Imperva SecureSphere WAF MX 9.5.6 SQL Injection

Posted Oct 10, 2013
Authored by Mattia Folador, Giuseppe D'Amore

Imperva SecureSphere WAF MX version 9.5.6 suffers from a remote blind SQL injection vulnerability.

tags | exploit, remote, sql injection
MD5 | d7f4777d927f3e980ab8c99b62a98141

Blind SQL Injection to Imperva SecureSphere Web Application Firewall MX
=======================================================================

[ADVISORY INFORMATION]
Title: Blind SQL Injection on Imperva SecureSphere Web Application Firewall MX
Discovery date: 09/04/2013
Release date: 09/10/2013
Vendor Homepage: www.imperva.com
Version: Imperva SecureSphere WAF MX 9.5.6
Credits: Giuseppe D'Amore (g-damore@outlook.com), Mattia Folador (mattia.folador@gmail.com)

[VULNERABILITY INFORMATION]
Class: Blind SQL Injection

[AFFECTED PRODUCTS]
This security vulnerability affects:

* Imperva SecureSphere WAF Management Web Console (MX), version 9.5.6

[VULNERABILITY DETAILS]
The management console of the Imperva WAF allows an authenticated user whose only privilege is to view lookup data sets to escalate privileges and, through a blind SQL injection, extract the MD5 hash of the Administrator account's password on the console.

If you inject this query:

stringindatasetchoosen%%' and 1 = any (select 1 from SECURE.CONF_SECURE_MEMBERS where FULL_NAME like '%%dministrator' and rownum<=1 and PASSWORD like '0%') and '1%%'='1

into the search box under Main Menu -> Setup -> Global Object -> Scope Selection (Data Lookup) -> Lookup Data Set, it is possible, depending on whether the query evaluates to true or false, to extract the MD5 hash of the password of the Administrator account on the console, as follows:

If the query returns true, the searched string (stringindatasetchoosen) is shown in the results, which means the Administrator's MD5 hashed password starts with the character 0. Repeating this, the entire MD5 hash can be enumerated by injecting queries like:

and PASSWORD like '0%' -> to find the first character; once the first character is found, inject:
and PASSWORD like '0a%' -> to find the second character,
and so on until all 32 characters of the hash are recovered.
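To show what the character-at-a-time oracle above looks like from the defender's side, here is an added Python example (not from the advisory and not Imperva's code) that scans constructed access-log lines for the boolean probe and for a single client walking the hash prefix one character at a time; the /lookup path and the q parameter are assumptions.

```python
import re
from urllib.parse import quote_plus, unquote_plus

# Constructed sample search strings (not from the advisory). The three probes
# reuse the advisory's injected condition with a growing PASSWORD LIKE prefix.
PROBE = ("stringindatasetchoosen%%' and 1 = any (select 1 from "
         "SECURE.CONF_SECURE_MEMBERS where FULL_NAME like '%%dministrator' "
         "and rownum<=1 and PASSWORD like '{prefix}%') and '1%%'='1")
REQUESTS = [("10.0.0.5", "alpha"), ("10.0.0.7", PROBE.format(prefix="0")),
            ("10.0.0.7", PROBE.format(prefix="0a")),
            ("10.0.0.7", PROBE.format(prefix="0ab")), ("10.0.0.9", "beta")]
# Constructed access-log lines (common log format); /lookup and q= are assumed.
SAMPLE_LOG = [f'{ip} - - [09/Apr/2013:10:00:0{i} +0000] '
              f'"GET /lookup?q={quote_plus(q)} HTTP/1.1" 200 512'
              for i, (ip, q) in enumerate(REQUESTS)]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET \S*\?q=(\S*) HTTP')
# Fragments of a boolean-oracle payload: quote break + AND, subquery, LIKE probe.
ORACLE_MARKERS = (re.compile(r"'\s*and\s+\S", re.I),
                  re.compile(r"\bany\s*\(\s*select\b", re.I),
                  re.compile(r"\blike\s+'[^']*%'", re.I))
PREFIX_RE = re.compile(r"\blike\s+'([0-9a-f]+)%'", re.I)


def parse_search(line):
    """Return (client_ip, decoded search string), or None for other requests."""
    m = LOG_RE.match(line)
    return (m.group(1), unquote_plus(m.group(2))) if m else None


def is_oracle_probe(q):
    """True when at least two independent oracle markers occur in the search."""
    return sum(bool(p.search(q)) for p in ORACLE_MARKERS) >= 2


def hash_prefix(q):
    """Hex prefix being tested by a LIKE 'xxx%' clause, or None."""
    m = PREFIX_RE.search(q)
    return m.group(1).lower() if m else None


def analyse(lines):
    """Collect oracle probes and, per client, the longest one-char prefix walk."""
    probes, walks, cur, last = [], {}, {}, {}
    for line in lines:
        parsed = parse_search(line)
        if not parsed or not is_oracle_probe(parsed[1]):
            continue
        ip, q = parsed
        probes.append((ip, q))
        pre = hash_prefix(q)
        if pre is None:
            continue
        # A walk continues when the new prefix extends the previous one by one char.
        cur[ip] = cur.get(ip, 0) + 1 if pre[:-1] == last.get(ip) else 1
        last[ip], walks[ip] = pre, max(walks.get(ip, 0), cur[ip])
    return {"probes": probes, "walks": walks}
```

A walk length approaching 32 from one client against the lookup search is the signature of this specific hash extraction, as opposed to a single stray probe.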

[REMEDIATION]
This issue has been addressed by Imperva in the following patch release:

* Patch 8.0 (August 30, 2013)

[DISCLOSURE TIME-LINE]
* 09/04/2012 - Initial vendor contact.

* 11/07/2013 - Imperva confirmed the issue is a new security vulnerability.

* 30/08/2013 - Imperva released a new patch that addresses the vulnerability.

* 09/10/2013 - Public disclosure.

[DISCLAIMER]
The author is not responsible for the misuse of the information provided in
this security advisory. The advisory is a service to the professional security
community. There are NO WARRANTIES with regard to this information. Any
application or distribution of this information constitutes acceptance AS IS,
at the user's own risk. This information is subject to change without notice.
