
$sql = "SELECT * FROM Events_Tags WHERE TagId = $tagId";
$rowCount = dbNumRows($sql);
```
Because `$tagId` is not parameterized before being passed to `dbNumRows()`, an authenticated attacker can inject arbitrary SQL commands using boolean-based or time-based SQL injection techniques (the PoC presented here leverages `SLEEP()`).
This allows for total control of SQL Databases, leading to a loss of data confidentiality and integrity, and potentially Denial of Service (DoS) via persistent sleep commands.
### Mitigation
As of version 1.37.65, the SQL queries have been properly parameterized. The vulnerable block was patched to construct a secure query:
```php
$sql = "SELECT * FROM Events_Tags WHERE TagId = ?";
$rowCount = dbNumRows($sql, $tagId);
```
### Exploit Script
The v2.0 FAST EXPLOIT script significantly speeds up data extraction by up to 5x using multi-threading, an optimized character frequency search, and dynamic threshold calibration to aggressively extract user credentials (`Username:Password`) from the `zm.Users` database table.
## ๐ Exploit Details (`Exploit.py` v2.0 FAST EXPLOIT)
### Features
- **Parallel Extraction:** Utilizes a ThreadPoolExecutor (default 5 workers) to extract multiple characters simultaneously, drastically reducing overall extraction time compared to traditional sequential blind SQLi.
- **Frequency Optimized Search:** Checks the most statistically common password and English characters first before falling back to binary search, minimizing the number of average requests per character.
- **Exponential Length Detection:** Uses a fast exponential step-search followed by binary search to determine the exact length of the target string before parallel extraction begins.
- **Dynamic Threshold Calibration:** Automatically calibrates the baseline response time (threshold) at startup to accurately differentiate between network lag and legitimate SQL execution delays.
- **Selective Dumping:** Supports extracting credentials for a specific username or sequentially dumping the entire `zm.Users` table.
### Vulnerable Endpoint & Parameters
- **URL:** default `http:///zm/index.php`
- **Parameters:** `view=request&request=event&action=removetag`
- **Vulnerable Parameter:** `tid`
## ๐ ๏ธ Usage Analysis
```bash
python3 Exploit.py
```
Upon execution, the script runs in an interactive mode and prompts for the following:
1. **Target URL:** The path to the ZoneMinder `index.php` file (e.g., `http://zoneminder.local/zm/index.php`).
2. **ZMSESSID Cookie Value:** This exploit requires authentication. Provide a valid `ZMSESSID` cookie representing an active session.
3. **Target Username (Optional):** Enter a specific user to extract credentials for, or leave it blank to auto-detect and dump the entire `zm.Users` table.
A file named `extracted_data.txt` is automatically created with the dumped credentials (in `Username:Password` format). The script also displays real-time execution statistics including total elapsed time and the total number of HTTP requests sent.
## ๐ References
- [GitHub Security Advisory GHSA-qm8h-3xvf-m7j3](https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-qm8h-3xvf-m7j3)
- [NVD Entry โ CVE-2024-51482](https://nvd.nist.gov/vuln/detail/CVE-2024-51482)
- [ZoneMinder Official Site](https://zoneminder.com/)
---
**Disclaimer:** This exploit script is intended strictly for educational purposes and authorized penetration testing. Do not use this tool against systems you do not own or possess explicit permission to test.